Rekor is the transparency log of the Sigstore ecosystem. It is an append-only Merkle tree in the style of RFC 6962 (the Certificate Transparency hashing scheme): each entry records a signature, the public key or certificate that produced it, and the hash of the artifact that was signed, and the log hands back an inclusion proof and a signed entry timestamp for it. Because every entry is hashed into a tree root that the log signs, an entry cannot be altered or removed after the fact without the change showing up to anyone who checks the proof or monitors the log. Rekor never holds the private signing key; what it provides is evidence that a particular signature was recorded at a particular time and that the recorded metadata is the same today as when it was logged.
This matters in cyber security because release pipelines are common targets for supply-chain attacks. If an attacker steals a signing key, forges a build, or abuses a signing workflow, the resulting signature either appears in Rekor, where monitors and post-incident reviewers can see an entry made by an unexpected identity, at an unexpected time, or over an unexpected artifact digest, or it does not appear at all, in which case a verifier that requires a log entry rejects it. Rekor therefore supports auditability, detection, and post-incident investigation, but it does not prevent a compromised key or workflow from producing a valid signature; it makes the misuse visible. It works best when paired with strong identity controls (keyless signing through Fulcio binds each log entry to a short-lived certificate for an OIDC identity), hardened build systems, and a verification policy that checks the logged identity and artifact digest rather than only the signature.



