
WIKICROOK

Rekor

A transparency log in the Sigstore stack.

Rekor is the transparency log used in the Sigstore ecosystem. It records signing events in an append-only, tamper-evident way so that software signatures can be checked later against a public record. In practice, Rekor does not hold the private signing key; it provides evidence that a signing action happened and that the recorded metadata has not been silently changed.

This matters in cyber security because release pipelines are common targets for supply-chain attacks. If an attacker steals a key, forges a build, or abuses a signing workflow, defenders can use Rekor to verify whether a signature was logged as expected and to spot gaps between the artifact and the trusted record. Rekor supports auditability, detection, and post-incident investigation, but it does not by itself make software safe. It works best when paired with strong identity controls, secure build systems, and policy checks.
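To make the append-only, tamper-evident property concrete, here is an added example (not Rekor's or Sigstore's own code): a simplified RFC 6962-style Merkle tree over signing-event records, with inclusion proofs and the audit check a defender would run. The record keys, digests and signer identities are constructed for illustration; any change to a recorded entry breaks verification against the root the log previously published.

```python
import hashlib
import json
# Added illustrative example (not Rekor's own code): a simplified RFC 6962-style
# Merkle tree over signing-event records, with inclusion proofs, showing why an
# append-only log is tamper-evident and how an auditor checks a signing event.

def leaf_hash(entry: dict) -> bytes:
    # Canonical JSON, domain-separated with 0x00 so leaves and inner nodes never collide.
    return hashlib.sha256(b"\x00" + json.dumps(entry, sort_keys=True).encode()).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(leaves: list) -> bytes:
    # Non-empty list of leaf hashes; split at the largest power of two below len.
    if len(leaves) == 1:
        return leaves[0]
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list, index: int) -> list:
    # (sibling_hash, sibling_is_right) pairs ordered from the leaf up to the root.
    if len(leaves) == 1:
        return []
    k = 1 << ((len(leaves) - 1).bit_length() - 1)
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(merkle_root(leaves[k:]), True)]
    return inclusion_proof(leaves[k:], index - k) + [(merkle_root(leaves[:k]), False)]

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    h = leaf
    for sibling, sibling_is_right in proof:
        h = node_hash(h, sibling) if sibling_is_right else node_hash(sibling, h)
    return h == root

def audit_artifact(log: list, published_root: bytes, artifact_sha256: str) -> bool:
    # Defender's check: is a signing event for this digest present, and does the log
    # copy we hold still hash to the root the log operator publicly committed to?
    leaves = [leaf_hash(e) for e in log]
    for i, entry in enumerate(log):
        if entry["artifact_sha256"] == artifact_sha256:
            return verify_inclusion(leaves[i], inclusion_proof(leaves, i), published_root)
    return False
# Constructed sample log of three signing events (digests and identities are made up).
LOG = [
    {"artifact_sha256": "aa" * 32, "signer": "release-bot@example.invalid", "sig": "s1"},
    {"artifact_sha256": "bb" * 32, "signer": "release-bot@example.invalid", "sig": "s2"},
    {"artifact_sha256": "cc" * 32, "signer": "dev@example.invalid", "sig": "s3"},
]
PUBLISHED_ROOT = merkle_root([leaf_hash(e) for e in LOG])
```

An audit for a digest that was never logged returns False, and so does an audit of a log copy in which any entry was altered after the root was published, which is the gap between artifact and trusted record that the text describes.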
