{"id":28413976,"url":"https://github.com/sigstore/rekor-tiles","last_synced_at":"2026-01-17T01:57:02.954Z","repository":{"id":278830611,"uuid":"936862185","full_name":"sigstore/rekor-tiles","owner":"sigstore","description":"Signature Transparency Log designed for ease of use, low cost, and minimal maintenance","archived":false,"fork":false,"pushed_at":"2026-01-12T09:08:22.000Z","size":1438,"stargazers_count":24,"open_issues_count":39,"forks_count":16,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-01-12T18:38:03.959Z","etag":null,"topics":["provenance","security","supply-chain","transparency-log"],"latest_commit_sha":null,"homepage":"https://sigstore.dev","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sigstore.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":"COPYRIGHT.txt","agents":null,"dco":null,"cla":null}},"created_at":"2025-02-21T20:24:05.000Z","updated_at":"2026-01-12T09:08:25.000Z","dependencies_parsed_at":"2025-03-08T14:19:35.393Z","dependency_job_id":"cb0dfc03-2381-4cbc-a829-fbd7eb9bd57a","html_url":"https://github.com/sigstore/rekor-tiles","commit_stats":null,"previous_names":["sigstore/rekor-tiles"],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/sigstore/rekor-tiles","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Frekor-tiles","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Frekor-tiles/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Frekor-tiles/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Frekor-tiles/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sigstore","download_url":"https://codeload.github.com/sigstore/rekor-tiles/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sigstore%2Frekor-tiles/sbom","scorecard":{"id":666311,"data":{"date":"2025-08-21T15:19:22Z","repo":{"name":"github.com/sigstore/rekor-tiles","commit":"7a5472e2a4d4baeef3762f648e03907afd1166fc"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":8.2,"checks":[{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":9,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build_container.yml:45","Warn: jobLevel 'security-events' permission set to 'write': .github/workflows/scorecard.yml:36","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test.yml:68","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test.yml:108","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test.yml:122","Info: jobLevel 'contents' permission set to 'read': .github/workflows/test.yml:135","Info: found token with 'none' permissions: .github/workflows/build_container.yml:1","Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql.yml:28","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:27","Info: topLevel 'contents' permission set to 'read': .github/workflows/license_check.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/lint.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/protoc_diff_check.yml:19","Info: found token with 'none' permissions: .github/workflows/release.yml:1","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:29","Info: topLevel 'contents' permission set to 'read': .github/workflows/test.yml:25"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  26 out of  26 GitHub-owned GitHubAction dependencies pinned","Info:  12 out of  12 third-party GitHubAction dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned","Info:   9 out of   9 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build_container.yml:40"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.1.9 not signed: https://api.github.com/repos/sigstore/rekor-tiles/releases/239861556","Warn: release artifact v0.1.8 not signed: https://api.github.com/repos/sigstore/rekor-tiles/releases/239439430","Warn: release artifact v0.1.7 not signed: https://api.github.com/repos/sigstore/rekor-tiles/releases/239431567","Warn: release artifact v0.1.6 not signed: https://api.github.com/repos/sigstore/rekor-tiles/releases/225021518","Warn: release artifact v0.1.5 not signed: https://api.github.com/repos/sigstore/rekor-tiles/releases/223684476","Warn: release artifact v0.1.9 does not have provenance: https://api.github.com/repos/sigstore/rekor-tiles/releases/239861556","Warn: release artifact v0.1.8 does not have provenance: https://api.github.com/repos/sigstore/rekor-tiles/releases/239439430","Warn: release artifact v0.1.7 does not have provenance: https://api.github.com/repos/sigstore/rekor-tiles/releases/239431567","Warn: release artifact v0.1.6 does not have provenance: https://api.github.com/repos/sigstore/rekor-tiles/releases/225021518","Warn: release artifact v0.1.5 does not have provenance: https://api.github.com/repos/sigstore/rekor-tiles/releases/223684476"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Vulnerabilities","score":7,"reason":"3 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2022-0635","Warn: Project is vulnerable to: GO-2022-0646","Warn: Project is vulnerable to: GO-2025-3770"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: github.com/sigstore/.github/SECURITY.md:1","Info: Found linked content: github.com/sigstore/.github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: github.com/sigstore/.github/SECURITY.md:1","Info: Found text in security policy: github.com/sigstore/.github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Contributors","score":10,"reason":"project has 6 contributing companies or organizations","details":["Info: found contributions from: GoogleContainerTools, google, googlers, pdxcat, sigstore, theupdateframework"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}}]},"last_synced_at":"2025-08-21T18:09:03.968Z","repository_id":278830611,"created_at":"2025-08-21T18:09:03.968Z","updated_at":"2025-08-21T18:09:03.968Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28491911,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-17T00:50:05.742Z","status":"ssl_error","status_checked_at":"2026-01-17T00:43:11.982Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["provenance","security","supply-chain","transparency-log"],"created_at":"2025-06-03T06:10:55.644Z","updated_at":"2026-01-17T01:57:02.941Z","avatar_url":"https://github.com/sigstore.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Rekor v2\n\nRekor v2, aka rekor-tiles or Rekor on Tiles, is a redesigned and modernized [Rekor](https://github.com/sigstore/rekor),\nSigstore's signature transparency log, transitioning its backend to a modern,\n[tile-backed transparency log](https://transparency.dev/articles/tile-based-logs/) implementation to\nsimplify maintenance and lower operational costs.\n\nMore information (documents are shared with [sigstore-dev](https://groups.google.com/g/sigstore-dev), join the group to get access):\n\n* [Proposal](https://docs.google.com/document/d/1Mi9OhzrucIyt-UCLk_FxO2_xSQZW9ow9U3Lv0ZB_PpM/edit?resourcekey=0-4rPbZPyCS7QDj26Hk0UyvA\u0026tab=t.0#heading=h.bjitqo6lwsmn)\n* [Design doc](https://docs.google.com/document/d/1ZYlt_VFB-lxbZCcTZHN-6KVDox3h7-ePp85pNpOUF1U/edit?resourcekey=0-V3WqDB22nOJfI4lTs59RVQ\u0026tab=t.0#heading=h.xzptrog8pyxf)\n\n## Public-good instance\n\nThe Sigstore community hosts a productionized instance of Rekor v2 with a 99.5% availability SLO.\nSee the [status page](https://status.sigstore.dev/) for uptime metrics.\n\nUse the public-good instance's TUF repository to determine the URL of the active instance.\nNote that the community instance's URL will change approximately every 6 months when\nwe \"shard\" the log, creating a new log instance to keep the size of the log maintainable.\nSigstore clients will pull the latest log shard URL from the TUF-distributed\n[SigningConfig](https://github.com/sigstore/root-signing/blob/main/targets/signing_config.v0.2.json),\nand will fetch both active and inactive shard public keys from the\n[TrustedRoot](https://github.com/sigstore/root-signing/blob/main/targets/trusted_root.json).\n\nAs of October 2025, we have not yet distributed the current Rekor v2 URL in the SigningConfig, to give users\nadequate time to update their clients to support verifying entries from Rekor v2. We are planning to distribute\nthe latest Rekor v2 URL by end of 2025/early 2026.\n\nIf you want to start using Rekor v2, construct a signing config, using the\n[TUF-distributed signing config](https://github.com/sigstore/root-signing/blob/main/targets/signing_config.v0.2.json)\nas a base, and adding the following instance as the first entry in the `rekorTlogUrls` list:\n\n```\n    {\n      \"url\": \"https://log2025-1.rekor.sigstore.dev\",\n      \"majorApiVersion\": 2,\n      \"validFor\": {\n        \"start\": \"2025-10-06T00:00:00Z\"\n      },\n      \"operator\": \"sigstore.dev\"\n    },\n```\n\n**Note**: We will eventually turn down the 2025 Rekor v2 instance when we deploy a 2026 instance. We strongly\nadvise against hardcoding this URL into any pipelines that cannot be easily updated.\n\n## Installation\n\nWe provide prebuilt binaries and containers for private deployments.\n\n* Download the latest binary from [Releases](https://github.com/sigstore/rekor-tiles/releases)\n* Pull the latest container from [GHCR](https://github.com/sigstore/rekor-tiles/pkgs/container/rekor-tiles)\n* Install Rekor v2 via [Helm](https://github.com/sigstore/helm-charts/tree/main/charts/rekor-tiles)\n\n## Security Reports\n\nIf you find any issues, follow Sigstore's [security policy](https://github.com/sigstore/rekor-tiles/security/policy)\nto report them.\n\n## Local Development\n\n### Deployment\n\nRun `docker compose up --build --wait` to start the service along with emulated Google Cloud Storage and Spanner instances.\n\nRun `docker compose down` to turn down the service, or `docker compose down --volumes` to turn down the service and delete\npersisted tiles.\n\n### Making a request\n\nFollow the [client documentation](https://github.com/sigstore/rekor-tiles/blob/main/CLIENTS.md#rekor-v2-the-bash-way)\nfor constructing a request and parsing a response.\n\n### Testing\n\nRun unit tests with `go test ./...`.\n\nFollow the [end-to-end test documentation](https://github.com/sigstore/rekor-tiles/blob/main/tests/README.md)\nfor how to run integration tests against a local instance.\n\n## Adding a storage backend\n\nTessera supports multiple [storage backends](https://github.com/transparency-dev/tessera/tree/main/storage) for\ndifferent cloud providers and infrastructure. We will add support in Rekor for different storage backends with\nuser demand.\n\nRekor will produce different binaries and containers for each storage backend. Binaries will be named\n`rekor-server-\u003cbackend\u003e` and containers `github.com/sigstore/rekor-tiles/pkgs/container/rekor-tiles/\u003cbackend\u003e`.\n\nTo add support for a new backend, with the example below for the `gcp` backend from [PR #630](https://github.com/sigstore/rekor-tiles/pull/630):\n\n* Create a [backend-specific driver](https://github.com/sigstore/rekor-tiles/blob/d596e236da3ce44024986f24c34005714430dda5/internal/tessera/gcp/gcp.go)\n* If needed, create a [backend-specific signer/verifier](https://github.com/sigstore/rekor-tiles/blob/682236adf5e63118853b00c5bfa33ba36a381fce/internal/tessera/gcp/signerverifier/signerverifier.go).\n  At a minimum, you should support the file-based signer/verifier. To support a KMS-backed key, import the cloud provider-specific driver\n  ([example](https://github.com/sigstore/rekor-tiles/blob/682236adf5e63118853b00c5bfa33ba36a381fce/internal/tessera/gcp/signerverifier/signerverifier.go#L33)).\n* Create a [backend-specific main package](https://github.com/sigstore/rekor-tiles/tree/d596e236da3ce44024986f24c34005714430dda5/cmd/rekor-server/gcp)\n* Create a Docker compose file, and set the [`STORAGE_BACKEND`](https://github.com/sigstore/rekor-tiles/blob/d596e236da3ce44024986f24c34005714430dda5/compose.yml#L52-L53)\n  arg for building the containerized binary\n* Add an [end-to-end test configuration](https://github.com/sigstore/rekor-tiles/blob/d596e236da3ce44024986f24c34005714430dda5/tests/e2e_test.go#L77-L93)\n* Add the binary to [goreleaser](https://github.com/sigstore/rekor-tiles/blob/d596e236da3ce44024986f24c34005714430dda5/.goreleaser.yaml#L30-L46)\n* Add the storage backend to the [matrix for container building](https://github.com/sigstore/rekor-tiles/blob/d596e236da3ce44024986f24c34005714430dda5/.github/workflows/build_container.yml#L51)\n* Update the [test matrix](https://github.com/sigstore/rekor-tiles/blob/d596e236da3ce44024986f24c34005714430dda5/.github/workflows/test.yml#L50)\n* Call the end-to-end test [in CI](https://github.com/sigstore/rekor-tiles/blob/d596e236da3ce44024986f24c34005714430dda5/.github/workflows/test.yml#L108-L122)\n* Add a [Makefile target](https://github.com/sigstore/rekor-tiles/blob/d596e236da3ce44024986f24c34005714430dda5/Makefile#L76-L77) and update\n  [`make all`](https://github.com/sigstore/rekor-tiles/blob/d596e236da3ce44024986f24c34005714430dda5/Makefile#L18)\n* Once merged, update the list of [required tests](https://github.com/sigstore/community/blob/ff0761c37ab63c55f50609ed32c27e2bc9497572/github-sync/github-data/sigstore/repositories.yaml#L1513)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Frekor-tiles","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsigstore%2Frekor-tiles","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsigstore%2Frekor-tiles/lists"}