Rekor transparency log

Durable, tamper-evident proof of signing.

Expert30 min · lesson 9 of 15

Rekor is Sigstore’s transparency log — the piece that makes keyless signing accountable. Because ephemeral certificates expire in minutes, you need a durable, tamper-evident record that a signature genuinely existed; Rekor is that record.

An append-only, tamper-evident record

When an artifact is signed, an entry — the signature, the certificate, the artifact digest — is written to Rekor, an append-only log backed by a Merkle tree. Once written, an entry cannot be altered or removed without detection, and anyone can query the log to confirm that a given signature was recorded and when. This provides two things: a way to verify signatures made with already-expired ephemeral certificates (the log proves the cert was valid at signing time), and public accountability — a hidden or backdated signature stands out because it is either absent from the log or inconsistent with it.

verify inclusion in the transparency log
# cosign checks Rekor inclusion by default during verify. You can query directly:
rekor-cli search --sha 9f2c... # find log entries for this artifact
rekor-cli get --uuid <entry-uuid> # inspect the recorded cert + signature
# Verification confirms: signature valid, identity as expected, AND a matching
# entry exists in the immutable log — so the signature is provable after the
# ephemeral certificate has expired.

Why transparency matters for the chain

Transparency logs turn signing from a private act into a publicly-auditable one, borrowing the model that made TLS Certificate Transparency effective. If an attacker compromises a build and signs a malicious artifact, that signature is logged — creating evidence that can be detected, correlated, and investigated, rather than a silent event. Monitoring your own entries (and alerting on unexpected ones) becomes a detection control: a signature under your identity that your pipeline did not make is a loud alarm. The log is what keeps the keyless model honest.

Rekor: durable proof of signing
1signature made
ephemeral cert (minutes)
2entry appended to Rekor
Merkle-tree backed
3tamper-evident + public
cannot alter/remove undetected
4verify anytime
proves validity after cert expiry
A public, append-only record makes ephemeral signatures durable and hidden ones detectable. Monitor your entries as a detection signal.
An unexpected log entry under your identity is an incident
Because every signature is logged, a Rekor entry signed by your pipeline’s identity that you cannot account for likely means your signing identity or build was abused. Monitor the transparency log for your identities and alert on unexpected entries — the log is not just for verification, it is a tripwire.