SigstoreCon Supply Chain Day 2024

Transparency logs are tamper-evident, immutable ledgers that provide a cryptographic commitment for inclusion of ledger entries in the log to allow the entries to be publicly auditable, forcing malicious behavior to be transparent. Rekor is Sigstore's signature transparency log, where each entry in the log provides auditability for a signed artifact. A public-good instance of Rekor is maintained by the Sigstore community and used by individuals, organizations and package registries. We've learned much since we deployed the 1.0 API for Rekor; the API is complex and inefficient for what clients really need to verify an artifact, and the maintenance burden and storage costs needed to support it are nontrivial and may deter operators from adopting Rekor. Moreover, privacy and redaction is not easily supportable in the current design. There has been active development in simplifying log deployments and minimizing operational costs in Certificate Transparency that we can apply to Rekor. In this talk, we'll discuss how we will leverage these innovations to improve Rekor's usability, simplifying the API and making Rekor deployments easier to maintain and scale.