What is Sigstore rekor?

Sigstore's transparency log — an append-only ledger backed by a Merkle tree that records signed software artifacts, so anyone can verify that an attestation existed at the claimed time. When configured, Securie publishes attestations to rekor and stamps the rekor UUID into the persisted attestation row.

Full explanation

rekor is one of three components of Sigstore (alongside Fulcio, which issues short-lived certificates, and cosign, the CLI). It is a public, append-only transparency log that anyone can write to and anyone can verify against. Each entry records a signed artifact, its signature and a timestamp. Because the log is a Merkle tree, once an entry is published, removing or modifying it is detectable. For attestations, rekor publication turns 'this attestation existed at this time' into a claim an auditor can replicate: the auditor fetches the rekor entry by UUID, verifies the inclusion proof against the current tree head, and confirms the timestamp was not back-dated.

Example

Securie's attestation pipeline (when REKOR_URL is set) publishes each DSSE-signed attestation envelope to rekor.sigstore.dev. The returned UUID is persisted in the `attestations.rekor_uuid` column (migration 0027). The auditor portal at /audit/{tenant}/{commit} surfaces the rekor UUID together with a deep link to the public rekor entry, so any auditor can verify that the attestation exists in the public transparency log without trusting Securie's database.

FAQ

Is rekor publication required?

No — Securie's attestation chain is auditor-verifiable with the public-key endpoint at /.well-known/securie/attestation-keys.json and the DSSE envelope alone. rekor publication adds the transparency-log claim ('this attestation existed at this time, publicly') for high-trust audit contexts. For most launch scenarios it is opt-in via the REKOR_URL env var.

Does rekor publication leak my findings to the public?

Only the signed envelope's hash, signature and timestamp are published — not the predicate body. The auditor needs the public-key endpoint AND the bundle to verify; rekor stores only the proof of existence, not the contents.