Rekor, sigstore’s transparency log, recently reached an important milestone in its v0.6 release: it now supports log sharding.
Log sharding means that the entries associated with a single Rekor server can now be distributed among multiple backend logs, which improves scalability and enables the rotation of signing keys for a single server in accordance with The Update Framework (TUF) standard. This is a crucial step on sigstore’s 1.0 roadmap, and is the result of contributions and collaboration from Red Hatters and other members of the sigstore community.
For those not familiar, sigstore is a project under OpenSSF that aims to improve open source supply chain security by making it easier to sign and verify software. It encompasses several components, including Rekor for signature transparency, similar to certificate transparency but for software signing materials. Rekor serves as a tamper-resistant ledger of metadata generated within a software supply chain.
As a public ledger, Rekor is a critical part of sigstore as it can help to guard against a variety of dangers like certain downgrade attacks and can alert developers and maintainers to compromised keys. You can find out more about the motivations for sigstore from our previous blog post introducing sigstore or visit the sigstore website.
The new sharding feature is available both in the public good Rekor instance as well as for other instances of Rekor – instructions for running a server with sharding are available here. Sharding the logs is optional, and users can still run a Rekor server without sharding.
To explore more and learn about the latest news for Sigstore and Rekor, check out the blog series here.