1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
|
#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
swagger: "2.0"
info:
title: Rekor
description: Rekor is a cryptographically secure, immutable transparency log for signed software releases.
version: 1.0.0
host: rekor.sigstore.dev
schemes:
- http
consumes:
- application/json
produces:
- application/json
paths:
/api/v1/index/retrieve:
post:
summary: Searches index by entry metadata
description: >
EXPERIMENTAL - this endpoint is offered as best effort only and may be changed or removed in future releases.
The results returned from this endpoint may be incomplete.
deprecated: true
operationId: searchIndex
tags:
- index
parameters:
- in: body
name: query
required: true
schema:
$ref: '#/definitions/SearchIndex'
responses:
200:
description: Returns zero or more entry UUIDs from the transparency log based on search query
schema:
type: array
items:
type: string
description: Entry UUID in transparency log
pattern: '^([0-9a-fA-F]{64}|[0-9a-fA-F]{80})$'
400:
$ref: '#/responses/BadContent'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log:
get:
summary: Get information about the current state of the transparency log
description: Returns the current root hash and size of the merkle tree used to store the log entries.
operationId: getLogInfo
tags:
- tlog
responses:
200:
description: A JSON object with the root hash and tree size as properties
schema:
$ref: '#/definitions/LogInfo'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/publicKey:
get:
summary: Retrieve the public key that can be used to validate the signed tree head
description: Returns the public key that can be used to validate the signed tree head
operationId: getPublicKey
tags:
- pubkey
parameters:
- in: query
name: treeID
type: string
pattern: '^[0-9]+$'
description: The tree ID of the tree you wish to get a public key for
produces:
- application/x-pem-file
responses:
200:
description: The public key
schema:
type: string
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/proof:
get:
summary: Get information required to generate a consistency proof for the transparency log
description: Returns a list of hashes for specified tree sizes that can be used to confirm the consistency of the transparency log
operationId: getLogProof
tags:
- tlog
parameters:
- in: query
name: firstSize
type: integer
default: 1
minimum: 1
description: >
The size of the tree that you wish to prove consistency from (1 means the beginning of the log)
Defaults to 1 if not specified
- in: query
name: lastSize
type: integer
required: true
minimum: 1
description: The size of the tree that you wish to prove consistency to
- in: query
name: treeID
type: string
pattern: '^[0-9]+$'
description: The tree ID of the tree that you wish to prove consistency for
responses:
200:
description: All hashes required to compute the consistency proof
schema:
$ref: '#/definitions/ConsistencyProof'
400:
$ref: '#/responses/BadContent'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/entries:
post:
summary: Creates an entry in the transparency log
description: >
Creates an entry in the transparency log for a detached signature, public key, and content.
operationId: createLogEntry
tags:
- entries
parameters:
- in: body
name: proposedEntry
schema:
$ref: '#/definitions/ProposedEntry'
required: true
responses:
201:
description: Returns the entry created in the transparency log
headers:
ETag:
type: string
description: UUID of log entry
Location:
type: string
description: URI location of log entry
format: uri
schema:
$ref: '#/definitions/LogEntry'
400:
$ref: '#/responses/BadContent'
409:
$ref: '#/responses/Conflict'
default:
$ref: '#/responses/InternalServerError'
get:
summary: Retrieves an entry and inclusion proof from the transparency log (if it exists) by index
operationId: getLogEntryByIndex
tags:
- entries
parameters:
- in: query
name: logIndex
type: integer
required: true
minimum: 0
description: specifies the index of the entry in the transparency log to be retrieved
responses:
200:
description: the entry in the transparency log requested along with an inclusion proof
schema:
$ref: '#/definitions/LogEntry'
404:
$ref: '#/responses/NotFound'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/entries/{entryUUID}:
get:
summary: Get log entry and information required to generate an inclusion proof for the entry in the transparency log
description: Returns the entry, root hash, tree size, and a list of hashes that can be used to calculate proof of an entry being included in the transparency log
operationId: getLogEntryByUUID
tags:
- entries
parameters:
- in: path
name: entryUUID
type: string
required: true
pattern: '^([0-9a-fA-F]{64}|[0-9a-fA-F]{80})$'
description: the UUID of the entry for which the inclusion proof information should be returned
responses:
200:
description: Information needed for a client to compute the inclusion proof
schema:
$ref: '#/definitions/LogEntry'
404:
$ref: '#/responses/NotFound'
default:
$ref: '#/responses/InternalServerError'
/api/v1/log/entries/retrieve:
post:
summary: Searches transparency log for one or more log entries
operationId: searchLogQuery
tags:
- entries
parameters:
- in: body
name: entry
required: true
schema:
$ref: '#/definitions/SearchLogQuery'
responses:
200:
description: Returns zero or more entries from the transparency log, according to how many were included in request query
schema:
type: array
items:
$ref: '#/definitions/LogEntry'
400:
$ref: '#/responses/BadContent'
422:
$ref: '#/responses/UnprocessableEntity'
default:
$ref: '#/responses/InternalServerError'
definitions:
ProposedEntry:
type: object
discriminator: kind
properties:
kind:
type: string
required:
- kind
rekord:
type: object
description: Rekord object
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/rekord/rekord_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
hashedrekord:
type: object
description: Hashed Rekord object
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/hashedrekord/hashedrekord_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
rpm:
type: object
description: RPM package
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/rpm/rpm_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
tuf:
type: object
description: TUF metadata
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/tuf/tuf_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
alpine:
type: object
description: Alpine package
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/alpine/alpine_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
helm:
type: object
description: Helm chart
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/helm/helm_schema.json'
required:
- apiVersion
- spec
intoto:
type: object
description: Intoto object
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/intoto/intoto_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
cose:
type: object
description: COSE object
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/cose/cose_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
jar:
type: object
description: Java Archive (JAR)
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/jar/jar_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
rfc3161:
type: object
description: RFC3161 Timestamp
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/rfc3161/rfc3161_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
dsse:
type: object
description: DSSE envelope
allOf:
- $ref: '#/definitions/ProposedEntry'
- properties:
apiVersion:
type: string
pattern: ^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$
spec:
type: object
$ref: 'pkg/types/dsse/dsse_schema.json'
required:
- apiVersion
- spec
additionalProperties: false
LogEntry:
type: object
additionalProperties:
type: object
properties:
logID:
type: string
pattern: '^[0-9a-fA-F]{64}$'
description: This is the SHA256 hash of the DER-encoded public key for the log at the time the entry was included in the log
logIndex:
type: integer
minimum: 0
body:
type: object
additionalProperties: true
integratedTime:
type: integer
description: The time the entry was added to the log as a Unix timestamp in seconds
attestation:
type: object
properties:
data:
format: byte
format: byte
verification:
type: object
properties:
inclusionProof:
$ref: '#/definitions/InclusionProof'
signedEntryTimestamp:
type: string
format: byte
# To verify the signedEntryTimestamp:
# 1. Remove the Verification object from the JSON Document
# 2. Canonicalize the remaining JSON document by following RFC 8785 rules
# 3. Verify the canonicalized payload and signedEntryTimestamp against rekor's public key
description: Signature over the logID, logIndex, body and integratedTime.
required:
- "logID"
- "logIndex"
- "body"
- "integratedTime"
SearchIndex:
type: object
properties:
email:
type: string
format: email
publicKey:
type: object
properties:
format:
type: string
enum: ['pgp','x509','minisign', 'ssh', 'tuf']
content:
type: string
format: byte
required:
- "format"
hash:
type: string
pattern: '^(sha512:)?[0-9a-fA-F]{128}$|^(sha256:)?[0-9a-fA-F]{64}$|^(sha1:)?[0-9a-fA-F]{40}$'
operator:
type: string
enum: ['and','or']
SearchLogQuery:
type: object
properties:
entryUUIDs:
type: array
minItems: 1
maxItems: 10
items:
type: string
pattern: '^([0-9a-fA-F]{64}|[0-9a-fA-F]{80})$'
logIndexes:
type: array
minItems: 1
maxItems: 10
items:
type: integer
minimum: 0
entries:
type: array
minItems: 1
maxItems: 10
items:
$ref: '#/definitions/ProposedEntry'
LogInfo:
type: object
properties:
rootHash:
type: string
description: The current hash value stored at the root of the merkle tree
pattern: '^[0-9a-fA-F]{64}$'
treeSize:
type: integer
description: The current number of nodes in the merkle tree
minimum: 1
signedTreeHead:
type: string
format: signedCheckpoint
description: The current signed tree head
treeID:
type: string
description: The current treeID
pattern: '^[0-9]+$'
inactiveShards:
type: array
items:
$ref: '#/definitions/InactiveShardLogInfo'
required:
- rootHash
- treeSize
- signedTreeHead
- treeID
InactiveShardLogInfo:
type: object
properties:
rootHash:
type: string
description: The current hash value stored at the root of the merkle tree
pattern: '^[0-9a-fA-F]{64}$'
treeSize:
type: integer
description: The current number of nodes in the merkle tree
minimum: 1
signedTreeHead:
type: string
format: signedCheckpoint
description: The current signed tree head
treeID:
type: string
description: The current treeID
pattern: '^[0-9]+$'
required:
- rootHash
- treeSize
- signedTreeHead
- treeID
ConsistencyProof:
type: object
properties:
rootHash:
type: string
description: The hash value stored at the root of the merkle tree at the time the proof was generated
pattern: '^[0-9a-fA-F]{64}$'
hashes:
type: array
items:
type: string
description: SHA256 hash value expressed in hexadecimal format
pattern: '^[0-9a-fA-F]{64}$'
required:
- rootHash
- hashes
InclusionProof:
type: object
properties:
logIndex:
type: integer
description: The index of the entry in the transparency log
minimum: 0
rootHash:
description: The hash value stored at the root of the merkle tree at the time the proof was generated
type: string
pattern: '^[0-9a-fA-F]{64}$'
treeSize:
type: integer
description: The size of the merkle tree at the time the inclusion proof was generated
minimum: 1
hashes:
description: A list of hashes required to compute the inclusion proof, sorted in order from leaf to root
type: array
items:
type: string
description: SHA256 hash value expressed in hexadecimal format
pattern: '^[0-9a-fA-F]{64}$'
checkpoint:
type: string
format: signedCheckpoint
description: The checkpoint (signed tree head) that the inclusion proof is based on
required:
- logIndex
- rootHash
- treeSize
- hashes
- checkpoint
Error:
type: object
properties:
code:
type: integer
message:
type: string
responses:
BadContent:
description: The content supplied to the server was invalid
schema:
$ref: "#/definitions/Error"
Conflict:
description: The request conflicts with the current state of the transparency log
schema:
$ref: "#/definitions/Error"
headers:
Location:
type: string
format: uri
NotFound:
description: The content requested could not be found
InternalServerError:
description: There was an internal error in the server while processing the request
schema:
$ref: "#/definitions/Error"
UnprocessableEntity:
description: The server understood the request but is unable to process the contained instructions
schema:
$ref: "#/definitions/Error"
|
