How to Sign and Upload Metadata to Rekor

Use the Rekor CLI to sign and upload metadata to the Sigstore transparency log

An earlier version of this material was published in the Rekor chapter of the Linux Foundation Sigstore course.

This tutorial will walk you through signing and uploading metadata to the Rekor transparency log, which is a project of Sigstore. In order to follow along, you’ll need the rekor-cli installed, which you can accomplish by following the “How to Install the Rekor CLI” tutorial.

We will use SSH to sign a text document. SSH is often used to communicate securely over an unsecured network and can also be used to generate public and private keys appropriate for signing an artifact.

First, generate a key pair. This command will generate a public key and a private key file. You’ll be able to easily identify the public key because it uses the .pub extension. The command below will create a new file in ~/.ssh called id_ed25519 but you may want to call it something else; you can do that by passing a different filename after the -f flag.

ssh-keygen -t ed25519 -f id_ed25519

Then, create a text file called README.txt with your favorite text editor. You can enter as little or as much text in that file as you would like.

For example, we can use nano:

nano README.txt

Then within the file, we can type some text into it, such as the following.

[label README.txt]

Hello, Rekor!

Save and close the file.

Next, sign this file with the following command. This command produces a signature file ending in the .sig extension.

ssh-keygen -Y sign -n file -f id_ed25519 README.txt

You should receive the following output.

Signing file README.txt
Write signature to README.txt.sig

Then, upload this artifact to the public instance of the Rekor log.

rekor-cli upload --artifact README.txt --signature README.txt.sig --pki-format=ssh

The returned value will include a string similar to:

Save the UUID returned after using this command. In this example, the UUID is 83140d699ebc33dc84b702d2f95b209dc71f47a3dce5cce19a197a401852ee97.

Now you can query Rekor for your recently saved entry. Run the following command, replacing UUID with the UUID number obtained in the previous command.

rekor-cli get --uuid UUID

Once you receive output formatted as a JSON with details on the signature, you will know you have successfully stored a signed metadata entry in Rekor.