Rekor transparency log
Durable, tamper-evident proof of signing.
Rekor is Sigstore’s transparency log — the piece that makes keyless signing accountable. Because ephemeral certificates expire in minutes, you need a durable, tamper-evident record that a signature genuinely existed; Rekor is that record.
An append-only, tamper-evident record
When an artifact is signed, an entry — the signature, the certificate, the artifact digest — is written to Rekor, an append-only log backed by a Merkle tree. Once written, an entry cannot be altered or removed without detection, and anyone can query the log to confirm that a given signature was recorded and when. This provides two things: a way to verify signatures made with already-expired ephemeral certificates (the log proves the cert was valid at signing time), and public accountability — a hidden or backdated signature stands out because it is either absent from the log or inconsistent with it.
# cosign checks Rekor inclusion by default during verify. You can query directly:rekor-cli search --sha 9f2c... # find log entries for this artifactrekor-cli get --uuid <entry-uuid> # inspect the recorded cert + signature# Verification confirms: signature valid, identity as expected, AND a matching# entry exists in the immutable log — so the signature is provable after the# ephemeral certificate has expired.
Why transparency matters for the chain
Transparency logs turn signing from a private act into a publicly-auditable one, borrowing the model that made TLS Certificate Transparency effective. If an attacker compromises a build and signs a malicious artifact, that signature is logged — creating evidence that can be detected, correlated, and investigated, rather than a silent event. Monitoring your own entries (and alerting on unexpected ones) becomes a detection control: a signature under your identity that your pipeline did not make is a loud alarm. The log is what keeps the keyless model honest.