How to Use the Rekor Transparency Log to Audit Signatures
Every keyless Cosign signature is recorded in Rekor, a tamper-evident log you can query to audit what was signed and when.
Keyless signing writes an entry to the Sigstore Rekor transparency log. You can search Rekor with cosign verify (which checks the log by default) or rekor-cli to confirm a signature exists and inspect its inclusion proof, independent of the registry.
Steps
- Sign keyless so the entry lands in Rekor automatically.
- Verify with
cosign verify, which checks Rekor inclusion by default. - Use
rekor-cli searchto audit entries for an artifact digest.
Terminal
Terminal
# cosign verify checks the Rekor entry by default
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/OWNER/REPO/' \
ghcr.io/OWNER/REPO@sha256:DIGEST
# Independently search the transparency log
rekor-cli search --sha sha256:DIGESTGotchas
- For air-gapped or private setups you may run a private Rekor and point
cosignat it. - The log proves a signature was recorded; you still pin the identity to decide whether to trust it.
Related guides
How to Sign Artifacts With Cosign Keyless in GitHub ActionsSign container images and artifacts in CI using Cosign keyless signing backed by the workflow OIDC token, so…
How to Verify a Cosign Signature Before DeployVerify a keyless Cosign signature in CI with cosign verify, pinning the expected OIDC issuer and identity so…