Skip to content
Latchkey

How to Use the Rekor Transparency Log to Audit Signatures

Every keyless Cosign signature is recorded in Rekor, a tamper-evident log you can query to audit what was signed and when.

Keyless signing writes an entry to the Sigstore Rekor transparency log. You can search Rekor with cosign verify (which checks the log by default) or rekor-cli to confirm a signature exists and inspect its inclusion proof, independent of the registry.

Steps

  • Sign keyless so the entry lands in Rekor automatically.
  • Verify with cosign verify, which checks Rekor inclusion by default.
  • Use rekor-cli search to audit entries for an artifact digest.

Terminal

Terminal
# cosign verify checks the Rekor entry by default
cosign verify \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  --certificate-identity-regexp '^https://github.com/OWNER/REPO/' \
  ghcr.io/OWNER/REPO@sha256:DIGEST

# Independently search the transparency log
rekor-cli search --sha sha256:DIGEST

Gotchas

  • For air-gapped or private setups you may run a private Rekor and point cosign at it.
  • The log proves a signature was recorded; you still pin the identity to decide whether to trust it.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →