Metadata-Version: 2.4
Name: rekor-verification
Version: 0.1.0
Summary: 
License-File: LICENSE
Author: Alexander Hom
Author-email: alexanderhom19@gmail.com
Requires-Python: >=3.10
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Requires-Dist: autodocstring (>=0.1.2,<0.2.0)
Requires-Dist: bandit (>=1.8.6,<2.0.0)
Requires-Dist: black (>=25.11.0,<26.0.0)
Requires-Dist: cryptography (>=46.0.3,<47.0.0)
Requires-Dist: flake8 (>=7.3.0,<8.0.0)
Requires-Dist: mypy (>=1.18.2,<2.0.0)
Requires-Dist: pylint (>=4.0.2,<5.0.0)
Requires-Dist: ruff (>=0.14.4,<0.15.0)
Description-Content-Type: text/markdown

# Python Rekor Signed Artifact Verification Script

## Overview
In software development, artifact signing is a method of increasing the
security of software by binding an artifact to the person who uploaded it.

Sigstore is a tool that simplifies artifact signing: it signs the artifact and
uploads the signature details to Rekor, an append-only transparency log, so that
other users are able to verify the integrity of the artifact.

This script contains functions for interacting with the Rekor logs, such as
verifying the inclusion of an artifact in the logs.

## Usage
Prior to using this script, an artifact is signed using a tool like cosign. For
example:

```bash
cosign sign-blob <artifact> --bundle artifact.bundle
```

The generated `.bundle` file will contain details about the signing, such as
the log entry that was appended to Rekor as well as the log ID.

Once you have an artifact that has been signed, you can use this script to do
the following:

### Verify the inclusion of the artifact in Rekor
```bash
python main.py --inclusion <logIndex> --artifact <artifact>
```
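The inclusion check described above, as an added example that is not part of this script or of Rekor: the RFC 6962 domain-separated hashing Rekor's Merkle tree uses, an inclusion-proof verifier following RFC 9162, and a constructed five-entry log to exercise it. `merkle_root` and `inclusion_path` are reference helpers added only to build the sample, not Rekor API calls; in practice the leaf hash, index, `treeSize`, `rootHash` and proof hashes come from the Rekor entry's inclusion proof, and the root should also be checked against the log's signed checkpoint.

```python
import hashlib

# RFC 6962 domain-separated hashes, as used by Rekor's Merkle tree.
def hash_leaf(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()
def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_root(leaves: list[bytes]) -> bytes:
    """Reference MTH(D[n]) from RFC 6962; used here only to build the constructed sample."""
    if len(leaves) == 1:
        return hash_leaf(leaves[0])
    k = 1 << ((len(leaves) - 1).bit_length() - 1)  # largest power of two < n
    return hash_node(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_path(leaves: list[bytes], index: int) -> list[bytes]:
    """Reference PATH(m, D[n]) from RFC 6962, leaf-to-root order; only to build the sample."""
    n = len(leaves)
    if n == 1:
        return []
    k = 1 << ((n - 1).bit_length() - 1)
    if index < k:
        return inclusion_path(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_path(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def verify_inclusion(leaf_hash: bytes, leaf_index: int, tree_size: int,
                     proof: list[bytes], root_hash: bytes) -> bool:
    """RFC 9162 section 2.1.3.2: fold the proof up to a root and compare with the signed root."""
    if leaf_index >= tree_size:
        return False
    fn, sn, r = leaf_index, tree_size - 1, leaf_hash
    for p in proof:
        if sn == 0:  # more proof hashes than the tree has levels
            return False
        if fn & 1 or fn == sn:  # right child, or on the right edge of the tree
            r = hash_node(p, r)
            while fn and not fn & 1:  # skip levels with no right sibling
                fn >>= 1
                sn >>= 1
        else:
            r = hash_node(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash

# Constructed sample: a five-entry log; prove one entry and verify it against the root.
SAMPLE_ENTRIES = [f"constructed-entry-{i}".encode() for i in range(5)]
def check_sample(index: int = 2) -> bool:
    return verify_inclusion(hash_leaf(SAMPLE_ENTRIES[index]), index, len(SAMPLE_ENTRIES),
                            inclusion_path(SAMPLE_ENTRIES, index), merkle_root(SAMPLE_ENTRIES))
```

A proof whose length does not match the claimed `treeSize`, a tampered leaf, or a wrong root all make `verify_inclusion` return `False`.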

### Fetch the latest log entry in Rekor
```bash
python main.py -c
```

### Verify the consistency of a log entry with the latest Rekor log entry
In order to perform consistency verification, you'll need the following details
of the log entry whose consistency you want to verify: `treeId`, `treeSize`,
and `rootHash`. You can query the Rekor API for your log entry to obtain these
details. Once you have them, the following command performs the consistency
verification:

```bash
python main.py --consistency --tree-id <treeId> --tree-size <treeSize> --root-hash <rootHash>
```

## Installation
This script has a few dependencies that must be installed before use. They can
be installed by running:

```bash
pip install -r requirements.txt
```
