Sigstore Rekor Types

0.0.18 · active · verified Thu Apr 16

This package provides Python data models for the Sigstore Rekor API types. It primarily consists of Pydantic models generated from the Rekor OpenAPI specification, enabling programmatic interaction with Rekor's data structures. The library is currently at version 0.0.18 and receives updates as the upstream Rekor API evolves, maintaining an active release cadence.

Common errors

```
from sigstore_rekor_types.models.rekord import RekordObj
ModuleNotFoundError: No module named 'sigstore_rekor_types.models.rekord'
```
cause Incorrect import path for a specific Rekor model. While `RekordObj` exists within the Rekord-kind entry, the top-level import might be different or the internal structure has changed.

fix Check the exact sub-package structure in `sigstore_rekor_types.models` for the specific Rekord type you intend to use. For example, generic `Rekord` is typically under `sigstore_rekor_types.models.rekord`, but the actual content data often resides within nested classes like `RekordObjSchema`. Always verify the package structure, e.g., using `dir(sigstore_rekor_types.models.rekord)`.
```
pydantic.error_wrappers.ValidationError: 1 validation error for HashedRekordSchema
kind
  field required (type=value_error.missing)
```
cause Attempting to instantiate a Pydantic model without providing a required field, in this case, the `kind` field for `HashedRekordSchema`.

fix Ensure all required fields for the Pydantic model are provided during instantiation. Consult the model's signature or the Rekor OpenAPI specification to identify mandatory fields. For `HashedRekordSchema`, `apiVersion`, `kind`, and `spec` are typically required.

Warnings

breaking Rekor v2 introduces significant breaking changes by removing many older entry types. Only `hashedrekord` and `dsse` entry types are supported in Rekor v2. Other types like `intoto`, `rekord` (generic), `helm`, `tuf`, `rfc3161`, `jar`, `rpm`, `cose`, and `alpine` are no longer supported.
Fix: Review your Rekor entry types and migrate to `HashedRekord` or `DSSE` if targeting Rekor v2. Consult `sigstore-rekor-types` changelog for specific model version compatibility.
gotcha This library provides *only* the Python data models for Rekor's API. It does not include client-side functionality for interacting with the Rekor transparency log (e.g., uploading entries, querying).
Fix: For full Rekor client functionality, including signing, uploading, and verification, use the `sigstore-python` library, which integrates these models with API interaction logic.
deprecated Rekor v1 is now in maintenance mode, and users are strongly encouraged to transition to Rekor v2. Rekor v1 will eventually be frozen, disallowing new entry uploads with a one-year advance notice.
Fix: Plan to migrate your Rekor integrations to use Rekor v2 and ensure your `sigstore-rekor-types` models are compatible with the v2 API. Monitor Sigstore announcements for the v1 freezing timeline.

Install

pip install sigstore-rekor-types Install stable version

Imports

Rekord
```
from sigstore_rekor_types.models.rekord import Rekord
```
Represents the Rekord entry type for general artifacts.
HashedRekord
```
from sigstore_rekor_types.models.hashedrekord import HashedRekord
```
Represents the HashedRekord entry type, common for large payloads and supported in Rekor v2.
LogEntry
```
from sigstore_rekor_types.models.log_entry import LogEntry
```
The base model for a log entry response from Rekor.

Quickstart

This quickstart demonstrates how to instantiate core Pydantic models provided by `sigstore-rekor-types`, specifically `HashedRekord` which is a primary entry type in Rekor v2, and a generic `LogEntry` structure. This library focuses purely on data models, not client interaction with the Rekor API itself. For full client functionality (uploading, verifying), integrate with `sigstore-python`.

import datetime
from sigstore_rekor_types.models.hashedrekord import HashedRekord, HashedRekordSchema
from sigstore_rekor_types.models.log_entry import LogEntry
from sigstore_rekor_types.models.rekord import RekordObj, RekordObjSchema, RekordObjSignature, RekordObjSignaturePublicKey, RekordObjSignatureData

# Example of creating a HashedRekord object (a common Rekor v2 type)
# Note: This library provides models, not client functionality to upload to Rekor.
# For a full client, see sigstore-python.

try:
    hashed_rekord_content = HashedRekordSchema(
        apiVersion='0.0.1',
        kind='hashedrekord',
        spec=HashedRekord(
            signature=RekordObjSignature(
                content='base64encodedsignature==',
                format='minisign',
                publicKey=RekordObjSignaturePublicKey(
                    content='base64encodedpublickey=='
                )
            ),
            data=RekordObjData(
                hash=RekordObjHash(
                    algorithm='sha256',
                    value='a' * 64 # Example SHA256 hash
                )
            )
        )
    )
    print("HashedRekord object created successfully:")
    print(hashed_rekord_content.model_dump_json(indent=2))

    # Example of a generic LogEntry structure, often returned by Rekor
    example_log_entry = LogEntry(
        apiVersion="1.0.0",
        kind="hashedrekord",
        spec=hashed_rekord_content.spec.model_dump(mode='json'), # embed the spec
        uuid="some-unique-uuid",
        integratedTime=int(datetime.datetime.now(datetime.timezone.utc).timestamp()),
        logID="some-log-id",
        logIndex=12345,
        body="base64encodedlogentrybody==",
        verification=None
    )
    print("\nExample LogEntry object (often retrieved from Rekor):")
    print(example_log_entry.model_dump_json(indent=2))

except Exception as e:
    print(f"Error creating models: {e}")

view raw JSON →