/uds › /uds/sigstore
Sigstore — cosign signature + public Rekor entry
The Warhacker air-gap bundle is cosign-signed and its checksum manifest is anchored in the public Sigstore Rekor transparency log. Both the offline Rekor bundle and the live public log entry are verifiable — this is a real tlog anchor, not a private claim.
cosign v2.4.1
ECDSA P-256
logIndex 1693757456
public Rekor entry
hashedrekord
v0.0.1
HTTP 200
rekor.sigstore.dev
Real signing values (captured, not asserted)
| Field | Value |
|---|---|
| Bundle SHA256 | 88b99afc581e8c03d13c1033306c08c1027e51189f4f6c9f87223091c1119218 |
| Signature SHA256 | 7f6a082ca90123f50865de28174a01dfe45bf640108ab8017d342d5b51eb30aa |
| cosign keyid | szlholdings-cosign |
| Public-key fingerprint | a4d73120c312d94bdd6cbdfa6f3d629cfff4b85e7addde5f9c3fd4c02341eb30 |
| Rekor logIndex | 1693757456 |
| Rekor entry UUID | 108e9186e8c5677a29e0edfa38045faad85d9ec8160e6874efc8caef35408deeb11fb01c1be463c2 |
| integratedTime | 1780328689 |
| hashedrekord value | 57436b9c91032ad8f9e4272f1ad02ab6b5c39c9c7606a936fd49ce57a26eaefb |
Verify against the public log
# 1) integrity sha256sum -c bundle.tar.zst.sha256 # -> bundle.tar.zst: OK # 2) authenticity, anchored at the public Sigstore transparency log cosign verify-blob --key cosign.pub \ --bundle bundle.tar.zst.rekor.bundle \ bundle.tar.zst.sha256 # -> Verified OK # 2b) air-gap / offline equivalent (no tlog egress) cosign verify-blob --key cosign.pub --insecure-ignore-tlog=true \ --signature bundle.tar.zst.sig bundle.tar.zst # -> Verified OK # 3) read the public log entry directly (HTTP 200) curl "https://rekor.sigstore.dev/api/v1/log/entries?logIndex=1693757456"
Honesty: the killinchu in-process Khipu receipt chain submits to a private
transparency log; per-mission receipts are not_submitted to public Rekor (honest).
The release bundle above, however, IS anchored in public Rekor at logIndex 1693757456.
Verifiable evidence
- Public Sigstore search: search.sigstore.dev?logIndex=1693757456
- Public Rekor API (HTTP 200): rekor.sigstore.dev/api/v1/log/entries?logIndex=1693757456
- Offline Rekor bundle: airgap-bundle.tar.zst.rekor.bundle · bundle.tar.zst.rekor.bundle
- Signature + key: bundle.tar.zst.sig · cosign.pub
- Capture proof: PROOF.md · signing log COSIGN_SIGNING_LOG.md
- SLSA posture: L1 honest, L2 in progress (hosted GitHub Actions + Sigstore keyless). Never L2/L3 claimed achieved.
ADDITIVE · self-contained · Doctrine v11 LOCKED 749/14/163 · Λ Conjecture 1 · every cited link curl-verified HTTP 200 · sign: Yachay <yachay@szlholdings.dev> · Co-Authored-By: Perplexity Computer Agent