authorMuhammad Moinur Rahman <bofh@FreeBSD.org>2025-05-04 18:23:46 +0000
committerMuhammad Moinur Rahman <bofh@FreeBSD.org>2025-05-04 18:44:56 +0000
commitfd18edcfedc3e98872e5a066702568bfa4bdc799 (patch)
tree264b84e432912cdb69a22536a768a4c696973d01
parent0194e90af5fa5e54197bd75669353c500a756e18 (diff)
security/rekor: New port
Software Supply Chain Transparency Log Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software project's supply chain. Rekor will enable software maintainers and build systems to record signed metadata to an immutable record. Other parties can then query said metadata to enable them to make informed decisions on trust and non-repudiation of an object's lifecycle. The Rekor project provides a RESTful API based server for validation and a transparency log for storage. A CLI application is available to make and verify entries, query the transparency log for inclusion proof, integrity verification of the transparency log or retrieval of entries by either public key or artifact. Rekor fulfils the signature transparency role of sigstore's software signing infrastructure. However, Rekor can be run on its own and is designed to be extensible to working with different manifest schemas and PKI tooling. WWW: https://www.sigstore.dev/
-rw-r--r--GIDs2
-rw-r--r--UIDs2
-rw-r--r--security/Makefile1
-rw-r--r--security/rekor/Makefile65
-rw-r--r--security/rekor/distinfo5
-rw-r--r--security/rekor/files/rekor.in46
-rw-r--r--security/rekor/pkg-descr17
-rw-r--r--security/rekor/pkg-plist.client2
-rw-r--r--security/rekor/pkg-plist.server5
9 files changed, 143 insertions, 2 deletions
diff --git a/GIDs b/GIDs
index 0a1dee381e46..e126d9060a84 100644
--- a/GIDs
+++ b/GIDs
@@ -802,7 +802,7 @@ opensearch:*:855:
# free: 858
# free: 859
plocate:*:860:
-# free: 861
+rekor:*:861:
timestamp-authority:*:862:
trillian:*:863:
mediamtx:*:864:
diff --git a/UIDs b/UIDs
index c9d7563c7b37..a04c7188973f 100644
--- a/UIDs
+++ b/UIDs
@@ -808,7 +808,7 @@ opensearch:*:855:855::0:0:opensearch user:/nonexistent:/usr/sbin/nologin
# free: 858
# free: 859
# free: 860
-# free: 861
+rekor:*:861:861::0:0:rekor user:/nonexistent:/usr/sbin/nologin
timestamp-authority:*:862:862::0:0:Timestamp Authority:/nonexistent:/usr/sbin/nologin
trillian:*:863:863::0:0:trillian user:/nonexistent:/usr/sbin/nologin
mediamtx:*:864:864::0:0:mediamtx:/nonexistent:/usr/sbin/nologin
diff --git a/security/Makefile b/security/Makefile
index 09b9edefdcc1..90c7170e9735 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -1106,6 +1106,7 @@
SUBDIR += ratproxy
SUBDIR += rats
SUBDIR += rcracki_mt
+ SUBDIR += rekor
SUBDIR += reop
SUBDIR += rhash
SUBDIR += rhonabwy
diff --git a/security/rekor/Makefile b/security/rekor/Makefile
new file mode 100644
index 000000000000..fc47905048e5
--- /dev/null
+++ b/security/rekor/Makefile
@@ -0,0 +1,65 @@
+PORTNAME= rekor
+DISTVERSIONPREFIX= v
+DISTVERSION= 1.3.10
+CATEGORIES= security
+
+MAINTAINER= bofh@FreeBSD.org
+COMMENT= Software Supply Chain Transparency Log ${${FLAVOR}_COMMENT}
+WWW= https://www.sigstore.dev/
+
+LICENSE= APACHE20
+LICENSE_FILE= ${WRKSRC}/LICENSE
+
+FLAVORS= client server
+FLAVOR?= ${FLAVORS:[1]}
+client_PKGNAMESUFFIX= -client
+client_COMMENT= (client only)
+client_PLIST= ${.CURDIR}/pkg-plist.client
+server_PKGNAMESUFFIX= -server
+server_COMMENT= (server only)
+server_PLIST= ${.CURDIR}/pkg-plist.server
+
+USES= cpe go:1.24,modules
+CPE_VENDOR= linuxfoundation
+.if ${FLAVOR} == server
+USE_RC_SUBR= rekor
+.endif
+
+GO_MODULE= github.com/sigstore/rekor
+.if ${FLAVOR} == client
+GO_TARGET= ./cmd/rekor-cli
+.elif ${FLAVOR} == server
+GO_TARGET= ./cmd/rekor-server \
+ ./cmd/backfill-index \
+ ./cmd/cleanup-index \
+ ./cmd/copy-index
+.endif
+GO_BUILDFLAGS= -ldflags="\
+ -X sigs.k8s.io/release-utils/version.gitVersion=$(DISTVERSION) \
+ -X sigs.k8s.io/release-utils/version.gitCommit=$(GIT_HASH) \
+ -X sigs.k8s.io/release-utils/version.gitTreeState=clean \
+ -X sigs.k8s.io/release-utils/version.buildDate=${SOURCE_DATE_EPOCH:U${SOURCE_DATE_EPOCH_CMD:sh}}"
+
+.if ${FLAVOR} == server
+USERS= ${PORTNAME}
+GROUPS= ${PORTNAME}
+.endif
+
+GIT_HASH= 4118a64b4b9c228a968b2d935a00807ca1b33aed
+
+.include <bsd.port.pre.mk>
+
+# Bring DISTINFO_FILE into scope so we can get the timestamp.
+SOURCE_DATE_EPOCH_CMD= date -ur \
+ $$(${GREP} -m1 TIMESTAMP ${DISTINFO_FILE} | ${SED} -e 's/[^0-9]//g') \
+ '+%Y-%m-%dT%H:%M:%SZ'
+
+post-install:
+ ${MKDIR} ${STAGEDIR}${PREFIX}/etc/rekor
+.if ${FLAVOR} == client
+ ${INSTALL_DATA} ${WRKSRC}/config/rekor.yaml ${STAGEDIR}${PREFIX}/etc/rekor/rekor.yaml.sample
+.elif ${FLAVOR} == server
+ ${INSTALL_DATA} ${WRKSRC}/rekor-server.yaml ${STAGEDIR}${PREFIX}/etc/rekor/rekor-server.yaml.sample
+.endif
+
+.include <bsd.port.post.mk>
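Review bot: `GIT_HASH= 4118a64b...` on the new side is a bare constant with nothing tying it to `DISTVERSION= 1.3.10`, yet it is baked into the binaries as `version.gitCommit` alongside an unconditional `gitTreeState=clean`; since the port fetches a module zip rather than a git checkout, nothing will catch a stale hash after a version bump, and the `version` output operators use to match advisories would then name the wrong commit. Add a comment next to it, e.g. `# Commit of tag ${DISTVERSIONPREFIX}${DISTVERSION}; update together with DISTVERSION`, and consider moving it up beside `DISTVERSION` so the two are edited together. Minor style point: the ldflags use `$(DISTVERSION)`/`$(GIT_HASH)` while the rest of the file uses `${...}`; `${DISTVERSION}` and `${GIT_HASH}` would be consistent.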
diff --git a/security/rekor/distinfo b/security/rekor/distinfo
new file mode 100644
index 000000000000..2c16c79e10d2
--- /dev/null
+++ b/security/rekor/distinfo
@@ -0,0 +1,5 @@
+TIMESTAMP = 1746289423
+SHA256 (go/security_rekor/rekor-v1.3.10/v1.3.10.mod) = 788c563e936db5816de40e7ff4a7f58ffa8d184fbe99842eec058da0d3b8f65d
+SIZE (go/security_rekor/rekor-v1.3.10/v1.3.10.mod) = 11137
+SHA256 (go/security_rekor/rekor-v1.3.10/v1.3.10.zip) = 6a65d2c266a8ac2351061716142c9cb373abec19c892d4b5c0c83e21bf2b3789
+SIZE (go/security_rekor/rekor-v1.3.10/v1.3.10.zip) = 1193215
diff --git a/security/rekor/files/rekor.in b/security/rekor/files/rekor.in
new file mode 100644
index 000000000000..a8f145e34d2c
--- /dev/null
+++ b/security/rekor/files/rekor.in
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+# PROVIDE: rekor
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
+# to enable this service:
+#
+# rekor_enable (bool): Set it to YES to enable rekor.
+# Default is "NO".
+# rekor_user (user): Set user to run rekor.
+# Default is "rekor".
+# rekor_group (group): Set group to run rekor.
+# Default is "rekor".
+# rekor_config (file): Set rekor config file.
+# Default is "%%PREFIX%%/etc/rekor/rekor-server.yaml".
+
+. /etc/rc.subr
+
+name=rekor-server
+rcvar=rekor_enable
+
+load_rc_config $name
+
+: ${rekor_enable:="NO"}
+: ${rekor_user:="rekor"}
+: ${rekor_group:="rekor"}
+: ${rekor_config:="%%PREFIX%%/etc/rekor/rekor-server.yaml"}
+
+pidfile=/var/run/rekor.pid
+procname="%%PREFIX%%/bin/rekor-server"
+command="/usr/sbin/daemon"
+command_args="-f -t ${name} -p ${pidfile} ${procname} server -config=${rekor_config}"
+
+start_precmd=rekor_startprecmd
+required_files="$rekor_config"
+
+rekor_startprecmd()
+{
+ if [ ! -e ${pidfile} ]; then
+ install -o ${rekor_user} -g ${rekor_group} /dev/null ${pidfile};
+ fi
+}
+
+run_rc_command "$1"
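Review bot: `name=rekor-server` does not match the `rekor_*` knobs this script defines (`rekor_enable`, `rekor_user`, `rekor_group`, `rekor_config`) and documents in its header. rc.subr derives the per-service variables from `${name}`, so it would look for `rekor-server_user`/`rekor-server_group` (not even valid shell names) and never consult `rekor_user`, which presumably means the daemon keeps running as root instead of dropping to the `rekor` account the port reserves in UIDs/GIDs; `load_rc_config $name` likewise reads the wrong rc.conf.d file relative to `rcvar=rekor_enable`. Change the line to `name=rekor` and keep `procname="%%PREFIX%%/bin/rekor-server"` for the binary, or alternatively pass `-u ${rekor_user}` to daemon(8) explicitly. The `# PROVIDE: rekor` line and the `/var/run/rekor.pid` path already assume the shorter name.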
diff --git a/security/rekor/pkg-descr b/security/rekor/pkg-descr
new file mode 100644
index 000000000000..3bcbf74dd9a5
--- /dev/null
+++ b/security/rekor/pkg-descr
@@ -0,0 +1,17 @@
+Rekor's goals are to provide an immutable tamper resistant ledger of
+metadata generated within a software projects supply chain. Rekor will
+enable software maintainers and build systems to record signed metadata
+to an immutable record. Other parties can then query said metadata to
+enable them to make informed decisions on trust and non-repudiation of
+an object's lifecycle.
+
+The Rekor project provides a restful API based server for validation and
+a transparency log for storage. A CLI application is available to make
+and verify entries, query the transparency log for inclusion proof,
+integrity verification of the transparency log or retrieval of entries
+by either public key or artifact.
+
+Rekor fulfils the signature transparency role of sigstore's software
+signing infrastructure. However, Rekor can be run on its own and is
+designed to be extensible to working with different manifest schemas and
+PKI tooling.
diff --git a/security/rekor/pkg-plist.client b/security/rekor/pkg-plist.client
new file mode 100644
index 000000000000..e2d5c1237f63
--- /dev/null
+++ b/security/rekor/pkg-plist.client
@@ -0,0 +1,2 @@
+bin/rekor-cli
+@sample etc/rekor/rekor.yaml.sample
diff --git a/security/rekor/pkg-plist.server b/security/rekor/pkg-plist.server
new file mode 100644
index 000000000000..665e4deed750
--- /dev/null
+++ b/security/rekor/pkg-plist.server
@@ -0,0 +1,5 @@
+bin/backfill-index
+bin/cleanup-index
+bin/copy-index
+bin/rekor-server
+@sample etc/rekor/rekor-server.yaml.sample