license switch agpl -> busl1, sprints work, new product advisories

devops/compose/env/airgap.env.example

@@ -24,6 +24,19 @@ SIGNER_PORT=8441
 # Attestor
 ATTESTOR_PORT=8442
 
+# Rekor Configuration (Attestor/Scanner)
+# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
+REKOR_SERVER_URL=https://rekor.sigstore.dev
+# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
+REKOR_VERSION=V2
+# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
+REKOR_TILE_BASE_URL=
+# Log ID for multi-log environments (Sigstore production log ID)
+REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+
+# Rekor v2 tiles image (pin to digest when mirroring)
+REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
+
 # Issuer Directory
 ISSUER_DIRECTORY_PORT=8447
 ISSUER_DIRECTORY_SEED_CSAF=true

devops/compose/env/dev.env.example

@@ -24,16 +24,17 @@ SIGNER_PORT=8441
 ATTESTOR_PORT=8442
 
 # Rekor Configuration (Attestor/Scanner)
-# Server URL - default is public Sigstore Rekor
+# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
 REKOR_SERVER_URL=https://rekor.sigstore.dev
-# Log version: Auto, V1, or V2 (V2 uses tile-based Sunlight format)
-REKOR_VERSION=Auto
+# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
+REKOR_VERSION=V2
 # Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
 REKOR_TILE_BASE_URL=
 # Log ID for multi-log environments (Sigstore production log ID)
 REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
-# Prefer tile proofs when Version=Auto
-REKOR_PREFER_TILE_PROOFS=false
+
+# Rekor v2 tiles image (pin to digest when mirroring)
+REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
 
 # Issuer Directory
 ISSUER_DIRECTORY_PORT=8447

devops/compose/env/prod.env.example

@@ -25,6 +25,19 @@ SIGNER_PORT=8441
 # Attestor
 ATTESTOR_PORT=8442
 
+# Rekor Configuration (Attestor/Scanner)
+# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
+REKOR_SERVER_URL=https://rekor.sigstore.dev
+# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
+REKOR_VERSION=V2
+# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
+REKOR_TILE_BASE_URL=
+# Log ID for multi-log environments (Sigstore production log ID)
+REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+
+# Rekor v2 tiles image (pin to digest when mirroring)
+REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
+
 # Issuer Directory
 ISSUER_DIRECTORY_PORT=8447
 ISSUER_DIRECTORY_SEED_CSAF=true

devops/compose/env/stage.env.example

@@ -24,6 +24,19 @@ SIGNER_PORT=8441
 # Attestor
 ATTESTOR_PORT=8442
 
+# Rekor Configuration (Attestor/Scanner)
+# Server URL - default is public Sigstore Rekor (use http://rekor-v2:3000 when running the Rekor v2 compose overlay)
+REKOR_SERVER_URL=https://rekor.sigstore.dev
+# Log version: Auto or V2 (V2 uses tile-based Sunlight format)
+REKOR_VERSION=V2
+# Tile base URL for V2 (optional, defaults to {REKOR_SERVER_URL}/tile/)
+REKOR_TILE_BASE_URL=
+# Log ID for multi-log environments (Sigstore production log ID)
+REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+
+# Rekor v2 tiles image (pin to digest when mirroring)
+REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
+
 # Issuer Directory
 ISSUER_DIRECTORY_PORT=8447
 ISSUER_DIRECTORY_SEED_CSAF=true