This repository contains a directory of archived Certificate Transparency (CT) logs, as well as tools to archive RFC 6962 and Static CT logs.
† These logs were mistakenly archived without the issuer/ directory.
If you archive a log, please submit a pull request to add it to this table.
To help seed the torrent files, you can use this feed 📡 The whole archive weighs approximately 10TB.
A very comprehensive list of CT logs can be found at https://sslmate.com/app/ctlogs.
Logs are archived in the c2sp.org/static-ct-api@v1.0.0 format, although if they were originally served through RFC 6962 APIs, leaves might miss the LeafIndex extension. The sunlight.ReadTileLeafMaybeArchival function can read both types of leaves.
The log is split over multiple zip files, each 10-15GB. Archive <N>.zip
contains the tiles at levels -1 (the data entries), 0, 1, and 2 belonging to
subtree
[ 256×256×256×N, min(256×256×256×(N+1),TreeSize) )
In other words, each zip file contains one level 2 tile, and all those below it.
Every zip file also contains the following files, making it self-contained and self-verifying:
README.txt— a description of the archival formatcheckpoint— a Signed Tree Head in c2sp.org/tlog-checkpoint format, with the RFC 6962 STH signature encoded according to c2sp.org/static-ct-api@v1.0.0log.v3.json— a JSON specification of the log, including its log ID, public key, temporal interval, and original URL(s)issuer/*— the X.509 chain issuers for the whole logtile/{3,4}/*— higher-level tiles, including the hashes of other level 2 tiles not included in this archivetile/{0,1,2}/*.p/*— partial tiles on the right edge of the tree, if any, necessary to compute the tree head
filippo.io/sunlight.Client can be used with a archive+file:// URL to read
these logs directly from the zip archives, or with a file:// URL to read the
unpacked Static CT log. You may need to set ClientConfig.AllowRFC6962ArchivalLeafs.
Alternatively, filippo.io/torchwood.TileArchiveFS can be used to read files directly from the zip archives.
The vanity-mirror command fetches an RFC 6962 log and stores it in the Static
CT log format.
go run geomys.org/ct-archive/cmd/vanity-mirror@main
The log's URL and public key are obtained from the log.v3.json file in the working directory, and the log is downloaded to the working directory. The following command creates a log.v3.json file for a log with the given URL:
curl -sSL https://www.gstatic.com/ct/log_list/v3/all_logs_list.json | \
jq ".operators[].logs[] | select(.url == \"$URL\") | del(.state, .mmd)" | tee log.v3.json
The origin for the checkpoint is derived from the log's URL.
Progress is tracked by storing partial unsigned checkpoints in the working
directory. Only get-sth and get-entries requests are made to the log. Once
the download is complete, the final checkpoint is verified against the Signed
Tree Head, and the signature is stored in the checkpoint file.
An optional command-line argument can be provided to specify a different base URL for fetching the log, e.g. a mirror. This URL is not persisted in the archive.
The photocamera-archiver command packs a local Static CT log into zip files
suitable for archival.
Note: as of Go 1.25, the archive/zip package produces subtly invalid Zip64
files that some extractors (including sometimes the Internet Archive's) cannot
read. Use https://go.dev/cl/725161 to build and run this tool like in the
instructions below or fix the archives with zip -F before uploading them.
go install golang.org/dl/gotip@latest
gotip download 725161
gotip run geomys.org/ct-archive/cmd/photocamera-archiver@main
The log is read from the working directory, and zip files are created in the
archive/ subdirectory. All entries are verified against the checkpoint.
If the log operator doesn't have the resources to host them long-term, the zip
files can be uploaded to a new Internet Archive item using the ia CLI. The
ia-metadata.py script populates the metadata from the contents of the item.
Use ct_operator_nameYYYYhN as the item identifier, e.g. ct_sectigo_sabre2024h1.
uv tool install internetarchive
ia configure
ia upload --metadata="collection:opensource_media" $ITEM archive/*.zip
uv run --script cmd/ia-metadata.py $ITEM
All items are tagged with the certificate transparency log topic.