Text file src/github.com/sigstore/cosign/v2/doc/cosign_attest-blob.md

Documentation: github.com/sigstore/cosign/v2/doc

## cosign attest-blob

Attest the supplied blob.

```
cosign attest-blob [flags]
```

### Examples

```
  cosign attest-blob --key <key path>|<kms uri> [--predicate <path>] [--a key=value] [--f] [--r] <BLOB uri>

  # attach an attestation to a blob with a local key pair file and print the attestation
  cosign attest-blob --predicate <FILE> --type <TYPE> --key cosign.key --output-attestation <path> <BLOB>

  # attach an attestation to a blob with a key pair stored in Azure Key Vault
  cosign attest-blob --predicate <FILE> --type <TYPE> --key azurekms://[VAULT_NAME][VAULT_URI]/[KEY] <BLOB>

  # attach an attestation to a blob with a key pair stored in AWS KMS
  cosign attest-blob --predicate <FILE> --type <TYPE> --key awskms://[ENDPOINT]/[ID/ALIAS/ARN] <BLOB>

  # attach an attestation to a blob with a key pair stored in Google Cloud KMS
  cosign attest-blob --predicate <FILE> --type <TYPE> --key gcpkms://projects/[PROJECT]/locations/global/keyRings/[KEYRING]/cryptoKeys/[KEY]/versions/[VERSION] <BLOB>

  # attach an attestation to a blob with a key pair stored in Hashicorp Vault
  cosign attest-blob --predicate <FILE> --type <TYPE> --key hashivault://[KEY] <BLOB>

  # supply attestation via stdin
  echo <PAYLOAD> | cosign attest-blob --predicate - --yes
```

### Options

```
      --bundle string                     write everything required to verify the blob to a FILE
      --certificate string                path to the X.509 certificate in PEM format to include in the OCI Signature
      --certificate-chain string          path to a list of CA X.509 certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate. Included in the OCI Signature
      --fulcio-auth-flow string           fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials
      --fulcio-url string                 address of sigstore PKI server (default "https://fulcio.sigstore.dev")
      --hash string                       hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash
  -h, --help                              help for attest-blob
      --identity-token string             identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
      --insecure-skip-verify              skip verifying fulcio published to the SCT (this should only be used for testing).
      --key string                        path to the private key file, KMS URI or Kubernetes Secret
      --oidc-client-id string             OIDC client ID for application (default "sigstore")
      --oidc-client-secret-file string    Path to file containing OIDC client secret for application
      --oidc-disable-ambient-providers    Disable ambient OIDC providers. When true, ambient credentials will not be read
      --oidc-issuer string                OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
      --oidc-provider string              Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github-actions, filesystem, buildkite-agent]
      --oidc-redirect-url string          OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
      --output-attestation string         write the attestation to FILE
      --output-certificate string         write the certificate to FILE
      --output-signature string           write the signature to FILE
      --predicate string                  path to the predicate file.
      --rekor-entry-type string           specifies the type to be used for a rekor entry upload. Options are intoto or dsse (default).  (default "dsse")
      --rekor-url string                  address of rekor STL server (default "https://rekor.sigstore.dev")
      --rfc3161-timestamp-bundle string   path to an RFC 3161 timestamp bundle FILE
      --sk                                whether to use a hardware security key
      --slot string                       security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
      --timestamp-server-url string       url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
      --tlog-upload                       whether or not to upload to the tlog (default true)
      --type string                       specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom")
  -y, --yes                               skip confirmation prompts for non-destructive operations
```

### Options inherited from parent commands

```
      --output-file string   log output to a file
  -t, --timeout duration     timeout for commands (default 3m0s)
  -d, --verbose              log debug output
```

### SEE ALSO

* [cosign](cosign.md)	 - A tool for Container Signing, Verification and Storage in an OCI registry.

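As an added example (not cosign's own code), the Python below sketches the unsigned material that `cosign attest-blob` wraps around a `--predicate` file: the in-toto Statement whose subject is the blob's sha256 (which is why `--hash` alone suffices when the artifact lives elsewhere), the `--type` name to predicateType mapping, the DSSE pre-authentication encoding that the `--key` actually signs, and the verifier-side check that the attested digest matches the blob. The subject name, the Statement version and the predicate-type URIs are assumptions from my reading of the cosign source, not values stated on this page.

```python
"""Shape of the statement `cosign attest-blob` signs (added example, not cosign code)."""
import hashlib
import json

# --type names -> predicateType URIs. ASSUMED from the cosign source; any other
# --type value is treated as a literal URI, as the --type flag text describes.
PREDICATE_TYPES = {
    "custom": "https://cosign.sigstore.dev/attestation/v1",
    "vuln": "https://cosign.sigstore.dev/attestation/vuln/v1",
    "slsaprovenance": "https://slsa.dev/provenance/v0.2",
    "slsaprovenance02": "https://slsa.dev/provenance/v0.2",
    "slsaprovenance1": "https://slsa.dev/provenance/v1",
    "link": "https://in-toto.io/Link/v1",
    "spdx": "https://spdx.dev/Document",
    "spdxjson": "https://spdx.dev/Document",
    "cyclonedx": "https://cyclonedx.org/bom",
    "openvex": "https://openvex.dev/ns",
}
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"   # assumed Statement version
PAYLOAD_TYPE = "application/vnd.in-toto+json"          # DSSE payloadType for in-toto


def sha256_hex(data: bytes) -> str:
    """Hex digest in the form the --hash flag accepts (base16)."""
    return hashlib.sha256(data).hexdigest()


def build_statement(blob_sha256: str, predicate: dict, predicate_type: str = "custom") -> dict:
    """In-toto Statement: only the digest of the blob is embedded, never the blob itself."""
    uri = PREDICATE_TYPES.get(predicate_type, predicate_type)
    return {
        "_type": STATEMENT_TYPE,
        "predicateType": uri,
        "subject": [{"name": "blob", "digest": {"sha256": blob_sha256}}],  # name assumed
        "predicate": predicate,
    }


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE PAE: 'DSSEv1 <len(type)> <type> <len(payload)> <payload>'. The signature
    covers these bytes, so the payload type is bound to the signature too."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])


def signing_input(statement: dict) -> bytes:
    """Bytes a signer would hand to the key: PAE over the JSON-serialised Statement."""
    return dsse_pae(PAYLOAD_TYPE, json.dumps(statement, separators=(",", ":")).encode())


def subject_matches(statement: dict, blob: bytes) -> bool:
    """Verifier-side check: a signed statement is only meaningful for the blob it names."""
    actual = sha256_hex(blob)
    return any(s["digest"].get("sha256") == actual for s in statement["subject"])
```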