## cosign initialize

Initializes Sigstore root to retrieve trusted certificate and key targets for verification.

### Synopsis

Initializes Sigstore root to retrieve trusted certificate and key targets for verification.

The following options are used by default:
 - The current trusted Sigstore TUF root is embedded inside cosign at the time of release.
 - The Sigstore remote TUF repository is pulled from the CDN mirror at tuf-repo-cdn.sigstore.dev.

To provide an out-of-band trusted initial root.json, use the --root flag with a file or URL reference.
This will enable you to point cosign to a separate TUF root.

Any updated TUF repository will be written to $HOME/.sigstore/root/.

Trusted keys and certificates used in cosign verification (e.g. verifying Fulcio-issued certificates
with the Fulcio root CA) are pulled from the trusted metadata.

```
cosign initialize [flags]
```
24
### Examples

```
cosign initialize --mirror <url>

# initialize root with distributed root keys, default mirror, and default out path.
cosign initialize

# initialize with an out-of-band root key file, using the default mirror.
cosign initialize --root <url>

# initialize with an out-of-band root key file and custom repository mirror.
cosign initialize --mirror <url> --root <url>
```
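
The out-of-band root described in the synopsis is only as trustworthy as the channel it arrived over. The wrapper below is an added example, not part of the cosign documentation or code base: it checks a root.json against a SHA-256 digest obtained separately before passing it to `cosign initialize --root`. The names `COSIGN_BIN`, `sha256_of`, `root_matches_pin` and `init_pinned_root` are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not cosign project code): pin an out-of-band root.json by
# SHA-256 before `cosign initialize --root` is allowed to trust it.
# COSIGN_BIN, sha256_of, root_matches_pin and init_pinned_root are names
# assumed for this sketch.
COSIGN_BIN="${COSIGN_BIN:-cosign}"

# sha256_of FILE: print the file's lowercase hex SHA-256 digest.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# root_matches_pin FILE PIN: succeed only if FILE exists and hashes to PIN.
root_matches_pin() {
    [ -f "$1" ] || return 2
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# init_pinned_root FILE PIN [MIRROR]: initialize from FILE only if it matches
# PIN. MIRROR may be an HTTP(S) base URL or file:/// path (air-gap).
init_pinned_root() {
    mirror=${3:-}
    # Check a private copy so the file cannot change between check and use.
    staged=$(mktemp) || return 1
    if ! cp "$1" "$staged" 2>/dev/null || ! root_matches_pin "$staged" "$2"; then
        echo "refusing to initialize: $1 does not match the pinned digest" >&2
        rm -f "$staged"
        return 1
    fi
    rc=0
    if [ -n "$mirror" ]; then
        "$COSIGN_BIN" initialize --mirror "$mirror" --root "$staged" || rc=$?
    else
        "$COSIGN_BIN" initialize --root "$staged" || rc=$?
    fi
    rm -f "$staged"
    return "$rc"
}
```

The digest check only establishes that the file is the one you were given; cosign still validates the TUF metadata itself when it loads the root.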
39
### Options

```
  -h, --help            help for initialize
      --mirror string   GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (default "https://tuf-repo-cdn.sigstore.dev")
      --root string     path to trusted initial root. defaults to embedded root
```

### Options inherited from parent commands

```
      --output-file string   log output to a file
  -t, --timeout duration     timeout for commands (default 3m0s)
  -d, --verbose              log debug output
```
55
### SEE ALSO

* [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry.
