1## cosign manifest verify
2
3Verify all signatures of images specified in the manifest
4
5### Synopsis
6
7Verify all signature of images in a Kubernetes resource manifest by checking claims
8against the transparency log.
9
10```
11cosign manifest verify [flags]
12```
13
14### Examples
15
16```
17 cosign manifest verify --key <key path>|<key url>|<kms uri> <path/to/manifest>
18
19 # verify cosign claims and signing certificates on images in the manifest
20 cosign manifest verify <path/to/my-deployment.yaml>
21
22 # additionally verify specified annotations
23 cosign manifest verify -a key1=val1 -a key2=val2 <path/to/my-deployment.yaml>
24
25 # verify images with public key
26 cosign manifest verify --key cosign.pub <path/to/my-deployment.yaml>
27
28 # verify images with public key provided by URL
29 cosign manifest verify --key https://host.for/<FILE> <path/to/my-deployment.yaml>
30
31 # verify images with public key stored in Azure Key Vault
32 cosign manifest verify --key azurekms://[VAULT_NAME][VAULT_URI]/[KEY] <path/to/my-deployment.yaml>
33
34 # verify images with public key stored in AWS KMS
35 cosign manifest verify --key awskms://[ENDPOINT]/[ID/ALIAS/ARN] <path/to/my-deployment.yaml>
36
37 # verify images with public key stored in Google Cloud KMS
38 cosign manifest verify --key gcpkms://projects/[PROJECT]/locations/global/keyRings/[KEYRING]/cryptoKeys/[KEY] <path/to/my-deployment.yaml>
39
40 # verify images with public key stored in Hashicorp Vault
41 cosign manifest verify --key hashivault://[KEY] <path/to/my-deployment.yaml>
42```
43
44### Options
45
46```
47 --allow-http-registry whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing
48 --allow-insecure-registry whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing
49 -a, --annotations strings extra key=value pairs to sign
50 --attachment string DEPRECATED, related image attachment to verify (sbom), default none
51 --attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
52 --certificate string path to the public certificate. The certificate will be verified against the Fulcio roots if the --certificate-chain option is not passed.
53 --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
54 --certificate-github-workflow-name string contains the workflow claim from the GitHub OIDC Identity token that contains the name of the executed workflow.
55 --certificate-github-workflow-ref string contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon.
56 --certificate-github-workflow-repository string contains the repository claim from the GitHub OIDC Identity token that contains the repository that the workflow run was based upon
57 --certificate-github-workflow-sha string contains the sha claim from the GitHub OIDC Identity token that contains the commit SHA that the workflow run was based upon.
58 --certificate-github-workflow-trigger string contains the event_name claim from the GitHub OIDC Identity token that contains the name of the event that triggered the workflow run
59 --certificate-identity string The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.
60 --certificate-identity-regexp string A regular expression alternative to --certificate-identity. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.
61 --certificate-oidc-issuer string The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.
62 --certificate-oidc-issuer-regexp string A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.
63 --check-claims whether to check the claims found (default true)
64 --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour
65 -h, --help help for verify
66 --insecure-ignore-sct when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log
67 --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log
68 --k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
69 --key string path to the public key file, KMS URI or Kubernetes Secret
70 --local-image whether the specified image is a path to an image saved locally via 'cosign save'
71 --max-workers int the amount of maximum workers for parallel executions (default 10)
72 --offline only allow offline verification
73 -o, --output string output format for the signing image information (json|text) (default "json")
74 --payload string payload path or remote URL
75 --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure
76 --registry-password string registry basic auth password
77 --registry-token string registry bearer auth token
78 --registry-username string registry basic auth username
79 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
80 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
81 --signature string signature content or path or remote URL
82 --signature-digest-algorithm string digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512) (default "sha256")
83 --sk whether to use a hardware security key
84 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
85 --timestamp-certificate-chain string path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp
86```
87
88### Options inherited from parent commands
89
90```
91 --output-file string log output to a file
92 -t, --timeout duration timeout for commands (default 3m0s)
93 -d, --verbose log debug output
94```
95
96### SEE ALSO
97
98* [cosign manifest](cosign_manifest.md) - Provides utilities for discovering images in and performing operations on Kubernetes manifests
99
View as plain text