Text file src/github.com/sigstore/cosign/v2/doc/cosign_sign-blob.md

## cosign sign-blob

Sign the supplied blob, outputting the base64-encoded signature to stdout.

```
cosign sign-blob [flags]
```

### Examples

```
  cosign sign-blob --key <key path>|<kms uri> <blob>

  # sign a blob with Google sign-in (experimental)
  cosign sign-blob <FILE> --output-signature <FILE> --output-certificate <FILE>

  # sign a blob with a local key pair file
  cosign sign-blob --key cosign.key <FILE>

  # sign a blob with a key stored in an environment variable
  cosign sign-blob --key env://[ENV_VAR] <FILE>

  # sign a blob with a key pair stored in Azure Key Vault
  cosign sign-blob --key azurekms://[VAULT_NAME][VAULT_URI]/[KEY] <FILE>

  # sign a blob with a key pair stored in AWS KMS
  cosign sign-blob --key awskms://[ENDPOINT]/[ID/ALIAS/ARN] <FILE>

  # sign a blob with a key pair stored in Google Cloud KMS
  cosign sign-blob --key gcpkms://projects/[PROJECT]/locations/global/keyRings/[KEYRING]/cryptoKeys/[KEY] <FILE>

  # sign a blob with a key pair stored in Hashicorp Vault
  cosign sign-blob --key hashivault://[KEY] <FILE>
```

### Options

```
      --b64                              whether to base64 encode the output (default true)
      --bundle string                    write everything required to verify the blob to a FILE
      --fulcio-auth-flow string          fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials
      --fulcio-url string                address of sigstore PKI server (default "https://fulcio.sigstore.dev")
  -h, --help                             help for sign-blob
      --identity-token string            identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.
      --insecure-skip-verify             skip verifying the SCT (signed certificate timestamp) that fulcio published for the issued certificate (this should only be used for testing).
      --issue-certificate                issue a code signing certificate from Fulcio, even if a key is provided
      --key string                       path to the private key file, KMS URI or Kubernetes Secret
      --oidc-client-id string            OIDC client ID for application (default "sigstore")
      --oidc-client-secret-file string   Path to file containing OIDC client secret for application
      --oidc-disable-ambient-providers   Disable ambient OIDC providers. When true, ambient credentials will not be read
      --oidc-issuer string               OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
      --oidc-provider string             Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github-actions, filesystem, buildkite-agent]
      --oidc-redirect-url string         OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
      --output string                    write the signature to FILE
      --output-certificate string        write the certificate to FILE
      --output-signature string          write the signature to FILE
      --rekor-url string                 address of rekor STL server (default "https://rekor.sigstore.dev")
      --rfc3161-timestamp string         write the RFC3161 timestamp to a file
      --sk                               whether to use a hardware security key
      --slot string                      security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
      --timestamp-client-cacert string   path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server
      --timestamp-client-cert string     path to the X.509 certificate file in PEM format to be used for the connection to the TSA Server
      --timestamp-client-key string      path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server
      --timestamp-server-name string     SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server
      --timestamp-server-url string      url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr
      --tlog-upload                      whether or not to upload to the tlog (default true)
  -y, --yes                              skip confirmation prompts for non-destructive operations
```
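
As an added example, not cosign's own code, the Go program below reproduces what `cosign sign-blob --key cosign.key <FILE>` emits with the default `--b64`: the SHA-256 digest of the blob, signed with ECDSA P-256, ASN.1 DER-encoded and then base64-encoded; and the check that `cosign verify-blob --key cosign.pub --signature <sig>` performs on that signature. It uses only the Go standard library so it runs offline. Assumptions: the key pair is generated in-process (so there is no password-encrypted `cosign.key` as `cosign generate-key-pair` would write, only the PEM `PUBLIC KEY` that `cosign.pub` holds), the blob is a constructed sample, and the keyless path (Fulcio certificate, Rekor transparency-log entry, RFC 3161 timestamp, `--bundle`) is not reproduced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// SignBlob mirrors the key-based signature that `cosign sign-blob --key` writes
// for a P-256 key: SHA-256 of the blob, ECDSA signature in ASN.1 DER, base64
// (the --b64 default; --b64=false would emit the raw DER bytes instead).
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// PublicKeyPEM renders the verifier key the way cosign.pub is stored:
// PKIX DER inside a PEM "PUBLIC KEY" block.
func PublicKeyPEM(pub *ecdsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// VerifyBlob is the offline counterpart of `cosign verify-blob --key cosign.pub
// --signature <sig> <FILE>` for the key-based case. It checks the signature
// only; a transparency-log lookup (what --tlog-upload feeds) is out of scope.
func VerifyBlob(pubPEM, blob []byte, b64sig string) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("not a PEM PUBLIC KEY")
	}
	parsed, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := parsed.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("not an ECDSA public key")
	}
	sig, err := base64.StdEncoding.DecodeString(b64sig)
	if err != nil {
		return fmt.Errorf("signature is not base64: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match blob")
	}
	return nil
}

// RoundTrip generates a throwaway P-256 key (assumption: the same curve cosign
// generate-key-pair uses), signs a constructed sample blob, and confirms that
// verification passes on the original and fails once a single byte is flipped.
func RoundTrip() (bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	pubPEM, err := PublicKeyPEM(&priv.PublicKey)
	if err != nil {
		return false, err
	}
	blob := []byte("release-1.2.3.tar.gz contents (constructed sample)\n")
	sig, err := SignBlob(priv, blob)
	if err != nil {
		return false, err
	}
	if err := VerifyBlob(pubPEM, blob, sig); err != nil {
		return false, err
	}
	tampered := append([]byte{}, blob...)
	tampered[0] ^= 0x01
	if VerifyBlob(pubPEM, tampered, sig) == nil {
		return false, errors.New("tampered blob verified")
	}
	return true, nil
}

func main() {
	ok, err := RoundTrip()
	fmt.Println("round trip ok:", ok, "err:", err)
}
```

To check a real artifact, pass the bytes of `cosign.pub`, the blob file and the contents of the file written by `--output-signature` to `VerifyBlob`. This is a format check, not a replacement for `cosign verify-blob`, which by default also expects the Rekor entry that `--tlog-upload` created; a signature made with `--tlog-upload=false` needs the matching opt-out on the verify side.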

### Options inherited from parent commands

```
      --output-file string   log output to a file
  -t, --timeout duration     timeout for commands (default 3m0s)
  -d, --verbose              log debug output
```

### SEE ALSO

* [cosign](cosign.md)	 - A tool for Container Signing, Verification and Storage in an OCI registry.
