1## cosign verify-blob-attestation
2
3Verify an attestation on the supplied blob
4
5### Synopsis
6
7Verify an attestation on the supplied blob input using the specified key reference.
8You may specify either a key or a kms reference to verify against.
9
10The signature may be specified as a path to a file or a base64 encoded string.
11The blob may be specified as a path to a file.
12
13```
14cosign verify-blob-attestation [flags]
15```
16
17### Examples
18
19```
20 cosign verify-blob-attestation (--key <key path>|<key url>|<kms uri>) --signature <sig> [path to BLOB]
21
22 # Verify a simple blob attestation with a DSSE style signature
23 cosign verify-blob-attestation --key cosign.pub (--signature <sig path>|<sig url>)[path to BLOB]
24
25
26```
27
28### Options
29
30```
31 --bundle string path to bundle FILE
32 --certificate string path to the public certificate. The certificate will be verified against the Fulcio roots if the --certificate-chain option is not passed.
33 --certificate-chain string path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
34 --certificate-github-workflow-name string contains the workflow claim from the GitHub OIDC Identity token that contains the name of the executed workflow.
35 --certificate-github-workflow-ref string contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon.
36 --certificate-github-workflow-repository string contains the repository claim from the GitHub OIDC Identity token that contains the repository that the workflow run was based upon
37 --certificate-github-workflow-sha string contains the sha claim from the GitHub OIDC Identity token that contains the commit SHA that the workflow run was based upon.
38 --certificate-github-workflow-trigger string contains the event_name claim from the GitHub OIDC Identity token that contains the name of the event that triggered the workflow run
39 --certificate-identity string The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.
40 --certificate-identity-regexp string A regular expression alternative to --certificate-identity. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.
41 --certificate-oidc-issuer string The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.
42 --certificate-oidc-issuer-regexp string A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.
43 --check-claims if true, verifies the provided blob's sha256 digest exists as an in-toto subject within the attestation. If false, only the DSSE envelope is verified. (default true)
44 --experimental-oci11 set to true to enable experimental OCI 1.1 behaviour
45 -h, --help help for verify-blob-attestation
46 --insecure-ignore-sct when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log
47 --insecure-ignore-tlog ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log
48 --key string path to the public key file, KMS URI or Kubernetes Secret
49 --max-workers int the amount of maximum workers for parallel executions (default 10)
50 --offline only allow offline verification
51 --private-infrastructure skip transparency log verification when verifying artifacts in a privately deployed infrastructure
52 --rekor-url string address of rekor STL server (default "https://rekor.sigstore.dev")
53 --rfc3161-timestamp string path to RFC3161 timestamp FILE
54 --sct string path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
55 --signature string path to base64-encoded signature over attestation in DSSE format
56 --sk whether to use a hardware security key
57 --slot string security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
58 --timestamp-certificate-chain string path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp
59 --type string specify a predicate type (slsaprovenance|slsaprovenance02|slsaprovenance1|link|spdx|spdxjson|cyclonedx|vuln|openvex|custom) or an URI (default "custom")
60```
61
62### Options inherited from parent commands
63
64```
65 --output-file string log output to a file
66 -t, --timeout duration timeout for commands (default 3m0s)
67 -d, --verbose log debug output
68```
69
70### SEE ALSO
71
72* [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry.
73
View as plain text