cosign_verify-blob.md

Documentation: github.com/sigstore/cosign/v2/doc

     1## cosign verify-blob
     2
     3Verify a signature on the supplied blob
     4
     5### Synopsis
     6
     7Verify a signature on the supplied blob input using the specified key reference.
     8You may specify either a key, a certificate or a kms reference to verify against.
     9	If you use a key or a certificate, you must specify the path to them on disk.
    10
    11The signature may be specified as a path to a file or a base64 encoded string.
    12The blob may be specified as a path to a file or - for stdin.
    13
    14```
    15cosign verify-blob [flags]
    16```
    17
    18### Examples
    19
    20```
    21 cosign verify-blob (--key <key path>|<key url>|<kms uri>)|(--certificate <cert>) --signature <sig> <blob>
    22
    23  # Verify a simple blob and message
    24  cosign verify-blob --key cosign.pub (--signature <sig path>|<sig url> msg)
    25
    26  # Verify a signature from an environment variable
    27  cosign verify-blob --key cosign.pub --signature $sig msg
    28
    29  # verify a signature with public key provided by URL
    30  cosign verify-blob --key https://host.for/<FILE> --signature $sig msg
    31
    32  # verify a signature with signature and key provided by URL
    33  cosign verify-blob --key https://host.for/<FILE> --signature https://example.com/<SIG>
    34
    35  # Verify a signature against Azure Key Vault
    36  cosign verify-blob --key azurekms://[VAULT_NAME][VAULT_URI]/[KEY] --signature $sig <blob>
    37
    38  # Verify a signature against AWS KMS
    39  cosign verify-blob --key awskms://[ENDPOINT]/[ID/ALIAS/ARN] --signature $sig <blob>
    40
    41  # Verify a signature against Google Cloud KMS
    42  cosign verify-blob --key gcpkms://projects/[PROJECT ID]/locations/[LOCATION]/keyRings/[KEYRING]/cryptoKeys/[KEY] --signature $sig <blob>
    43
    44  # Verify a signature against Hashicorp Vault
    45  cosign verify-blob --key hashivault://[KEY] --signature $sig <blob>
    46
    47  # Verify a signature against GitLab with project name
    48  cosign verify-blob --key gitlab://[OWNER]/[PROJECT_NAME]  --signature $sig <blob>
    49
    50  # Verify a signature against GitLab with project id
    51  cosign verify-blob --key gitlab://[PROJECT_ID]  --signature $sig <blob>
    52
    53  # Verify a signature against a certificate
    54  cosign verify-blob --certificate <cert> --signature $sig <blob>
    55
    56```
    57
    58### Options
    59
    60```
    61      --bundle string                                   path to bundle FILE
    62      --certificate string                              path to the public certificate. The certificate will be verified against the Fulcio roots if the --certificate-chain option is not passed.
    63      --certificate-chain string                        path to a list of CA certificates in PEM format which will be needed when building the certificate chain for the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and end with the root certificate
    64      --certificate-github-workflow-name string         contains the workflow claim from the GitHub OIDC Identity token that contains the name of the executed workflow.
    65      --certificate-github-workflow-ref string          contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was based upon.
    66      --certificate-github-workflow-repository string   contains the repository claim from the GitHub OIDC Identity token that contains the repository that the workflow run was based upon
    67      --certificate-github-workflow-sha string          contains the sha claim from the GitHub OIDC Identity token that contains the commit SHA that the workflow run was based upon.
    68      --certificate-github-workflow-trigger string      contains the event_name claim from the GitHub OIDC Identity token that contains the name of the event that triggered the workflow run
    69      --certificate-identity string                     The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.
    70      --certificate-identity-regexp string              A regular expression alternative to --certificate-identity. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.
    71      --certificate-oidc-issuer string                  The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.
    72      --certificate-oidc-issuer-regexp string           A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be set for keyless flows.
    73      --experimental-oci11                              set to true to enable experimental OCI 1.1 behaviour
    74  -h, --help                                            help for verify-blob
    75      --insecure-ignore-sct                             when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a certificate transparency log
    76      --insecure-ignore-tlog                            ignore transparency log verification, to be used when an artifact signature has not been uploaded to the transparency log. Artifacts cannot be publicly verified when not included in a log
    77      --key string                                      path to the public key file, KMS URI or Kubernetes Secret
    78      --max-workers int                                 the amount of maximum workers for parallel executions (default 10)
    79      --offline                                         only allow offline verification
    80      --private-infrastructure                          skip transparency log verification when verifying artifacts in a privately deployed infrastructure
    81      --rekor-url string                                address of rekor STL server (default "https://rekor.sigstore.dev")
    82      --rfc3161-timestamp string                        path to RFC3161 timestamp FILE
    83      --sct string                                      path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a certificate contains an SCT, verification will check both the detached and embedded SCTs.
    84      --signature string                                signature content or path or remote URL
    85      --sk                                              whether to use a hardware security key
    86      --slot string                                     security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
    87      --timestamp-certificate-chain string              path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if not present in the timestamp
    88```
    89
    90### Options inherited from parent commands
    91
    92```
    93      --output-file string   log output to a file
    94  -t, --timeout duration     timeout for commands (default 3m0s)
    95  -d, --verbose              log debug output
    96```
    97
    98### SEE ALSO
    99
   100* [cosign](cosign.md)	 - A tool for Container Signing, Verification and Storage in an OCI registry.
   101
View as plain text