Sigstore CLI
CLI for creating and verifying Sigstore bundles.

```sh-session
$ npm install -g @sigstore/cli
$ sigstore COMMAND
running command...
$ sigstore (--version)
@sigstore/cli/0.9.0 linux-x64 node-v20.19.4
$ sigstore --help [COMMAND]
USAGE
  $ sigstore COMMAND
...
```

Commands
* sigstore attach IMAGE-URI
* sigstore attest FILE
* [sigstore help [COMMAND]](#sigstore-help-command)
* sigstore initialize
* sigstore verify BUNDLE

sigstore attach IMAGE-URI

attach an attestation to a container image

```
USAGE
  $ sigstore attach IMAGE-URI --attestation [-u -p ]

ARGUMENTS
  IMAGE-URI  fully qualified URI to the image

FLAGS
  -p, --password=     password for the registry
  -u, --username=     username for the registry
      --attestation=  (required) attestation bundle to attach

DESCRIPTION
  attach an attestation to a container image

EXAMPLES
  $ sigstore attach --attestation {:|@}
```

sigstore attest FILE

attest the supplied file

```
USAGE
  $ sigstore attest FILE [--json] [--fulcio-url ] [--rekor-url ] [--tsa-server-url ]
    [--tlog-upload] [--oidc-client-id ] [--oidc-client-secret ] [--oidc-issuer ]
    [--oidc-redirect-url ] [-t ] [-o ] [--timeout ]

ARGUMENTS
  FILE  file to attest

FLAGS
  -o, --output-file=         write output to file
  -t, --payload-type=        [default: application/vnd.in-toto+json] MIME or content type to apply to the DSSE
                             envelope
      --fulcio-url=          [default: https://fulcio.sigstore.dev] URL to the Sigstore PKI server
      --oidc-client-id=      [default: sigstore] OIDC client ID for application
      --oidc-client-secret=  OIDC client secret for application
      --oidc-issuer=         [default: https://oauth2.sigstore.dev/auth] OIDC provider to be used to issue ID
                             token
      --oidc-redirect-url=   OIDC redirect URL
      --rekor-url=           [default: https://rekor.sigstore.dev] URL to the Rekor transparency log
      --timeout=             [default: 5] timeout in seconds for API requests
      --[no-]tlog-upload     whether or not to upload entry to the transparency log
      --tsa-server-url=      URL to the Timestamping Authority

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  attest the supplied file

EXAMPLES
  $ sigstore attest ./statement.json
```

sigstore help [COMMAND]

Display help for sigstore.

```
USAGE
  $ sigstore help [COMMAND...] [-n]

ARGUMENTS
  COMMAND...  Command to show help for.

FLAGS
  -n, --nested-commands  Include all nested commands in the output.

DESCRIPTION
  Display help for sigstore.
```

sigstore initialize

initialize the Sigstore TUF root to retrieve trusted certificates and keys for verification

```
USAGE
  $ sigstore initialize [--mirror ] [--root ] [--cache-path ] [--force]

FLAGS
  --cache-path=  Absolute path to the directory to be used for caching downloaded TUF metadata and targets
  --force        force initialization even if the cache already exists
  --mirror=      [default: https://tuf-repo-cdn.sigstore.dev] URL to the Sigstore TUF repository
  --root=        path to the initial trusted root. Defaults to the embedded root.

DESCRIPTION
  initialize the Sigstore TUF root to retrieve trusted certificates and keys for verification

ALIASES
  $ sigstore init

EXAMPLES
  $ sigstore initialize
```

sigstore verify BUNDLE

verify the supplied .sigstore bundle file

```
USAGE
  $ sigstore verify BUNDLE [--json] [--tlog-threshold ] [--ctlog-threshold ]
    [--certificate-identity-email --certificate-issuer ] [--certificate-identity-uri ]
    [--tuf-mirror-url ] [--tuf-root-path ] [--tuf-cache-path ] [--tuf-force-cache] [--blob-file
    | --blob ]

ARGUMENTS
  BUNDLE  bundle to verify

FLAGS
  --blob=                        Base64 encoded data to verify. Only required if bundle was not signed using
                                 attest
  --blob-file=                   File containing data to verify. Only required if bundle was not signed using
                                 attest
  --certificate-identity-email=  Email address which must appear in the signing certificate's Subject Alternative
                                 Name (SAN) extension. Not verified if no value is supplied
  --certificate-identity-uri=    URI which must appear in the signing certificate's Subject Alternative Name
                                 (SAN) extension. Not verified if no value is supplied
  --certificate-issuer=          Value that must appear in the signing certificate's issuer extension (OID
                                 1.3.6.1.4.1.57264.1.1 or 1.3.6.1.4.1.57264.1.8). Not verified if no value is
                                 supplied
  --ctlog-threshold=             [default: 1] number of certificate transparency log entries required to verify
  --tlog-threshold=              [default: 1] number of transparency log entries required to verify
  --tuf-cache-path=              Absolute path to the directory to be used for caching downloaded TUF metadata
                                 and targets
  --tuf-force-cache              Whether to give precedence to cached, un-expired TUF metadata and targets over
                                 remote versions
  --tuf-mirror-url=              Base URL for the Sigstore TUF repository
  --tuf-root-path=               Path to the initial trust root for the TUF repository

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  verify the supplied .sigstore bundle file

EXAMPLES
  $ sigstore verify ./bundle.sigstore
```
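
The certificate identity and issuer flags of `sigstore verify` are "Not verified if no value is supplied", so a verification step that omits them does not check who signed the bundle. The wrapper below is an added example, not part of the @sigstore/cli project: it refuses to run unless an issuer and an identity are given. The function name `verify_pinned` and its argument order are hypothetical, and it assumes `--certificate-issuer` may be combined with either identity flag.

```shell
#!/bin/sh
# Added example (not part of @sigstore/cli): fail-closed wrapper that always
# pins the signer. verify_pinned and its argument order are hypothetical.
#
# Usage: verify_pinned BUNDLE ISSUER email|uri IDENTITY [BLOB_FILE]
verify_pinned() {
  vp_bundle=${1:-} vp_issuer=${2:-} vp_kind=${3:-} vp_identity=${4:-} vp_blob=${5:-}

  # An empty issuer or identity would leave that check unverified, so refuse.
  if [ -z "$vp_issuer" ] || [ -z "$vp_identity" ]; then
    echo "verify_pinned: issuer and identity are required" >&2
    return 2
  fi
  if [ ! -r "$vp_bundle" ]; then
    echo "verify_pinned: cannot read bundle: $vp_bundle" >&2
    return 2
  fi

  # Select the SAN flag that matches the kind of identity being pinned.
  case $vp_kind in
    email) vp_flag=--certificate-identity-email ;;
    uri)   vp_flag=--certificate-identity-uri ;;
    *)
      echo "verify_pinned: identity kind must be 'email' or 'uri'" >&2
      return 2
      ;;
  esac

  # Assumption: --certificate-issuer may be combined with either identity flag.
  set -- verify "$vp_bundle" \
    "--certificate-issuer=$vp_issuer" \
    "$vp_flag=$vp_identity"

  # --blob-file is only required if the bundle was not signed using attest.
  if [ -n "$vp_blob" ]; then
    set -- "$@" "--blob-file=$vp_blob"
  fi

  # Propagate the CLI's exit status so callers can gate on it.
  sigstore "$@"
}
```

In a pipeline, call it with the expected issuer and identity for the artifact and treat any non-zero exit status as a failed verification.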