cosign manifest verify

Verify all signatures of images specified in the manifest

Options

NameDescription
--output-file <output-file>Log output to a file
--timeout, -t <timeout>Timeout for commands
--verbose, -dLog debug output
--allow-insecure-registryWhether to allow insecure connections to registries. Don't use this for anything but testing
--annotations, -a <annotations>Extra key=value pairs to sign
--attachment <attachment>Related image attachment to sign (sbom), default none
--attachment-tag-prefix <attachment-tag-prefix>Optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]`
--cert <cert>Path to the public certificate
--cert-email <cert-email>The email expected in a valid Fulcio certificate
--cert-oidc-issuer <cert-oidc-issuer>The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth
--check-claimsWhether to check the claims found
--k8s-keychainWhether to use the kubernetes keychain instead of the default keychain (supports workload identity)
--key <key>Path to the public key file, KMS URI or Kubernetes Secret
--local-imageWhether the specified image is a path to an image saved locally via 'cosign save'
--output, -o <output>Output format for the signing image information (json|text)
--rekor-url <rekor-url>[EXPERIMENTAL] address of rekor STL server
--signature <signature>Signature content or path or remote URL
--signature-digest-algorithm <signature-digest-algorithm>Digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512)
--skWhether to use a hardware security key
--slot <slot>Security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
--help, -hHelp for verify