cosign policy sign
Sign a keyless policy
Options
| Name | Description |
|---|---|
--output-file <output-file> | Log output to a file |
--timeout, -t <timeout> | Timeout for commands |
--verbose, -d | Log debug output |
--allow-insecure-registry | Whether to allow insecure connections to registries. Don't use this for anything but testing |
--attachment-tag-prefix <attachment-tag-prefix> | Optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]` |
--fulcio-url <fulcio-url> | [EXPERIMENTAL] address of sigstore PKI server |
--identity-token <identity-token> | [EXPERIMENTAL] identity token to use for certificate from fulcio |
--insecure-skip-verify | [EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing) |
--k8s-keychain | Whether to use the kubernetes keychain instead of the default keychain (supports workload identity) |
--namespace <namespace> | Registry namespace that the root policy belongs to |
--oidc-client-id <oidc-client-id> | [EXPERIMENTAL] OIDC client ID for application |
--oidc-client-secret <oidc-client-secret> | [EXPERIMENTAL] OIDC client secret for application |
--oidc-issuer <oidc-issuer> | [EXPERIMENTAL] OIDC provider to be used to issue ID token |
--out <out> | Output policy locally |
--rekor-url <rekor-url> | [EXPERIMENTAL] address of rekor STL server |
--help, -h | Help for sign |