cosign sign
Sign the supplied container image
Options
Name | Description |
---|---|
--output-file <output-file> | Log output to a file |
--timeout, -t <timeout> | Timeout for commands |
--verbose, -d | Log debug output |
--allow-insecure-registry | Whether to allow insecure connections to registries. Don't use this for anything but testing |
--annotations, -a <annotations> | Extra key=value pairs to sign |
--attachment <attachment> | Related image attachment to sign (sbom), default none |
--attachment-tag-prefix <attachment-tag-prefix> | Optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]` |
--cert <cert> | Path to the x509 certificate to include in the Signature |
--force, -f | Skip warnings and confirmations |
--fulcio-url <fulcio-url> | [EXPERIMENTAL] address of the Sigstore PKI server (Fulcio) |
--identity-token <identity-token> | [EXPERIMENTAL] identity token to use to obtain a certificate from Fulcio |
--insecure-skip-verify | [EXPERIMENTAL] skip verifying the SCT for the Fulcio certificate (this should only be used for testing) |
--k8s-keychain | Whether to use the Kubernetes keychain instead of the default keychain (supports workload identity) |
--key <key> | Path to the private key file, KMS URI or Kubernetes Secret |
--oidc-client-id <oidc-client-id> | [EXPERIMENTAL] OIDC client ID for application |
--oidc-client-secret <oidc-client-secret> | [EXPERIMENTAL] OIDC client secret for application |
--oidc-issuer <oidc-issuer> | [EXPERIMENTAL] OIDC provider to be used to issue ID token |
--output-certificate <output-certificate> | Write the certificate to FILE |
--output-signature <output-signature> | Write the signature to FILE |
--payload <payload> | Path to a payload file to use rather than generating one |
--recursive, -r | If a multi-arch image is specified, additionally sign each discrete image |
--rekor-url <rekor-url> | [EXPERIMENTAL] address of the Rekor STL server |
--sk | Whether to use a hardware security key |
--slot <slot> | Security key slot to use for generated key (default: signature). One of: authentication, signature, card-authentication, key-management |
--upload | Whether to upload the signature |
--help, -h | Help for sign |