cosign sign

Sign the supplied container image

Options

| Name | Description |
| --- | --- |
| `--output-file <output-file>` | Log output to a file |
| `--timeout, -t <timeout>` | Timeout for commands |
| `--verbose, -d` | Log debug output |
| `--allow-insecure-registry` | Whether to allow insecure connections to registries. Don't use this for anything but testing |
| `--annotations, -a <annotations>` | Extra key=value pairs to sign |
| `--attachment <attachment>` | Related image attachment to sign (sbom), default none |
| `--attachment-tag-prefix <attachment-tag-prefix>` | Optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]` |
| `--cert <cert>` | Path to the x509 certificate to include in the Signature |
| `--force, -f` | Skip warnings and confirmations |
| `--fulcio-url <fulcio-url>` | [EXPERIMENTAL] address of sigstore PKI server |
| `--identity-token <identity-token>` | [EXPERIMENTAL] identity token to use for certificate from fulcio |
| `--insecure-skip-verify` | [EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing) |
| `--k8s-keychain` | Whether to use the kubernetes keychain instead of the default keychain (supports workload identity) |
| `--key <key>` | Path to the private key file, KMS URI or Kubernetes Secret |
| `--oidc-client-id <oidc-client-id>` | [EXPERIMENTAL] OIDC client ID for application |
| `--oidc-client-secret <oidc-client-secret>` | [EXPERIMENTAL] OIDC client secret for application |
| `--oidc-issuer <oidc-issuer>` | [EXPERIMENTAL] OIDC provider to be used to issue ID token |
| `--output-certificate <output-certificate>` | Write the certificate to FILE |
| `--output-signature <output-signature>` | Write the signature to FILE |
| `--payload <payload>` | Path to a payload file to use rather than generating one |
| `--recursive, -r` | If a multi-arch image is specified, additionally sign each discrete image |
| `--rekor-url <rekor-url>` | [EXPERIMENTAL] address of rekor STL server |
| `--sk` | Whether to use a hardware security key |
| `--slot <slot>` | Security key slot to use for generated key (default: signature) (authentication\|signature\|card-authentication\|key-management) |
| `--upload` | Whether to upload the signature |
| `--help, -h` | Help for sign |