cosign sign-blob
Sign the supplied blob, outputting the base64-encoded signature to stdout
Options
| Name | Description |
|---|---|
--output-file <output-file> | Log output to a file |
--timeout, -t <timeout> | Timeout for commands |
--verbose, -d | Log debug output |
--allow-insecure-registry | Whether to allow insecure connections to registries. Don't use this for anything but testing |
--attachment-tag-prefix <attachment-tag-prefix> | Optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]` |
--b64 | Whether to base64 encode the output |
--bundle <bundle> | Write everything required to verify the blob to a FILE |
--fulcio-url <fulcio-url> | [EXPERIMENTAL] address of sigstore PKI server |
--identity-token <identity-token> | [EXPERIMENTAL] identity token to use for certificate from fulcio |
--insecure-skip-verify | [EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing) |
--k8s-keychain | Whether to use the kubernetes keychain instead of the default keychain (supports workload identity) |
--key <key> | Path to the private key file, KMS URI or Kubernetes Secret |
--oidc-client-id <oidc-client-id> | [EXPERIMENTAL] OIDC client ID for application |
--oidc-client-secret <oidc-client-secret> | [EXPERIMENTAL] OIDC client secret for application |
--oidc-issuer <oidc-issuer> | [EXPERIMENTAL] OIDC provider to be used to issue ID token |
--output <output> | Write the signature to FILE |
--output-certificate <output-certificate> | Write the certificate to FILE |
--output-signature <output-signature> | Write the signature to FILE |
--rekor-url <rekor-url> | [EXPERIMENTAL] address of rekor STL server |
--sk | Whether to use a hardware security key |
--slot <slot> | Security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management) |
--help, -h | Help for sign-blob |