cosign sign-blob

Sign the supplied blob, outputting the base64-encoded signature to stdout


--output-file <output-file>Log output to a file
--timeout, -t <timeout>Timeout for commands
--verbose, -dLog debug output
--allow-insecure-registryWhether to allow insecure connections to registries. Don't use this for anything but testing
--attachment-tag-prefix <attachment-tag-prefix>Optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]`
--b64Whether to base64 encode the output
--bundle <bundle>Write everything required to verify the blob to a FILE
--fulcio-url <fulcio-url>[EXPERIMENTAL] address of sigstore PKI server
--identity-token <identity-token>[EXPERIMENTAL] identity token to use for certificate from fulcio
--insecure-skip-verify[EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing)
--k8s-keychainWhether to use the kubernetes keychain instead of the default keychain (supports workload identity)
--key <key>Path to the private key file, KMS URI or Kubernetes Secret
--oidc-client-id <oidc-client-id>[EXPERIMENTAL] OIDC client ID for application
--oidc-client-secret <oidc-client-secret>[EXPERIMENTAL] OIDC client secret for application
--oidc-issuer <oidc-issuer>[EXPERIMENTAL] OIDC provider to be used to issue ID token
--output <output>Write the signature to FILE
--output-certificate <output-certificate>Write the certificate to FILE
--output-signature <output-signature>Write the signature to FILE
--rekor-url <rekor-url>[EXPERIMENTAL] address of rekor STL server
--skWhether to use a hardware security key
--slot <slot>Security key slot to use for generated key (default: signature) (authentication|signature|card-authentication|key-management)
--help, -hHelp for sign-blob