cosign verify
Verify a signature on the supplied container image
Options
Name | Description |
---|---|
--output-file <output-file> | Log output to a file |
--timeout, -t <timeout> | Timeout for commands |
--verbose, -d | Log debug output |
--allow-insecure-registry | Whether to allow insecure connections to registries. Don't use this for anything but testing |
--annotations, -a <annotations> | Extra key=value pairs to sign |
--attachment <attachment> | Related image attachment to sign (sbom), default none |
--attachment-tag-prefix <attachment-tag-prefix> | Optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]` |
--cert <cert> | Path to the public certificate |
--cert-email <cert-email> | The email expected in a valid Fulcio certificate |
--cert-oidc-issuer <cert-oidc-issuer> | The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or https://oauth2.sigstore.dev/auth |
--check-claims | Whether to check the claims found |
--k8s-keychain | Whether to use the Kubernetes keychain instead of the default keychain (supports workload identity) |
--key <key> | Path to the public key file, KMS URI or Kubernetes Secret |
--local-image | Whether the specified image is a path to an image saved locally via 'cosign save' |
--output, -o <output> | Output format for the signing image information (json\|text) |
--rekor-url <rekor-url> | [EXPERIMENTAL] address of rekor STL server |
--signature <signature> | Signature content or path or remote URL |
--signature-digest-algorithm <signature-digest-algorithm> | Digest algorithm to use when processing a signature (sha224\|sha256\|sha384\|sha512) |
--sk | Whether to use a hardware security key |
--slot <slot> | Security key slot to use for generated key (default: signature) (authentication\|signature\|card-authentication\|key-management) |
--help, -h | Help for verify |