[feature] add hauler equivalent of cosign verify #395
Comments
```text
zackbradys@Zacks-MacBook-Pro Downloads % cosign verify --help
Verify signature and annotations on an image by checking the claims
against the transparency log.

Usage:
  cosign verify [flags]

Examples:
  cosign verify --key <key path>|<key url>|<kms uri> <image uri> [<image uri> ...]

  # verify cosign claims and signing certificates on the image with the transparency log
  cosign verify <IMAGE>

  # verify multiple images
  cosign verify <IMAGE_1> <IMAGE_2> ...

  # additionally verify specified annotations
  cosign verify -a key1=val1 -a key2=val2 <IMAGE>

  # verify image with an on-disk public key
  cosign verify --key cosign.pub <IMAGE>

  # verify image with an on-disk public key, manually specifying the
  # signature digest algorithm
  cosign verify --key cosign.pub --signature-digest-algorithm sha512 <IMAGE>

  # verify image with an on-disk signed image from 'cosign save'
  cosign verify --key cosign.pub --local-image <PATH>

  # verify image with local certificate and certificate chain
  cosign verify --cert cosign.crt --cert-chain chain.crt <IMAGE>

  # verify image with local certificate and certificate bundles of CA roots
  # and (optionally) CA intermediates
  cosign verify --cert cosign.crt --ca-roots ca-roots.pem --ca-intermediates ca-intermediates.pem <IMAGE>

  # verify image using keyless verification with the given certificate
  # chain and identity parameters, without Fulcio roots (for BYO PKI):
  cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] <IMAGE>

  # verify image with public key provided by URL
  cosign verify --key https://host.for/[FILE] <IMAGE>

  # verify image with a key stored in an environment variable
  cosign verify --key env://[ENV_VAR] <IMAGE>

  # verify image with public key stored in Google Cloud KMS
  cosign verify --key gcpkms://projects/[PROJECT]/locations/global/keyRings/[KEYRING]/cryptoKeys/[KEY] <IMAGE>

  # verify image with public key stored in Hashicorp Vault
  cosign verify --key hashivault://[KEY] <IMAGE>

  # verify image with public key stored in a Kubernetes secret
  cosign verify --key k8s://[NAMESPACE]/[KEY] <IMAGE>

  # verify image with public key stored in GitLab with project name
  cosign verify --key gitlab://[OWNER]/[PROJECT_NAME] <IMAGE>

  # verify image with public key stored in GitLab with project id
  cosign verify --key gitlab://[PROJECT_ID] <IMAGE>

Flags:
      --allow-http-registry=false:
        whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing

      --allow-insecure-registry=false:
        whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates).
        Don't use this for anything but testing

  -a, --annotations=[]:
        extra key=value pairs to sign

      --attachment='':
        DEPRECATED, related image attachment to verify (sbom), default none

      --attachment-tag-prefix='':
        optional custom prefix to use for attached image tags. Attachment images are tagged as:
        `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]`

      --ca-intermediates='':
        path to a file of intermediate CA certificates in PEM format which will be needed when building the
        certificate chains for the signing certificate. The flag is optional and must be used together with
        --ca-roots, conflicts with --certificate-chain.

      --ca-roots='':
        path to a bundle file of CA certificates in PEM format which will be needed when building the certificate
        chains for the signing certificate. Conflicts with --certificate-chain.

      --certificate='':
        path to the public certificate. The certificate will be verified against the Fulcio roots if the
        --certificate-chain option is not passed.

      --certificate-chain='':
        path to a list of CA certificates in PEM format which will be needed when building the certificate chain for
        the signing certificate. Must start with the parent intermediate CA certificate of the signing certificate and
        end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.

      --certificate-github-workflow-name='':
        contains the workflow claim from the GitHub OIDC Identity token that contains the name of the executed
        workflow.

      --certificate-github-workflow-ref='':
        contains the ref claim from the GitHub OIDC Identity token that contains the git ref that the workflow run was
        based upon.

      --certificate-github-workflow-repository='':
        contains the repository claim from the GitHub OIDC Identity token that contains the repository that the
        workflow run was based upon

      --certificate-github-workflow-sha='':
        contains the sha claim from the GitHub OIDC Identity token that contains the commit SHA that the workflow run
        was based upon.

      --certificate-github-workflow-trigger='':
        contains the event_name claim from the GitHub OIDC Identity token that contains the name of the event that
        triggered the workflow run

      --certificate-identity='':
        The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP
        addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless
        flows.

      --certificate-identity-regexp='':
        A regular expression alternative to --certificate-identity. Accepts the Go regular expression syntax described
        at https://golang.org/s/re2syntax. Either --certificate-identity or --certificate-identity-regexp must be set
        for keyless flows.

      --certificate-oidc-issuer='':
        The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or
        https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be
        set for keyless flows.

      --certificate-oidc-issuer-regexp='':
        A regular expression alternative to --certificate-oidc-issuer. Accepts the Go regular expression syntax
        described at https://golang.org/s/re2syntax. Either --certificate-oidc-issuer or
        --certificate-oidc-issuer-regexp must be set for keyless flows.

      --check-claims=true:
        whether to check the claims found

      --experimental-oci11=false:
        set to true to enable experimental OCI 1.1 behaviour

  -h, --help=false:
        help for verify

      --insecure-ignore-sct=false:
        when set, verification will not check that a certificate contains an embedded SCT, a proof of inclusion in a
        certificate transparency log

      --insecure-ignore-tlog=false:
        ignore transparency log verification, to be used when an artifact signature has not been uploaded to the
        transparency log. Artifacts cannot be publicly verified when not included in a log

      --k8s-keychain=false:
        whether to use the kubernetes keychain instead of the default keychain (supports workload identity).

      --key='':
        path to the public key file, KMS URI or Kubernetes Secret

      --local-image=false:
        whether the specified image is a path to an image saved locally via 'cosign save'

      --max-workers=10:
        the amount of maximum workers for parallel executions

      --offline=false:
        only allow offline verification

  -o, --output='json':
        output format for the signing image information (json|text)

      --payload='':
        payload path or remote URL

      --private-infrastructure=false:
        skip transparency log verification when verifying artifacts in a privately deployed infrastructure

      --registry-password='':
        registry basic auth password

      --registry-token='':
        registry bearer auth token

      --registry-username='':
        registry basic auth username

      --rekor-url='https://rekor.sigstore.dev':
        address of rekor STL server

      --sct='':
        path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. If a
        certificate contains an SCT, verification will check both the detached and embedded SCTs.

      --signature='':
        signature content or path or remote URL

      --signature-digest-algorithm='sha256':
        digest algorithm to use when processing a signature (sha224|sha256|sha384|sha512)

      --sk=false:
        whether to use a hardware security key

      --slot='':
        security key slot to use for generated key (default: signature)
        (authentication|signature|card-authentication|key-management)

      --timestamp-certificate-chain='':
        path to PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must contain the root CA
        certificate. Optionally may contain intermediate CA certificates, and may contain the leaf TSA certificate if
        not present in the timestamp

      --use-signed-timestamps=false:
        use signed timestamps if available

Global Flags:
      --output-file string   log output to a file
  -t, --timeout duration     timeout for commands (default 3m0s)
  -d, --verbose              log debug output
```
The Carbide docs currently walk through verifying images using cosign: https://rancherfederal.github.io/carbide-docs/docs/registry-docs/validating-images

It would be great if there was equivalent functionality in hauler, so customers could use it as their single command line tool for CSR.
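Whatever tool runs the verification, the claims it prints still have to be compared against what you actually intend to deploy. The example below is added here and is not hauler or cosign code: it takes the JSON array that `cosign verify -o json` emits (one simple-signing payload per verified signature, a constructed sample is embedded) and applies the same acceptance rule cosign uses for `--check-claims` and `-a key=val`, accepting the image only if at least one verified payload names the expected repository, the pinned digest, and every required annotation.

```python
"""Check `cosign verify -o json` claims against the image we intend to deploy."""
import json

# Constructed sample of the array cosign verify -o json prints (not real output).
SAMPLE_VERIFY_OUTPUT = json.dumps([
    {
        "critical": {
            "identity": {"docker-reference": "registry.example.com/team/app"},
            "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
            "type": "cosign container image signature",
        },
        # Annotations passed at signing time land in the optional section.
        "optional": {"env": "prod", "team": "platform"},
    }
])


def matching_payloads(output, expected_repo, expected_digest, annotations=None):
    """Return the indices of verified payloads whose claims all match.

    Verification should be treated as passed only when this list is non-empty:
    the signed payload must name the repository and the digest we pin (never
    trust the tag alone, it can move), and each required key=value annotation
    must be present with the same value, mirroring cosign's -a flag.
    """
    required = annotations or {}
    accepted = []
    for i, payload in enumerate(json.loads(output)):
        critical = payload.get("critical", {})
        repo = critical.get("identity", {}).get("docker-reference")
        digest = critical.get("image", {}).get("docker-manifest-digest")
        optional = payload.get("optional") or {}
        if repo != expected_repo or digest != expected_digest:
            continue
        if any(optional.get(k) != v for k, v in required.items()):
            continue
        accepted.append(i)
    return accepted


if __name__ == "__main__":
    ok = matching_payloads(SAMPLE_VERIFY_OUTPUT, "registry.example.com/team/app",
                           "sha256:" + "ab" * 32, {"env": "prod"})
    print("verified" if ok else "REJECT: no payload matched the pinned claims")
```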