Generates (unsigned) signature payloads from the supplied container image.
Generates an unsigned payload from the supplied container image and flags. This payload matches the one generated by the "cosign sign" command and can be used if you need to sign payloads with your own tooling or algorithms.
cosign generate [flags]
cosign generate [--a key=value] <image uri>
# Generate a simple payload for an image
cosign generate <IMAGE>
# Generate a payload with specific annotations
cosign generate -a foo=bar <IMAGE>
# Use this payload in another tool
gpg --output image.sig --detach-sig <(cosign generate <IMAGE>)
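The "sign with your own tooling" flow above, as an added example that is not part of cosign: reproduce the simple-signing JSON that `cosign generate` emits, sign it with openssl using cosign's default scheme (ECDSA P-256 over SHA-256, signature kept base64-encoded), and verify the detached signature locally before it is attached. Assumed: openssl on PATH; the image reference and digest values are constructed, and `build_payload` handles a single unescaped annotation.

```shell
#!/bin/sh
# Added example, not cosign's own code: build the payload `cosign generate` emits,
# sign it with openssl (ECDSA P-256 / SHA-256, cosign's default) and verify it.
# Assumptions: openssl is on PATH; image reference and digest are constructed.
set -eu

# Reproduce the layout of `cosign generate [-a key=value] <image>`:
# critical.identity.docker-reference, critical.image.docker-manifest-digest,
# critical.type, and optional (null when no annotation is given).
# Supports one key=value annotation and does no JSON escaping of its value.
build_payload() {
  ref=$1; digest=$2; annotation=${3:-}
  if [ -n "$annotation" ]; then
    optional="{\"${annotation%%=*}\":\"${annotation#*=}\"}"
  else
    optional=null
  fi
  printf '{"critical":{"identity":{"docker-reference":"%s"},"image":{"docker-manifest-digest":"%s"},"type":"cosign container image signature"},"optional":%s}' \
    "$ref" "$digest" "$optional"
}

# Generate an ECDSA P-256 key pair: $1 = private key PEM, $2 = public key PEM.
make_keypair() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1" 2>/dev/null
  openssl ec -in "$1" -pubout -out "$2" 2>/dev/null
}

# Sign the payload file ($1) with the private key ($2); prints the DER
# signature base64-encoded on one line, the form cosign stores for signatures.
sign_payload() {
  openssl dgst -sha256 -sign "$2" "$1" | base64 | tr -d '\n'
}

# Verify a base64 signature ($3) over the payload file ($1) with the public
# key ($2). Returns non-zero if the payload was altered after signing.
verify_payload() {
  sigfile=$(mktemp)
  printf '%s' "$3" | base64 -d > "$sigfile"
  if openssl dgst -sha256 -verify "$2" -signature "$sigfile" "$1" >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$sigfile"
  return $rc
}
```

Once the signature verifies locally, the same payload and base64 signature can be attached with `cosign attach signature --payload payload.json --signature payload.b64 <IMAGE>` and checked end to end with `cosign verify --key cosign-pub.pem <IMAGE>`.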
--allow-http-registry whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing
--allow-insecure-registry whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing
-a, --annotations strings extra key=value pairs to sign
--attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
-h, --help help for generate
--k8s-keychain whether to use the Kubernetes keychain instead of the default keychain (supports workload identity).
--registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry
--registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry
--registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry
--registry-password string registry basic auth password
--registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry
--registry-token string registry bearer auth token
--registry-username string registry basic auth username
--output-file string log output to a file
-t, --timeout duration timeout for commands (default 3m0s)
-d, --verbose log debug output
- cosign - A tool for Container Signing, Verification and Storage in an OCI registry.