artifact sign

Use the artifact sign command to sign container images and build artifacts in the CI pipeline.

Use the artifact [sign | verify] command to sign and verify container images and other build artifacts.

Usage

To sign an artifact, use the following command:

endorctl artifact sign --name <artifact> --source-repository-ref <ref> --certificate-oidc-issuer <issuer>

To verify a signed artifact, use the following command:

endorctl artifact verify --name <artifact> --certificate-oidc-issuer <issuer>

To revoke a signature, use the following command:

endorctl artifact revoke-signature --name <artifact> --source-repository-ref <ref>

Options

You can use the following flags and environment variables:

For endorctl artifact sign

| Flags | Environment Variables | Description |
|---|---|---|
| --name string | ENDOR_ARTIFACT_NAME | Name of the artifact. For example, ghcr.io/org/image@sha256:digest. |
| --build-config-digest string | ENDOR_ARTIFACT_BUILD_CONFIG_DIGEST | Specific version of top-level/initiating build instructions. For example, workflow sha. |
| --build-config-name | ENDOR_ARTIFACT_BUILD_CONFIG_NAME | Name of top-level/initiating build instructions. For example, workflow. |
| --certificate-oidc-issuer | ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER | Name of the OIDC issuer present in a valid certificate. |
| --certificate-identity | ENDOR_ARTIFACT_CERTIFICATE_IDENTITY | Name of the identity present in a valid certificate. |
| --runner-environment string | ENDOR_ARTIFACT_RUNNER_ENVIRONMENT | Name of platform-hosted or self-hosted infrastructure. For example, self-hosted. |
| --source-repository string | ENDOR_ARTIFACT_SOURCE_REPOSITORY | Source repository that the build was based upon. For example, org/repo. |
| --source-repository-digest string | ENDOR_ARTIFACT_SOURCE_REPOSITORY_DIGEST | Specific version of the source code that the build was based upon. For example, commit sha. |
| --source-repository-owner string | ENDOR_ARTIFACT_SOURCE_REPOSITORY_OWNER | Owner of the source repository that the build was based upon. For example, my-org. |
| --source-repository-ref string (mandatory) | ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF | Source repository ref that the build run was based upon. |

For endorctl artifact verify

| Flags | Environment Variables | Description |
|---|---|---|
| --name <name> | ENDOR_ARTIFACT_NAME | The name of the artifact to verify. |
| --certificate-oidc-issuer <issuer> | ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER | The issuer of the OIDC certificate used for verification. |

For endorctl artifact revoke-signature

| Flags | Environment Variables | Description |
|---|---|---|
| --name string | ENDOR_ARTIFACT_NAME | The name of the artifact whose signature needs to be revoked. |
| --source-repository-ref string (mandatory) | ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF | Reference to the source repository of the artifact. |
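
As an added example (not taken from the endorctl documentation), the wrapper below prepares a CI job for the sign and verify commands: it refuses artifact names that are not pinned by a sha256 digest and fills the documented ENDOR_ARTIFACT_* variables from the CI context. It assumes GitHub Actions (the standard GITHUB_* variables and its OIDC token issuer); the function names are hypothetical.

```bash
# Added example, not Endor Labs code. Assumes GitHub Actions (standard GITHUB_*
# variables); the function names are hypothetical.

# Issuer of GitHub Actions OIDC tokens (assumed to be the signing identity's issuer).
GHA_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Succeed only for registry/repo@sha256:<64 lowercase hex>. A tag such as :latest
# is mutable, so a signature on it says nothing about the bytes deployed later.
is_digest_pinned() {
  case "$1" in *[[:space:]]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'
}

# Export the documented ENDOR_ARTIFACT_* variables from the CI context.
# Returns 1 for an unpinned name, 2 when the mandatory ref is unavailable.
prepare_sign_env() {
  if ! is_digest_pinned "$1"; then
    echo "refusing to sign unpinned reference: $1" >&2
    return 1
  fi
  if [ -z "${GITHUB_REF:-}" ]; then
    echo "GITHUB_REF is empty; --source-repository-ref is mandatory" >&2
    return 2
  fi
  export ENDOR_ARTIFACT_NAME="$1"
  export ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF="$GITHUB_REF"
  export ENDOR_ARTIFACT_SOURCE_REPOSITORY="${GITHUB_REPOSITORY:-}"
  export ENDOR_ARTIFACT_SOURCE_REPOSITORY_OWNER="${GITHUB_REPOSITORY_OWNER:-}"
  export ENDOR_ARTIFACT_SOURCE_REPOSITORY_DIGEST="${GITHUB_SHA:-}"
  export ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER="$GHA_OIDC_ISSUER"
}

# Sign, then verify at once so an unverifiable signature fails the job.
sign_and_verify() {
  prepare_sign_env "$1" || return
  endorctl artifact sign --name "$ENDOR_ARTIFACT_NAME" \
    --source-repository-ref "$ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF" \
    --certificate-oidc-issuer "$ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER" || return
  endorctl artifact verify --name "$ENDOR_ARTIFACT_NAME" \
    --certificate-oidc-issuer "$ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER"
}

# Run only when called with an artifact name, e.g. ./sign.sh "$IMAGE@$DIGEST".
if [ "$#" -gt 0 ]; then sign_and_verify "$1"; fi
```

The mandatory flags are passed explicitly as in the usage lines, while the optional provenance fields reach endorctl through the environment variables listed in the tables.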