artifact sign

Use the artifact sign command to sign container images and build artifacts in the CI pipeline.

Use the artifact [sign | verify] command to sign and verify container images and other build artifacts.

Usage

To sign an artifact, use the following command:

endorctl artifact sign --name <artifact> --source-repository-ref <ref> --certificate-oidc-issuer <issuer>

To verify a signed artifact, use the following command:

endorctl artifact verify --name <artifact> --certificate-oidc-issuer <issuer>

To revoke a signature, use the following command:

endorctl artifact revoke-signature --name <artifact> --source-repository-ref <ref>

Options

You can use the following flags and environment variables:

For endorctl artifact sign

| Flags | Environment Variables | Description |
|---|---|---|
| `--name string` | `ENDOR_ARTIFACT_NAME` | Name of the artifact. For example, ghcr.io/org/image@sha256:digest. |
| `--build-config-digest string` | `ENDOR_ARTIFACT_BUILD_CONFIG_DIGEST` | Specific version of top-level/initiating build instructions. For example, workflow sha. |
| `--build-config-name` | `ENDOR_ARTIFACT_BUILD_CONFIG_NAME` | Name of top-level/initiating build instructions. For example, workflow. |
| `--certificate-oidc-issuer` | `ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER` | Name of the OIDC issuer present in a valid certificate. |
| `--certificate-identity` | `ENDOR_ARTIFACT_CERTIFICATE_IDENTITY` | Name of the identity present in a valid certificate. |
| `--runner-environment string` | `ENDOR_ARTIFACT_RUNNER_ENVIRONMENT` | Name of platform-hosted or self-hosted infrastructure. For example, self-hosted. |
| `--source-repository string` | `ENDOR_ARTIFACT_SOURCE_REPOSITORY` | Source repository that the build was based upon. For example, org/repo. |
| `--source-repository-digest string` | `ENDOR_ARTIFACT_SOURCE_REPOSITORY_DIGEST` | Specific version of the source code that the build was based upon. For example, commit sha. |
| `--source-repository-owner string` | `ENDOR_ARTIFACT_SOURCE_REPOSITORY_OWNER` | Owner of the source repository that the build was based upon. For example, my-org. |
| `--source-repository-ref string` (mandatory) | `ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF` | Source repository ref that the build run was based upon. |

For endorctl artifact verify

| Flags | Environment Variables | Description |
|---|---|---|
| `--name <name>` | `ENDOR_ARTIFACT_NAME` | The name of the artifact to verify. |
| `--certificate-oidc-issuer <issuer>` | `ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER` | The issuer of the OIDC certificate used for verification. |

For endorctl artifact revoke-signature

| Flags | Environment Variables | Description |
|---|---|---|
| `--name string` | `ENDOR_ARTIFACT_NAME` | The name of the artifact whose signature needs to be revoked. |
| `--source-repository-ref string` (mandatory) | `ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF` | Reference to the source repository of the artifact. |
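
A CI signing step built from the flags and environment variables listed above, as an added example that is not part of the endorctl documentation: it refuses to sign unless the artifact name is pinned to a sha256 digest and the mandatory ref is set, then verifies against the same issuer. The digest-pinning rule is this example's own policy (a tag can be re-pointed after signing), the function names are hypothetical, and the verify call uses the `endorctl artifact verify` form named in the options section.

```shell
#!/bin/sh
# Added example: pre-flight checks around the sign and verify commands.
# The digest-pinning rule is this example's policy, not an endorctl
# requirement stated on the page. Function names are hypothetical.

# Succeeds only for names of the form <registry/path>@sha256:<64 hex chars>.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# Checks the variables the sign command needs; reports the first problem.
sign_preflight() {
    if [ -z "${ENDOR_ARTIFACT_NAME:-}" ]; then
        echo "ENDOR_ARTIFACT_NAME is not set" >&2; return 1
    fi
    if ! is_digest_pinned "$ENDOR_ARTIFACT_NAME"; then
        echo "artifact name is not pinned to a sha256 digest" >&2; return 1
    fi
    if [ -z "${ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF:-}" ]; then
        echo "ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF is mandatory" >&2; return 1
    fi
    if [ -z "${ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER:-}" ]; then
        echo "ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER is not set" >&2; return 1
    fi
}

# Signs, then verifies with the same issuer, so a signature that does not
# verify fails the job.
sign_and_verify() {
    sign_preflight || return 1
    endorctl artifact sign \
        --name "$ENDOR_ARTIFACT_NAME" \
        --source-repository-ref "$ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF" \
        --certificate-oidc-issuer "$ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER" \
        || return 1
    endorctl artifact verify \
        --name "$ENDOR_ARTIFACT_NAME" \
        --certificate-oidc-issuer "$ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER"
}

# Run the step only when the script is called with the argument "run".
if [ "${1:-}" = "run" ]; then
    sign_and_verify
fi
```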