artifact sign
Use the
artifact sign command to sign container images and build artifacts in the CI pipeline.Use the artifact [ sign \| verify ] command to sign and verify container images and other build artifacts.
Usage
To sign an artifact, use the following command:
endorctl artifact sign --name <artifact> --source-repository-ref <ref> --certificate-oidc-issuer <issuer>
To verify a signed artifact, use the following command:
endorctl verify --name <artifact> --certificate-oidc-issuer <issuer>`
To revoke a signature, use the following command:
endorctl artifact revoke-signature --name <artifact> --source-repository-ref <ref>
Options
You can use the following flags and environment variables:
For endorctl artifact sign
| Flags | Environment Variables | Description |
|---|---|---|
--name string |
ENDOR_ARTIFACT_NAME |
Name of the artifact. For example, ghcr.io/org/image@sha256:digest. |
--build-config-digest string |
ENDOR_ARTIFACT_BUILD_CONFIG_DIGEST |
Specific version of top-level/initiating build instructions. For example, workflow sha. |
--build-config-name |
ENDOR_ARTIFACT_BUILD_CONFIG_NAME |
Name of top-level/initiating build instructions. For example, workflow. |
--certificate-oidc-issuer |
ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER |
Name of the OIDC issuer present in a valid certificate. |
--certificate-identity |
ENDOR_ARTIFACT_CERTIFICATE_IDENTITY |
Name of the identity present in a valid certificate. |
--runner-environment string |
ENDOR_ARTIFACT_RUNNER_ENVIRONMENT |
Name of platform-hosted or self-hosted infrastructure. For example, self-hosted. |
--source-repository string |
ENDOR_ARTIFACT_SOURCE_REPOSITORY |
Source repository that the build was based upon. For example, org/repo. |
--source-repository-digest string |
ENDOR_ARTIFACT_SOURCE_REPOSITORY_DIGEST |
Specific version of the source code that the build was based upon. For example, commit sha. |
--source-repository-owner string |
ENDOR_ARTIFACT_SOURCE_REPOSITORY_OWNER |
Owner of the source repository that the build was based upon. For example, my-org. |
--source-repository-ref string (mandatory) |
ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF |
Source repository ref that the build run was based upon. |
For endorctl artifact verify
| Flags | Environment Variables | Description |
|---|---|---|
--name <name> |
ENDOR_ARTIFACT_NAME |
The name of the artifact to verify. |
--certificate-oidc-issuer <issuer> |
ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER |
The issuer of the OIDC certificate used for verification. |
For endorctl artifact [revoke-signature ]
| Flags | Environment Variables | Description |
|---|---|---|
--name string |
ENDOR_ARTIFACT_NAME |
The name of the artifact whose signature needs to be revoked. |
--source-repository-ref string (mandatory) |
ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF |
Reference to the source repository of the artifact. |
Feedback
Was this page helpful? Send your feedback to support@endor.ai