notation sign

Sign artifacts

Synopsis

Note: a signing key must be specified. This can be done temporarily by specifying a key ID, or a new key can be configured using the command "notation key add".

Example - Sign an OCI artifact using the default signing key, with the default JWS envelope, and use OCI image manifest to store the signature:

notation sign <registry>/<repository>@<digest>

Example - Sign an OCI artifact using the default signing key, with the COSE envelope:

notation sign --signature-format cose <registry>/<repository>@<digest>

Example - Sign an OCI artifact with a specified plugin and signing key stored in KMS:

notation sign --plugin <plugin_name> --id <remote_key_id> <registry>/<repository>@<digest>

Example - Sign an OCI artifact using a specified key:

notation sign --key <key_name> <registry>/<repository>@<digest>

Example - Sign an OCI artifact identified by a tag (Notation will resolve the tag to a digest):

notation sign <registry>/<repository>:<tag>

Example - Sign an OCI artifact stored in a registry and specify the signature expiry duration, for example 24 hours:

notation sign --expiry 24h <registry>/<repository>@<digest>

Example - [Experimental] Sign an OCI artifact referenced in an OCI layout:

notation sign --oci-layout "<oci_layout_path>@<digest>"

Example - [Experimental] Sign an OCI artifact identified by a tag and referenced in an OCI layout:

notation sign --oci-layout "<oci_layout_path>:<tag>"

Example - [Experimental] Sign an OCI artifact and use OCI artifact manifest to store the signature:

notation sign --signature-manifest artifact <registry>/<repository>@<digest>

General usage:

notation sign [flags] <reference>

Options

  -d, --debug                       debug mode
  -e, --expiry duration             optional expiry that provides a "best by use" time for the artifact. The duration is specified in minutes (m) and/or hours (h). For example: 12h, 30m, 3h20m
  -h, --help                        help for sign
      --id string                   key id (required if --plugin is set). This is mutually exclusive with the --key flag
  -k, --key string                  signing key name, for a key previously added to notation's key list. This is mutually exclusive with the --id and --plugin flags
  -p, --password string             password for registry operations (defaults to $NOTATION_PASSWORD if not specified)
      --plain-http                  registry access via plain HTTP
      --plugin string               signing plugin name (required if --id is set). This is mutually exclusive with the --key flag
      --plugin-config stringArray   {key}={value} pairs that are passed as-is to the plugin; refer to the plugin's documentation to set appropriate values
      --signature-format string     signature envelope format, options: "jws", "cose" (default "jws")
  -m, --user-metadata stringArray   {key}={value} pairs that are added to the signature payload
  -u, --username string             username for registry operations (defaults to $NOTATION_USERNAME if not specified)
  -v, --verbose                     verbose mode
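The flag constraints above (--key versus --plugin/--id, the expiry grammar, key=value metadata) are easy to get wrong in CI scripts, and a tag reference can be moved between build and signing. The POSIX sh wrapper below is an added example written for this page; it is not part of the notation project. It assumes environment variables of its own (NOTATION_BIN for the binary location, NOTATION_DRY_RUN=1 to print the command line instead of running it), and its refusal to sign anything but a sha256 digest reference is the wrapper's policy, not Notation's (Notation itself accepts tags and resolves them to digests).

```shell
#!/bin/sh
# Added example (not part of the notation project): a wrapper that checks the
# constraints documented for `notation sign` before invoking it.
#
# Assumptions of this example, not of notation itself:
#   - NOTATION_BIN names the notation binary (default: "notation" on PATH)
#   - NOTATION_DRY_RUN=1 prints the command line instead of running it
#   - references must be digest-pinned (this wrapper's own policy; notation
#     itself accepts tags and resolves them to digests)

# True when the reference is <registry>/<repository>@sha256:<64 hex digits>.
is_digest_ref() {
  printf '%s' "$1" | grep -Eq '^[^@[:space:]]+@sha256:[0-9a-f]{64}$'
}

# True when the expiry uses the documented grammar: minutes (m) and/or
# hours (h), e.g. 12h, 30m, 3h20m. Empty values are rejected.
is_valid_expiry() {
  [ -n "$1" ] && printf '%s' "$1" | grep -Eq '^([0-9]+h)?([0-9]+m)?$'
}

# Usage: notation_sign_pinned <reference> <key|-> <plugin|-> <id|-> <expiry|-> [key=value ...]
# "-" means "flag not given". The argument list is built in the positional
# parameters so values containing spaces are passed through intact.
notation_sign_pinned() {
  ref=$1; key=$2; plugin=$3; id=$4; expiry=$5
  shift 5

  is_digest_ref "$ref" || { echo "refusing to sign a non-digest reference: $ref" >&2; return 1; }

  # --key is mutually exclusive with --plugin/--id; --plugin and --id require each other.
  if [ "$key" != "-" ] && { [ "$plugin" != "-" ] || [ "$id" != "-" ]; }; then
    echo "--key cannot be combined with --plugin/--id" >&2; return 1
  fi
  if { [ "$plugin" != "-" ] && [ "$id" = "-" ]; } || { [ "$plugin" = "-" ] && [ "$id" != "-" ]; }; then
    echo "--plugin and --id must be given together" >&2; return 1
  fi
  if [ "$expiry" != "-" ] && ! is_valid_expiry "$expiry"; then
    echo "expiry must be minutes (m) and/or hours (h), e.g. 12h, 30m, 3h20m: $expiry" >&2; return 1
  fi
  for kv in "$@"; do
    case $kv in
      *=*) ;;
      *) echo "user metadata must be key=value: $kv" >&2; return 1 ;;
    esac
  done

  # Turn each remaining argument into a --user-metadata pair.
  n=$#; i=0
  while [ "$i" -lt "$n" ]; do
    set -- "$@" --user-metadata "$1"
    shift
    i=$((i + 1))
  done
  if [ "$expiry" != "-" ]; then set -- --expiry "$expiry" "$@"; fi
  if [ "$key" != "-" ]; then set -- --key "$key" "$@"; fi
  if [ "$plugin" != "-" ]; then set -- --plugin "$plugin" --id "$id" "$@"; fi
  set -- sign "$@" "$ref"

  if [ "${NOTATION_DRY_RUN:-0}" = 1 ]; then
    printf 'notation'; printf ' %s' "$@"; printf '\n'
    return 0
  fi
  "${NOTATION_BIN:-notation}" "$@"
}

# When run as a script, forward the arguments; sourcing the file only defines the functions.
if [ "$#" -gt 0 ]; then
  notation_sign_pinned "$@"
fi
```

Run it as `NOTATION_DRY_RUN=1 sh sign.sh <registry>/<repository>@sha256:<digest> mykey - - 24h env=prod` to see the command line it would execute, then drop the dry-run variable in the pipeline. Building the argument list in the positional parameters instead of a string avoids word-splitting surprises when a metadata value contains spaces.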