artifact sign
Use the artifact sign command to sign container images and build artifacts in the CI pipeline. Use the artifact [ sign | verify ] command to sign and verify container images and other build artifacts.
Usage
To sign an artifact, use the following command.
endorctl artifact sign --name <artifact> --source-repository-ref <ref> --certificate-oidc-issuer <issuer>
To verify a signed artifact, use the following command.
endorctl artifact verify --name <artifact> --certificate-oidc-issuer <issuer>
To revoke a signature, use the following command.
endorctl artifact revoke-signature --name <artifact> --source-repository-ref <ref>
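An added example (not from the Endor Labs documentation): a CI wrapper that refuses to sign an artifact reference that is not pinned to a sha256 digest, then runs the sign and verify commands shown above. The function names, the digest preflight check and the exit codes are assumptions of this example, which also assumes endorctl is on PATH and already authenticated.

```bash
#!/usr/bin/env bash
# Added example, not Endor Labs code. Function names and exit codes are assumptions.

# Succeeds only if the reference ends in @sha256:<64 lowercase hex characters>.
# A tag such as :latest can later point at a different image than the one signed.
is_digest_pinned() {
  case "$1" in
    *@sha256:*) ;;
    *) return 1 ;;
  esac
  digest="${1##*@sha256:}"
  [ "${#digest}" -eq 64 ] || return 1
  case "$digest" in
    *[!0123456789abcdef]*) return 1 ;;
  esac
  return 0
}

# sign_and_verify <artifact> <source-repository-ref> <oidc-issuer>
# Returns 2 on a failed preflight check, 1 if endorctl sign or verify fails.
sign_and_verify() {
  artifact="$1"; ref="$2"; issuer="$3"
  if ! is_digest_pinned "$artifact"; then
    echo "refusing to sign: '$artifact' is not pinned to a sha256 digest" >&2
    return 2
  fi
  if [ -z "$ref" ] || [ -z "$issuer" ]; then
    echo "source repository ref and OIDC issuer are both required" >&2
    return 2
  fi
  endorctl artifact sign --name "$artifact" \
    --source-repository-ref "$ref" \
    --certificate-oidc-issuer "$issuer" || return 1
  # Verify immediately with the same issuer so a bad signature fails this job,
  # not a later deployment.
  endorctl artifact verify --name "$artifact" \
    --certificate-oidc-issuer "$issuer" || return 1
}

# Example call in a GitHub Actions step (the CI system is an assumption of this example):
# sign_and_verify "$ENDOR_ARTIFACT_NAME" "$GITHUB_REF" "https://token.actions.githubusercontent.com"
```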
Options
You can use the following flags and environment variables:
For endorctl artifact sign
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
| name | ENDOR_ARTIFACT_NAME | string | Name of the artifact. For example, ghcr.io/org/image@sha256:digest. |
| build-config-digest | ENDOR_ARTIFACT_BUILD_CONFIG_DIGEST | string | Specific version of the top-level build instructions. For example, workflow sha. |
| build-config-name | ENDOR_ARTIFACT_BUILD_CONFIG_NAME | string | Name of the top-level build instructions. For example, workflow. |
| certificate-oidc-issuer | ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER | string | OIDC issuer name from a valid certificate. |
| certificate-identity | ENDOR_ARTIFACT_CERTIFICATE_IDENTITY | string | Identity name from a valid certificate. |
| runner-environment | ENDOR_ARTIFACT_RUNNER_ENVIRONMENT | string | Name of the hosting platform or self-hosted infrastructure. For example, self-hosted. |
| source-repository | ENDOR_ARTIFACT_SOURCE_REPOSITORY | string | Source repository for the build. For example, org/repo. |
| source-repository-digest | ENDOR_ARTIFACT_SOURCE_REPOSITORY_DIGEST | string | Specific version of the source code for the build. For example, commit sha. |
| source-repository-owner | ENDOR_ARTIFACT_SOURCE_REPOSITORY_OWNER | string | Owner of the source repository for the build. For example, my-org. |
| source-repository-ref (mandatory) | ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF | string | Source repository ref for the build run. |
For endorctl artifact verify
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
| name <name> | ENDOR_ARTIFACT_NAME | string | The name of the artifact to verify. |
| certificate-oidc-issuer <issuer> | ENDOR_ARTIFACT_CERTIFICATE_OIDC_ISSUER | string | OIDC certificate issuer used to verify the artifact. |
For endorctl artifact revoke-signature
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
| name | ENDOR_ARTIFACT_NAME | string | The name of the artifact whose signature you want to revoke. |
| source-repository-ref (mandatory) | ENDOR_ARTIFACT_SOURCE_REPOSITORY_REF | string | Reference to the source repository of the artifact. |