Witness CLI Reference
This is the reference for the Witness command line tool, generated by Cobra.
witness attestors
List all available attestors
Synopsis
Lists all the available attestors in Witness with supporting information
witness attestors [flags]
Options
-h, --help help for attestors
Options inherited from parent commands
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
SEE ALSO
- witness - Collect and verify attestations about your build environments
witness run
Runs the provided command and records attestations about the execution
witness run [cmd] [flags]
Options
--archivista-server string URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io")
-a, --attestations strings Attestations to record ('product' and 'material' are always recorded) (default [environment,git])
--attestor-maven-pom-path string The path to the Project Object Model (POM) XML file used for the task being attested (default "pom.xml")
--attestor-product-exclude-glob string Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation.
--attestor-product-include-glob string Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation. (default "*")
--enable-archivista Use Archivista to store or retrieve attestations
--hashes strings Hashes selected for digest calculation. Defaults to SHA256 (default [sha256])
-h, --help help for run
-o, --outfile string File to which to write signed data. Defaults to stdout
--signer-file-cert-path string Path to the file containing the certificate for the private key
--signer-file-intermediate-paths strings Paths to files containing intermediates required to establish trust of the signer's certificate to a root
-k, --signer-file-key-path string Path to the file containing the private key
--signer-fulcio-oidc-client-id string OIDC client ID to use for authentication
--signer-fulcio-oidc-issuer string OIDC issuer to use for authentication
--signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
--signer-fulcio-token string Raw token string to use for authentication to Fulcio (cannot be used in conjunction with --signer-fulcio-token-path)
--signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to Fulcio (cannot be used in conjunction with --signer-fulcio-token)
--signer-fulcio-url string Fulcio address to sign with
--signer-kms-aws-config-file string The shared configuration file to use with the AWS KMS signer provider
--signer-kms-aws-credentials-file string The shared credentials file to use with the AWS KMS signer provider
--signer-kms-aws-insecure-skip-verify Skip verification of the server's certificate chain and host name
--signer-kms-aws-profile string The shared configuration profile to use with the AWS KMS signer provider
--signer-kms-aws-remote-verify Verify the signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
--signer-kms-gcp-credentials-file string The credentials file to use with the GCP KMS signer provider
--signer-kms-hashType string The hash type to use for signing (default "sha256")
--signer-kms-keyVersion string The key version to use for signing
--signer-kms-ref string The KMS Reference URI to use for connecting to the KMS service
--signer-spiffe-socket-path string Path to the SPIFFE Workload API Socket
--signer-vault-altnames strings Alt names to use for the generated certificate. All alt names must be allowed by the vault role policy
--signer-vault-commonname string Common name to use for the generated certificate. Must be allowed by the vault role policy
--signer-vault-namespace string Vault namespace to use
--signer-vault-pki-secrets-engine-path string Path to the Vault PKI Secrets Engine to use (default "pki")
--signer-vault-role string Name of the Vault role to generate the certificate for
--signer-vault-token string Token to use to connect to Vault
--signer-vault-ttl duration Time to live for the generated certificate. Defaults to the vault role policy's configured TTL if not provided
--signer-vault-url string Base URL of the Vault instance to connect to
-s, --step string Name of the step being run
--timestamp-servers strings Timestamp Authority servers to use when signing the envelope
--trace Enable tracing for the command
-d, --workingdir string Directory from which commands will run
Options inherited from parent commands
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
SEE ALSO
- witness - Collect and verify attestations about your build environments
witness sign
Signs a file
Synopsis
Signs a file with the provided key source and outputs the signed file to the specified destination
witness sign [file] [flags]
Options
-t, --datatype string The URI reference to the type of data being signed. Defaults to the Witness policy type (default "https://witness.testifysec.com/policy/v0.1")
-h, --help help for sign
-f, --infile string Witness policy file to sign
-o, --outfile string File to write signed data. Defaults to stdout
--signer-file-cert-path string Path to the file containing the certificate for the private key
--signer-file-intermediate-paths strings Paths to files containing intermediates required to establish trust of the signer's certificate to a root
-k, --signer-file-key-path string Path to the file containing the private key
--signer-fulcio-oidc-client-id string OIDC client ID to use for authentication
--signer-fulcio-oidc-issuer string OIDC issuer to use for authentication
--signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
--signer-fulcio-token string Raw token string to use for authentication to Fulcio (cannot be used in conjunction with --signer-fulcio-token-path)
--signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to Fulcio (cannot be used in conjunction with --signer-fulcio-token)
--signer-fulcio-url string Fulcio address to sign with
--signer-kms-aws-config-file string The shared configuration file to use with the AWS KMS signer provider
--signer-kms-aws-credentials-file string The shared credentials file to use with the AWS KMS signer provider
--signer-kms-aws-insecure-skip-verify Skip verification of the server's certificate chain and host name
--signer-kms-aws-profile string The shared configuration profile to use with the AWS KMS signer provider
--signer-kms-aws-remote-verify Verify the signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
--signer-kms-gcp-credentials-file string The credentials file to use with the GCP KMS signer provider
--signer-kms-hashType string The hash type to use for signing (default "sha256")
--signer-kms-keyVersion string The key version to use for signing
--signer-kms-ref string The KMS Reference URI to use for connecting to the KMS service
--signer-spiffe-socket-path string Path to the SPIFFE Workload API Socket
--signer-vault-altnames strings Alt names to use for the generated certificate. All alt names must be allowed by the vault role policy
--signer-vault-commonname string Common name to use for the generated certificate. Must be allowed by the vault role policy
--signer-vault-namespace string Vault namespace to use
--signer-vault-pki-secrets-engine-path string Path to the Vault PKI Secrets Engine to use (default "pki")
--signer-vault-role string Name of the Vault role to generate the certificate for
--signer-vault-token string Token to use to connect to Vault
--signer-vault-ttl duration Time to live for the generated certificate. Defaults to the vault role policy's configured TTL if not provided
--signer-vault-url string Base URL of the Vault instance to connect to
--timestamp-servers strings Timestamp Authority servers to use when signing the envelope
Options inherited from parent commands
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
SEE ALSO
- witness - Collect and verify attestations about your build environments
witness verify
Verifies a witness policy
Synopsis
Verifies attestations against a policy using the provided key source and exits with code 0 if verification succeeds
witness verify [flags]
Options
--archivista-server string URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io")
-f, --artifactfile string Path to the artifact to verify
-a, --attestations strings Attestation files to test against the policy
--enable-archivista Use Archivista to store or retrieve attestations
-h, --help help for verify
-p, --policy string Path to the policy to verify
--policy-ca strings Paths to CA certificates to use for verifying the policy
-k, --publickey string Path to the policy signer's public key
-s, --subjects strings Additional subjects to lookup attestations
--verifier-kms-aws-config-file string The shared configuration file to use with the AWS KMS signer provider
--verifier-kms-aws-credentials-file string The shared credentials file to use with the AWS KMS signer provider
--verifier-kms-aws-insecure-skip-verify Skip verification of the server's certificate chain and host name
--verifier-kms-aws-profile string The shared configuration profile to use with the AWS KMS signer provider
--verifier-kms-aws-remote-verify Verify the signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
--verifier-kms-gcp-credentials-file string The credentials file to use with the GCP KMS signer provider
--verifier-kms-hashType string The hash type used for verifying (default "sha256")
--verifier-kms-keyVersion string The key version to use for verifying
--verifier-kms-ref string The KMS Reference URI to use for connecting to the KMS service
Options inherited from parent commands
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
SEE ALSO
- witness - Collect and verify attestations about your build environments
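The `-c, --config` flag above points at a `.witness.yaml` file but the reference does not show its layout. The following config is an added example, not part of the Cobra-generated reference or the Witness project's own files. It assumes the Witness convention that each subcommand's flag names, without the leading dashes, are used as keys under that subcommand; every path, step name and URL in it is a placeholder. It wires the three commands on this page into one workflow: `witness run` records and signs attestations for a build step, `witness sign` signs the policy with a separate key, and `witness verify` checks the artifact and attestations against that signed policy.

```yaml
# .witness.yaml (added example; all paths, names and URLs are placeholders)

run:
  step: build                               # -s, --step
  attestations:                             # -a, --attestations ('product' and 'material' are always recorded)
    - environment
    - git
  hashes:                                   # --hashes
    - sha256
  signer-file-key-path: build-key.pem       # -k, --signer-file-key-path
  signer-file-cert-path: build-cert.pem     # --signer-file-cert-path
  signer-file-intermediate-paths:           # --signer-file-intermediate-paths
    - build-intermediate-ca.pem
  timestamp-servers:                        # --timestamp-servers (placeholder TSA)
    - https://tsa.example.invalid/tsa
  outfile: build-attestation.json           # -o, --outfile

sign:
  infile: policy.json                       # -f, --infile (unsigned policy)
  outfile: policy-signed.json               # -o, --outfile
  signer-file-key-path: policy-key.pem      # a key separate from the build signer

verify:
  policy: policy-signed.json                # -p, --policy
  publickey: policy-pub.pem                 # -k, --publickey (policy signer's public key)
  artifactfile: dist/app                    # -f, --artifactfile
  attestations:                             # -a, --attestations
    - build-attestation.json
```

With this file in the working directory the three invocations reduce to `witness run -- <build command>`, `witness sign`, and `witness verify`; as with Cobra-based tools generally, any flag given explicitly on the command line is expected to take precedence over the file's value. Keeping the policy-signing key (`policy-key.pem`) distinct from the build-signing key matters: the policy is what `verify` trusts, so a build runner that can sign attestations should not also be able to rewrite the rules it is checked against.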
witness version
Prints out the witness version
Synopsis
Prints out the witness version
witness version [flags]
Options
-h, --help help for version
Options inherited from parent commands
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
SEE ALSO
- witness - Collect and verify attestations about your build environments