Verifies a witness policy using a set of attestation collections

witness verify

Verifies a witness policy


Verifies a policy provided key source and exits with code 0 if verification succeeds

witness verify [flags]


  -f, --artifactfile string    Path to the artifact to verify
  -a, --attestations strings   Attestation files to test against the policy
  -h, --help                   help for verify
  -p, --policy string          Path to the policy to verify
      --policy-ca strings      Paths to CA certificates to use for verifying the policy
  -k, --publickey string       Path to the policy signer's public key
  -r, --rekor-server string    Rekor server from which to fetch attestations

Options inherited from parent commands

  -c, --config string      Path to the witness config file (default ".witness.yaml")
  -l, --log-level string   Level of logging to output (debug, info, warn, error) (default "info")


  • witness - Collect and verify attestations about your build environments
Last modified May 10, 2022: update with docs (d196ae7)