ec sigstore initialize
Initializes Sigstore root to retrieve trusted certificate and key targets for verification== Synopsis
Initializes Sigstore root to retrieve trusted certificate and key targets for verification.
The following options are used by default: - The current trusted Sigstore TUF root is embedded inside ec at the time of release. - Sigstore remote TUF repository is pulled from the CDN mirror at tuf-repo-cdn.sigstore.dev.
To provide an out-of-band trusted initial root.json, use the --root flag with a file or URL reference. This will enable you to point ec to a separate TUF root.
Any updated TUF repository will be written to $HOME/.sigstore/root/.
Trusted keys and certificate used in ec verification (e.g. verifying Fulcio issued certificates with Fulcio root CA) are pulled form the trusted metadata.
This command is mostly a wrapper around "cosign initialize".
ec sigstore initialize [flags]
Examples
ec initialize -mirror <url> -out <file>
Initialize root with distributed root keys, default mirror, and default out path. ec initialize
Initialize with an out-of-band root key file, using the default mirror. ec initialize -root <url>
Initialize with an out-of-band root key file and custom repository mirror. ec initialize -mirror <url> -root <url>
Options
- -h, --help
-
help for initialize (Default: false)
- --mirror
-
GCS bucket to a SigStore TUF repository, or HTTP(S) base URL, or file:/// for local filestore remote (air-gap) (Default: https://tuf-repo-cdn.sigstore.dev)
- --root
-
path to trusted initial root. defaults to embedded root
Options inherited from parent commands
- --debug
-
same as verbose but also show function names and line numbers (Default: false)
- --kubeconfig
-
path to the Kubernetes config file to use
- --logfile
-
file to write the logging output. If not specified logging output will be written to stderr
- --quiet
-
less verbose output (Default: false)
- --timeout
-
max overall execution duration (Default: 5m0s)
- --trace
-
enable trace logging (Default: false)
- --verbose
-
more verbose output (Default: false)