in-toto-sign command
Copy a command, then replace the file names, directories, or parameters as needed.
Common examples
Sign a link file
in-toto-sign -k [key.pem] -f [link_file]
Sign a layout file
in-toto-sign -k [key] -f [root.layout]
Append a signature, keeping the existing ones
in-toto-sign -k [key] -f [file] -a
Write the signed file to a separate output path
in-toto-sign -k [key] -f [input] -o [output]
Verify a signature with a public key
in-toto-sign --verify -k [key.pub] -f [file]
Sign with a GPG key
in-toto-sign -g [gpg_keyid] -f [file]
Description
in-toto-sign adds cryptographic signatures to in-toto metadata files. It signs both link files from build steps and layout files that define supply chain policies. Multiple signatures can be added for multi-party verification. The tool supports GPG and PEM key formats.
Options
- `-k KEY`: Private signing key file.
- `-f FILE`: File to sign (link or layout).
- `-a`, `--append`: Append the signature to any existing signatures instead of replacing them.
- `-o OUTPUT`: Output file path.
- `-g KEYID ...`: GPG key IDs used to sign or verify.
- `--gpg-home PATH`: GPG home directory path.
- `--verify`: Verify signatures instead of signing.
- `-v`: Verbose output.
- `-q`: Quiet output.
- `--version`: Show version information.
- `--help`: Display help information.
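The multi-party case the description mentions, as an added shell script that is not part of the original page or the in-toto project: one owner signs a layout to a separate output file, a second owner appends a signature, and the result is verified once per public key. The file names (owner1.key.pem, owner2.key.pem, root.layout, signed.layout, the .pub files) are assumptions chosen for illustration; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original page: a two-party signing workflow for
# an in-toto layout, built from the in-toto-sign flags listed above.
# All key, layout and output file names here are illustrative assumptions.
set -eu

# DRY_RUN=1 prints each in-toto-sign invocation instead of executing it, so
# the exact commands can be reviewed before any real key is touched.
DRY_RUN=${DRY_RUN:-0}

run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Fail early when an input is missing: a signature is only meaningful for the
# exact key and file that went into it.
require_file() {
  [ "$DRY_RUN" = 1 ] || [ -f "$1" ] || { echo "missing input: $1" >&2; return 1; }
}

# First owner signs the unsigned layout and writes the result elsewhere (-o),
# leaving the original file untouched.
sign_layout() {                 # $1 private key, $2 layout, $3 output
  require_file "$1"; require_file "$2"
  run in-toto-sign -k "$1" -f "$2" -o "$3"
}

# Second owner appends (-a) rather than replaces, so the first signature survives.
append_signature() {            # $1 private key, $2 signed layout, $3 output
  require_file "$1"; require_file "$2"
  run in-toto-sign -k "$1" -f "$2" -a -o "$3"
}

# Verification is done once per public key: a file that verifies under one
# owner's key but not the other's has not been approved by both parties.
verify_with() {                 # $1 public key, $2 signed file
  require_file "$1"; require_file "$2"
  run in-toto-sign --verify -k "$1" -f "$2"
}

# End to end: two private keys, the layout, the final output, two public keys.
two_party_sign_layout() {
  sign_layout "$1" "$3" "$4.partial"
  append_signature "$2" "$4.partial" "$4"
  verify_with "$5" "$4"
  verify_with "$6" "$4"
}

# Real run:
#   two_party_sign_layout owner1.key.pem owner2.key.pem root.layout signed.layout owner1.pub owner2.pub
# Review the commands first:
#   DRY_RUN=1 two_party_sign_layout owner1.key.pem owner2.key.pem root.layout signed.layout owner1.pub owner2.pub
```

The intermediate `signed.layout.partial` keeps the single-signature and two-signature states as separate files, so a later `in-toto-verify` that expects both owners cannot be pointed at the half-signed file by mistake.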
FAQ
What is the in-toto-sign command used for?
in-toto-sign adds cryptographic signatures to in-toto metadata files. It signs both link files from build steps and layout files that define supply chain policies. Multiple signatures can be added for multi-party verification. The tool supports GPG and PEM key formats.
How do I run a basic in-toto-sign example?
Run `in-toto-sign -k [key.pem] -f [link_file]` in a terminal, then adjust the key path, the file to sign, and any flags for your setup.
What does -k _KEY_ do in in-toto-sign?
It specifies the private key file used to sign (or, with --verify, the public key used to verify).