This is the reference for the Witness command line tool, generated by Cobra.
List all available attestors
Lists all the available attestors in Witness with supporting information
witness attestors [flags]
-h, --help help for attestors
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
- witness - Collect and verify attestations about your build environments
Runs the provided command and records attestations about the execution
witness run [cmd] [flags]
--archivista-server string URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io")
-a, --attestations strings Attestations to record ('product' and 'material' are always recorded) (default [environment,git])
--attestor-link-export Export the Link predicate in its own attestation
--attestor-maven-pom-path string The path to the Project Object Model (POM) XML file used for the task being attested (default "pom.xml")
--attestor-product-exclude-glob string Pattern to use when recording products. Files that match this pattern will be excluded as subjects on the attestation.
--attestor-product-include-glob string Pattern to use when recording products. Files that match this pattern will be included as subjects on the attestation. (default "*")
--attestor-slsa-export Export the SLSA provenance predicate in its own attestation
--enable-archivista Use Archivista to store or retrieve attestations
--hashes strings Hashes selected for digest calculation (default [sha256])
-h, --help help for run
-o, --outfile string File to write signed data to
--signer-file-cert-path string Path to the file containing the certificate for the private key
--signer-file-intermediate-paths strings Paths to files containing intermediates required to establish trust of the signer's certificate to a root
-k, --signer-file-key-path string Path to the file containing the private key
--signer-fulcio-oidc-client-id string OIDC client ID to use for authentication
--signer-fulcio-oidc-issuer string OIDC issuer to use for authentication
--signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
--signer-fulcio-token string Raw token string to use for authentication to fulcio (cannot be used in conjunction with --signer-fulcio-token-path)
--signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --signer-fulcio-token)
--signer-fulcio-url string Fulcio address to sign with
--signer-kms-aws-config-file string The shared configuration file to use with the AWS KMS signer provider
--signer-kms-aws-credentials-file string The shared credentials file to use with the AWS KMS signer provider
--signer-kms-aws-insecure-skip-verify Skip verification of the server's certificate chain and host name (disables TLS verification of the KMS endpoint; not for production use)
--signer-kms-aws-profile string The shared configuration profile to use with the AWS KMS signer provider
--signer-kms-aws-remote-verify Verify the signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
--signer-kms-gcp-credentials-file string The credentials file to use with the GCP KMS signer provider
--signer-kms-hashType string The hash type to use for signing (default "sha256")
--signer-kms-keyVersion string The key version to use for signing
--signer-kms-ref string The KMS Reference URI to use for connecting to the KMS service
--signer-spiffe-socket-path string Path to the SPIFFE Workload API Socket
--signer-vault-altnames strings Alt names to use for the generated certificate. All alt names must be allowed by the vault role policy
--signer-vault-commonname string Common name to use for the generated certificate. Must be allowed by the vault role policy
--signer-vault-namespace string Vault namespace to use
--signer-vault-pki-secrets-engine-path string Path to the Vault PKI Secrets Engine to use (default "pki")
--signer-vault-role string Name of the Vault role to generate the certificate for
--signer-vault-token string Token to use to connect to Vault
--signer-vault-ttl duration Time to live for the generated certificate. Defaults to the vault role policy's configured TTL if not provided
--signer-vault-url string Base url of the Vault instance to connect to
-s, --step string Name of the step being run
--timestamp-servers strings Timestamp Authority Servers to use when signing the envelope
--trace Enable tracing for the command
-d, --workingdir string Directory from which commands will run
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
- witness - Collect and verify attestations about your build environments
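The product attestor records every file that matches --attestor-product-include-glob and does not match --attestor-product-exclude-glob as a subject of the attestation, digested with the algorithms named by --hashes. The following added example, which is not Witness project code, simulates that selection on constructed files so the effect of the two globs and the default sha256 digest is visible. It assumes a glob is matched against each product path as a whole; this reference does not spell out witness's exact matching rules, so treat the selection logic as an approximation and the digests as the real thing.

```shell
# Added example, not from the Witness project: simulate product selection.
# Assumption: each glob is matched against the whole product path.
set -eu

# Hex SHA-256 of a file, using whichever digest tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else openssl dgst -sha256 -r "$1"
    fi | cut -d' ' -f1
}

# select_products INCLUDE_GLOB EXCLUDE_GLOB FILE...
# Emits "path sha256:<hex>" for each file that matches INCLUDE_GLOB and not
# EXCLUDE_GLOB, i.e. the subjects a product attestation would carry.
# An empty EXCLUDE_GLOB excludes nothing (the flag has no default value).
select_products() {
    include="$1"; exclude="$2"; shift 2
    for f in "$@"; do
        case "$f" in
            $include) ;;
            *) continue ;;
        esac
        if [ -n "$exclude" ]; then
            case "$f" in
                $exclude) continue ;;
            esac
        fi
        printf '%s sha256:%s\n' "$f" "$(sha256_of "$f")"
    done
}

# Constructed sample products: a binary, its checksum file and a build log.
workdir="$(mktemp -d)"
printf 'hello\n' > "$workdir/app"
: > "$workdir/app.sha256"
printf 'noise\n' > "$workdir/build.log"

(
    cd "$workdir"
    echo "include '*' (the default), no exclude glob:"
    select_products '*' '' app app.sha256 build.log
    echo "include '*', exclude '*.log':"
    select_products '*' '*.log' app app.sha256 build.log
)
rm -rf "$workdir"
```

Without an exclude glob the build log becomes a subject alongside the binary, which is usually not what a policy author wants to bind to; the second call shows the narrower subject set that results from excluding it.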
Signs a file
Signs a file with the provided key source and outputs the signed file to the specified destination
witness sign [file] [flags]
-t, --datatype string The URI reference to the type of data being signed. Defaults to the Witness policy type (default "https://witness.testifysec.com/policy/v0.1")
-h, --help help for sign
-f, --infile string Witness policy file to sign
-o, --outfile string File to write signed data to. Defaults to stdout
--signer-file-cert-path string Path to the file containing the certificate for the private key
--signer-file-intermediate-paths strings Paths to files containing intermediates required to establish trust of the signer's certificate to a root
-k, --signer-file-key-path string Path to the file containing the private key
--signer-fulcio-oidc-client-id string OIDC client ID to use for authentication
--signer-fulcio-oidc-issuer string OIDC issuer to use for authentication
--signer-fulcio-oidc-redirect-url string OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
--signer-fulcio-token string Raw token string to use for authentication to fulcio (cannot be used in conjunction with --signer-fulcio-token-path)
--signer-fulcio-token-path string Path to the file containing a raw token to use for authentication to fulcio (cannot be used in conjunction with --signer-fulcio-token)
--signer-fulcio-url string Fulcio address to sign with
--signer-kms-aws-config-file string The shared configuration file to use with the AWS KMS signer provider
--signer-kms-aws-credentials-file string The shared credentials file to use with the AWS KMS signer provider
--signer-kms-aws-insecure-skip-verify Skip verification of the server's certificate chain and host name (disables TLS verification of the KMS endpoint; not for production use)
--signer-kms-aws-profile string The shared configuration profile to use with the AWS KMS signer provider
--signer-kms-aws-remote-verify Verify the signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
--signer-kms-gcp-credentials-file string The credentials file to use with the GCP KMS signer provider
--signer-kms-hashType string The hash type to use for signing (default "sha256")
--signer-kms-keyVersion string The key version to use for signing
--signer-kms-ref string The KMS Reference URI to use for connecting to the KMS service
--signer-spiffe-socket-path string Path to the SPIFFE Workload API Socket
--signer-vault-altnames strings Alt names to use for the generated certificate. All alt names must be allowed by the vault role policy
--signer-vault-commonname string Common name to use for the generated certificate. Must be allowed by the vault role policy
--signer-vault-namespace string Vault namespace to use
--signer-vault-pki-secrets-engine-path string Path to the Vault PKI Secrets Engine to use (default "pki")
--signer-vault-role string Name of the Vault role to generate the certificate for
--signer-vault-token string Token to use to connect to Vault
--signer-vault-ttl duration Time to live for the generated certificate. Defaults to the vault role policy's configured TTL if not provided
--signer-vault-url string Base url of the Vault instance to connect to
--timestamp-servers strings Timestamp Authority Servers to use when signing the envelope
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
- witness - Collect and verify attestations about your build environments
Verifies attestations against a witness policy
Verifies the supplied attestations and artifact against a Witness policy, checking the policy's signature with the provided key source, and exits with code 0 if verification succeeds
witness verify [flags]
--archivista-server string URL of the Archivista server to store or retrieve attestations (default "https://archivista.testifysec.io")
-f, --artifactfile string Path to the artifact to verify
-a, --attestations strings Attestation files to test against the policy
--enable-archivista Use Archivista to store or retrieve attestations
-h, --help help for verify
-p, --policy string Path to the policy to verify
--policy-ca strings Paths to CA certificates to use for verifying the policy
-k, --publickey string Path to the policy signer's public key
-s, --subjects strings Additional subjects to lookup attestations
--verifier-kms-aws-config-file string The shared configuration file to use with the AWS KMS verifier provider
--verifier-kms-aws-credentials-file string The shared credentials file to use with the AWS KMS verifier provider
--verifier-kms-aws-insecure-skip-verify Skip verification of the server's certificate chain and host name (disables TLS verification of the KMS endpoint; not for production use)
--verifier-kms-aws-profile string The shared configuration profile to use with the AWS KMS verifier provider
--verifier-kms-aws-remote-verify Verify the signature using AWS KMS remote verification. If false, the public key will be pulled from AWS KMS and verification will take place locally (default true)
--verifier-kms-gcp-credentials-file string The credentials file to use with the GCP KMS verifier provider
--verifier-kms-hashType string The hash type used for verifying (default "sha256")
--verifier-kms-keyVersion string The key version to use for verification
--verifier-kms-ref string The KMS Reference URI to use for connecting to the KMS service
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
- witness - Collect and verify attestations about your build environments
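The run, sign and verify commands above are the three steps of one workflow: a build step signs an attestation, a policy owner signs the policy that constrains such steps, and a verifier checks an artifact and its attestations against that policy. The following added example, which is not part of the Witness documentation or code base, strings the three together with the file signer. Every file name is a placeholder: build-key.pem and build.crt for the step signer, policy-key.pem and policy.pub for the policy owner, policy.yaml for a policy authored separately (the policy format is not covered on this page), and ./app for the artifact. It assumes that `--` ends witness's own flags, as is standard for Cobra-based tools, and it prints the commands instead of executing them when witness is not on PATH or WITNESS_DRY_RUN=1 is set.

```shell
# Added example, not from the Witness project: attest, sign policy, verify.
# All paths below are placeholders; substitute your own key material,
# policy and artifact. Commands are printed rather than run when witness
# is not installed or WITNESS_DRY_RUN=1 is set.
set -eu

WITNESS="${WITNESS:-witness}"
STEP_KEY="${STEP_KEY:-build-key.pem}"      # private key of the build step signer
STEP_CERT="${STEP_CERT:-build.crt}"        # certificate matching STEP_KEY
POLICY_KEY="${POLICY_KEY:-policy-key.pem}" # private key of the policy owner
POLICY_PUB="${POLICY_PUB:-policy.pub}"     # public half, handed to verifiers
command -v "$WITNESS" >/dev/null 2>&1 || WITNESS_DRY_RUN=1

# Print the command line in dry-run mode, otherwise execute it.
run_cmd() {
    if [ "${WITNESS_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: wrap the build. 'product' and 'material' are always recorded;
# -a adds the environment and git attestors (the documented default).
# Everything after '--' is the build command itself.
attest_build() {
    step="$1"; outfile="$2"; shift 2
    run_cmd "$WITNESS" run \
        --step "$step" \
        --attestations environment,git \
        --signer-file-key-path "$STEP_KEY" \
        --signer-file-cert-path "$STEP_CERT" \
        --outfile "$outfile" \
        -- "$@"
}

# Step 2: sign the policy with the policy owner's key, not the build key.
sign_policy() {
    run_cmd "$WITNESS" sign \
        --infile "$1" \
        --outfile "$2" \
        --signer-file-key-path "$POLICY_KEY"
}

# Step 3: check the artifact and its attestation against the signed policy.
# witness verify exits 0 only when verification succeeds, so gate on that.
verify_build() {
    run_cmd "$WITNESS" verify \
        --policy "$1" \
        --publickey "$POLICY_PUB" \
        --attestations "$2" \
        --artifactfile "$3"
}

attest_build build build-att.json make all
sign_policy policy.yaml policy-signed.json
if verify_build policy-signed.json build-att.json ./app; then
    [ "${WITNESS_DRY_RUN:-0}" = "1" ] || echo "policy satisfied; ./app may be released"
else
    echo "verification failed; do not release ./app" >&2
    exit 1
fi
```

The policy key is deliberately separate from the step key: witness verify trusts only what --publickey (or a --policy-ca chain) vouches for, so a build runner that also held the policy key could sign off on its own output. The release gate is the exit code of witness verify, not its log output.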
Prints out the witness version
Prints out the witness version
witness version [flags]
-h, --help help for version
-c, --config string Path to the witness config file (default ".witness.yaml")
-l, --log-level string Level of logging to output (debug, info, warn, error) (default "info")
- witness - Collect and verify attestations about your build environments