# notation CLI Spec

## notation sign

```console
$ notation sign --help
Signs artifacts

Usage:
  notation sign [reference] [flags]

Flags:
      --cert-file string        signing certificate file
      --envelope-type string    signature envelope format, options: 'jws', 'cose' (default "jws")
  -e, --expiry duration         expire duration
  -h, --help                    help for sign
  -k, --key string              signing key name
      --key-file string         signing key file
  -l, --local                   reference is a local file
      --media-type string       specify the media type of the manifest read from file or stdin (default "application/vnd.docker.distribution.manifest.v2+json")
  -o, --output string           write signature to a specific path
  -p, --password string         Password for registry operations (default from $NOTATION_PASSWORD)
  -c, --pluginConfig string     list of comma-separated {key}={value} pairs that are passed as is to the plugin, refer plugin documentation to set appropriate values
      --push                    push after successful signing (default true)
      --push-reference string   different remote to store signature
  -r, --reference string        original reference
  -t, --timestamp string        timestamp the signed signature via the remote TSA
  -u, --username string         Username for registry operations (default from $NOTATION_USERNAME)

Global Flags:
      --plain-http   Registry access via plain HTTP
```

### Examples

#### Overview

After an artifact is signed successfully, the signature is pushed to the registry and stored in a local cache folder by default, and the digest of the signed artifact is returned.

#### sign a container image with a local key and certificate

```console
notation sign <image> --key-file <key path> --cert-file <cert path>
```

#### sign a container image using a key name

```console
# Add a key name referencing key file and certificate file
notation key add -n <key name> <key path> <cert path>

# sign a container image using a key name
notation sign <image> --key <key name>
```

#### sign a container image with key and certificate stored in a Key Vault

```console
# Pre-condition:
# - A Key Vault plugin is installed in notation
# - User creates key and certificate in a Key vault

# Add the key to signing key list
notation key add -n <key name> --plugin <plugin name> --id <key id>

# sign a container image using a key name (-k/--key, as listed in the help above)
notation sign <image> --key <key name>
```

### store signature in a local file

```console
# disable auto push and store signature in a local file
# (--push is a boolean flag, so its value is given as --push=false)
notation sign <image> --key <key name> --push=false -o <signature file>
```

### sign a local file and store signature in a local file

```console
notation sign <local file> -l --key <key name> -o <signature file>
```

## notation plugin

```markdown
Manage plugins

Usage:
  notation plugin [command]

Available Commands:
  list        List registered plugins

Flags:
  -h, --help   help for plugin

Global Flags:
      --plain-http   Registry access via plain HTTP
```

## Description

The `notation plugin` command by itself performs no action. To operate on a plugin, one of the subcommands must be used.

### plugin list

```console
$ notation plugin list --help
List registered plugins

Usage:
  notation plugin list [flags]

Aliases:
  list, ls

Flags:
  -h, --help   help for list

Global Flags:
      --plain-http   Registry access via plain HTTP
```

## Examples

### List registered plugins

```console
notation plugin list
```

## notation key