notation verify
Verify OCI artifacts
Synopsis
Verify OCI artifacts
Prerequisite: a certificate has been added to the trust store and a trust policy has been created.
notation verify [reference] [flags]
Examples
# Verify a signature on an OCI artifact identified by a digest:
notation verify <registry>/<repository>@<digest>
# Verify a signature on an OCI artifact identified by a tag (Notation will resolve tag to digest):
notation verify <registry>/<repository>:<tag>
# [Experimental] Verify an OCI artifact using the Referrers API; if the API is not supported (returns 404), fall back to the Referrers tag schema
notation verify --allow-referrers-api <registry>/<repository>@<digest>
# [Experimental] Verify a signature on an OCI artifact referenced in an OCI layout using trust policy statement specified by scope.
notation verify --oci-layout <registry>/<repository>@<digest> --scope <trust_policy_scope>
# [Experimental] Verify a signature on an OCI artifact identified by a tag and referenced in an OCI layout using trust policy statement specified by scope.
notation verify --oci-layout <registry>/<repository>:<tag> --scope <trust_policy_scope>
Options
--allow-referrers-api [Experimental] use the Referrers API to verify signatures, if not supported (returns 404), fallback to the Referrers tag schema
-d, --debug debug mode
-h, --help help for verify
--insecure-registry use HTTP protocol while connecting to registries. Should be used only for testing
--max-signatures int maximum number of signatures to evaluate or examine (default 100)
--oci-layout [Experimental] verify the artifact stored as OCI image layout
-p, --password string password for registry operations (default to $NOTATION_PASSWORD if not specified)
--plugin-config stringArray {key}={value} pairs that are passed as it is to a plugin, if the verification is associated with a verification plugin, refer plugin documentation to set appropriate values
--scope string [Experimental] set trust policy scope for artifact verification, required and can only be used when flag "--oci-layout" is set
-m, --user-metadata stringArray user defined {key}={value} pairs that must be present in the signature for successful verification if provided
-u, --username string username for registry operations (default to $NOTATION_USERNAME if not specified)
-v, --verbose verbose mode
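The wrapper below is an added example, not part of the Notation documentation: it refuses tag references so that the digest verified is the digest deployed, and turns required key=value pairs into `--user-metadata` flags. The function names, the exit code 2 and the restriction to sha256 digests are assumptions of the example; credentials are left to `$NOTATION_USERNAME` and `$NOTATION_PASSWORD`, as the options above describe.

```sh
#!/bin/sh
# Added example (not from the Notation docs): a CI gate around `notation verify`.
# Function names and the sha256-only rule are assumptions of this example.

# Succeeds only for <registry>/<repository>@sha256:<64 lowercase hex chars>.
is_digest_ref() {
  case "$1" in
    ?*/?*@sha256:*) ;;
    *) return 1 ;;
  esac
  _hex="${1##*@sha256:}"
  [ "${#_hex}" -eq 64 ] || return 1
  case "$_hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# verify_pinned <reference> [key=value ...]
# Exit status: 2 for input this wrapper rejects, otherwise notation's own status.
verify_pinned() {
  [ "$#" -ge 1 ] || return 2
  _ref="$1"
  shift
  # A tag can be re-pointed between verification and deployment; a digest cannot.
  if ! is_digest_ref "$_ref"; then
    echo "refusing non-digest reference: $_ref" >&2
    return 2
  fi
  # Turn each key=value argument into a --user-metadata requirement.
  _n=$#
  while [ "$_n" -gt 0 ]; do
    case "$1" in
      ?*=*) set -- "$@" --user-metadata "$1" ;;
      *) echo "metadata must be key=value: $1" >&2; return 2 ;;
    esac
    shift
    _n=$((_n - 1))
  done
  # -p/--password is never passed, so the password stays out of the process
  # arguments; --insecure-registry (plain HTTP) is never passed either.
  notation verify "$_ref" "$@"
}
```

In a pipeline, call `verify_pinned` with the digest produced by the build step and stop the job on any non-zero status.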
SEE ALSO
- notation - Notation - a tool to sign and verify artifacts
Auto generated by spf13/cobra on 19-Sep-2023
Last modified November 5, 2023: added CLI reference content for v1.0.0 (#355) (72786dc)