Skip to content
Zarf

zarf package sign

zarf package sign

Section titled “zarf package sign”

Signs an existing Zarf package

Synopsis

Section titled “Synopsis”

Signs an existing Zarf package with a private key. The package can be a local tarball or pulled from an OCI registry. The signature is created by signing the zarf.yaml file and does not modify the package checksums.

zarf package sign PACKAGE_SOURCE [flags]

Examples

Section titled “Examples”
# Sign an unsigned package
$ zarf package sign zarf-package-demo-amd64-1.0.0.tar.zst --signing-key ./private-key.pem


# Re-sign with a new key (overwrite existing signature)
$ zarf package sign zarf-package-demo-amd64-1.0.0.tar.zst --signing-key ./new-key.pem --overwrite


# Sign a package from an OCI registry and output to local directory
$ zarf package sign oci://ghcr.io/my-org/my-package:1.0.0 --signing-key ./private-key.pem --output ./signed/


# Sign a package and publish directly to OCI registry
$ zarf package sign zarf-package-demo-amd64-1.0.0.tar.zst --signing-key ./private-key.pem --output oci://ghcr.io/my-org/signed-packages


# Sign with a cloud KMS key
$ zarf package sign zarf-package-demo-amd64-1.0.0.tar.zst --signing-key awskms://alias/my-signing-key

Options

Section titled “Options”
  -h, --help                      help for sign
  -k, --key string                Public key to verify the existing signature before re-signing (optional)
      --oci-concurrency int       Number of concurrent layer operations when pulling or pushing images or packages to/from OCI registries. (default 6)
  -o, --output string             Output destination for the signed package. Can be a local directory or an OCI registry URL (oci://). Default: same directory as source package for files, current directory for OCI sources
      --overwrite                 Overwrite an existing signature if the package is already signed
      --retries int               Number of retries to perform for Zarf operations like git/image pushes (default 3)
      --signing-key string        Private key for signing packages. Accepts either a local file path or a Cosign-supported key provider (awskms://, gcpkms://, azurekms://, hashivault://)
      --signing-key-pass string   Password for encrypted private key

Options inherited from parent commands

Section titled “Options inherited from parent commands”
  -a, --architecture string        Architecture for OCI images and Zarf packages
      --features stringToString    [ALPHA] Provide a comma-separated list of feature names to bools to enable or disable. Ex. --features "foo=true,bar=false,baz=true" (default [])
      --insecure-skip-tls-verify   Skip checking server's certificate for validity. This flag should only be used if you have a specific reason and accept the reduced security posture.
      --log-format string          Select a logging format. Defaults to 'console'. Valid options are: 'console', 'json', 'dev'. (default "console")
  -l, --log-level string           Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info")
      --no-color                   Disable terminal color codes in logging and stdout prints.
      --plain-http                 Force the connections over HTTP instead of HTTPS. This flag should only be used if you have a specific reason and accept the reduced security posture.
      --tmpdir string              Specify the temporary directory to use for intermediate files
      --zarf-cache string          Specify the location of the Zarf cache directory (default "~/.zarf-cache")

SEE ALSO

Section titled “SEE ALSO”
  • zarf package - Zarf package commands for creating, deploying, and inspecting packages