
zarf package sign

Signs an existing Zarf package

Signs an existing Zarf package with a private key (a local key file or a Cosign-supported KMS key) or, with --keyless, through Sigstore's Fulcio/OIDC flow. The package can be a local tarball or pulled from an OCI registry. The signature covers only the zarf.yaml file and the package checksums are not modified. Because zarf.yaml carries the aggregate checksum of checksums.txt, which in turn lists the checksum of every other layer, a valid signature over zarf.yaml still binds the whole package; a verifier has to walk that chain (signature, then aggregate checksum, then per-layer checksums) rather than stop at the signature.

Usage:
  zarf package sign PACKAGE_SOURCE [flags]

Examples:
  # Sign an unsigned package
  $ zarf package sign zarf-package-demo-amd64-1.0.0.tar.zst --signing-key ./private-key.pem

  # Re-sign with a new key (overwrite existing signature)
  $ zarf package sign zarf-package-demo-amd64-1.0.0.tar.zst --signing-key ./new-key.pem --overwrite

  # Sign a package from an OCI registry and output to a local directory
  $ zarf package sign oci://ghcr.io/my-org/my-package:1.0.0 --signing-key ./private-key.pem --output ./signed/

  # Sign a package and publish directly to an OCI registry
  $ zarf package sign zarf-package-demo-amd64-1.0.0.tar.zst --signing-key ./private-key.pem --output oci://ghcr.io/my-org/signed-packages

  # Sign with a cloud KMS key
  $ zarf package sign zarf-package-demo-amd64-1.0.0.tar.zst --signing-key awskms://alias/my-signing-key
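The examples above sign real packages; what they do not show is what the signature actually protects. The script below is an added example, not Zarf's or cosign's code: it models a package as a mapping of file name to bytes, mirrors the layout Zarf uses (checksums.txt lists every layer, zarf.yaml carries the aggregate checksum of checksums.txt, and the signature covers zarf.yaml only), and then verifies the untouched package alongside several tampered copies, including a re-sign with --overwrite. HMAC-SHA256 stands in for cosign's ECDSA signature so it runs on the standard library alone; the key bytes, layer contents and package name are constructed for the demo.

```python
"""Model of what `zarf package sign` covers (added example, not Zarf code).

A package is a mapping of file name -> bytes. HMAC-SHA256 stands in for the
cosign ECDSA signature so the script needs only the standard library; the
checksum chain is the part being demonstrated. Assumed layout (Zarf's package
structure): zarf.yaml carries metadata.aggregateChecksum = sha256(checksums.txt)
and checksums.txt lists the sha256 of every other layer.
"""
import hashlib
import hmac
import json

MANIFEST, CHECKSUMS, SIG_FILE = "zarf.yaml", "checksums.txt", "zarf.yaml.sig"
RESERVED = {MANIFEST, CHECKSUMS, SIG_FILE}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksums_txt(layers: dict[str, bytes]) -> bytes:
    """One '<sha256> <path>' line per layer, sorted, like Zarf's checksums.txt."""
    return "".join(f"{sha256_hex(b)} {p}\n" for p, b in sorted(layers.items())).encode()


def build_package(layers: dict[str, bytes], name: str = "demo") -> dict[str, bytes]:
    """Mirror `zarf package create`: layers -> checksums.txt -> aggregateChecksum in zarf.yaml."""
    pkg = dict(layers)
    pkg[CHECKSUMS] = checksums_txt(layers)
    manifest = {"kind": "ZarfPackageConfig",
                "metadata": {"name": name, "aggregateChecksum": sha256_hex(pkg[CHECKSUMS])}}
    pkg[MANIFEST] = json.dumps(manifest, sort_keys=True).encode()
    return pkg


def sign_package(pkg: dict[str, bytes], key: bytes, overwrite: bool = False) -> dict[str, bytes]:
    """Sign only zarf.yaml; checksums.txt and the layers are left untouched."""
    if SIG_FILE in pkg and not overwrite:
        raise ValueError("package already signed; use overwrite (cf. --overwrite)")
    signed = dict(pkg)
    signed[SIG_FILE] = hmac.new(key, pkg[MANIFEST], hashlib.sha256).digest()
    return signed


def verify_package(pkg: dict[str, bytes], key: bytes) -> tuple[bool, str]:
    """Walk the trust chain: signature -> aggregateChecksum -> per-layer checksums."""
    sig = pkg.get(SIG_FILE)
    if sig is None:
        return False, "unsigned"
    if not hmac.compare_digest(sig, hmac.new(key, pkg[MANIFEST], hashlib.sha256).digest()):
        return False, "bad signature over zarf.yaml"
    manifest = json.loads(pkg[MANIFEST])
    if manifest["metadata"]["aggregateChecksum"] != sha256_hex(pkg[CHECKSUMS]):
        return False, "aggregateChecksum mismatch: checksums.txt modified"
    listed = {}
    for line in pkg[CHECKSUMS].decode().splitlines():
        digest, path = line.split(" ", 1)
        listed[path] = digest
    for path, digest in listed.items():
        if path not in pkg or sha256_hex(pkg[path]) != digest:
            return False, f"checksum mismatch for {path}"
    unlisted = set(pkg) - set(listed) - RESERVED
    if unlisted:
        return False, f"unlisted layers: {sorted(unlisted)}"
    return True, "ok"


# Constructed sample package and keys (stand-ins for private-key.pem / new-key.pem).
KEY, NEW_KEY, ATTACKER_KEY = b"demo-signing-key", b"demo-new-key", b"attacker-key"
LAYERS = {"components/demo.tar": b"demo component contents",
          "images/index.json": b'{"manifests":[]}'}


def run_scenarios() -> dict[str, tuple[bool, str]]:
    signed = sign_package(build_package(LAYERS), KEY)
    results = {"untouched": verify_package(signed, KEY)}

    tampered = dict(signed)                      # swap a layer, leave zarf.yaml alone
    tampered["components/demo.tar"] = b"backdoored"
    results["layer swapped"] = verify_package(tampered, KEY)

    layers = {p: b for p, b in tampered.items() if p not in RESERVED}
    tampered[CHECKSUMS] = checksums_txt(layers)  # also "fix" checksums.txt to match
    results["layer and checksums.txt swapped"] = verify_package(tampered, KEY)

    edited = dict(signed)                        # edit the signed manifest itself
    manifest = json.loads(signed[MANIFEST])
    manifest["metadata"]["name"] = "evil"
    edited[MANIFEST] = json.dumps(manifest, sort_keys=True).encode()
    results["zarf.yaml edited"] = verify_package(edited, KEY)

    rebuilt = sign_package(build_package(layers), ATTACKER_KEY)  # consistent, wrong key
    results["rebuilt with attacker key"] = verify_package(rebuilt, KEY)

    try:                                         # re-signing needs --overwrite
        sign_package(signed, NEW_KEY)
    except ValueError as e:
        results["re-sign without overwrite"] = (False, str(e))
    resigned = sign_package(signed, NEW_KEY, overwrite=True)
    results["re-signed, verify with new key"] = verify_package(resigned, NEW_KEY)
    results["re-signed, verify with old key"] = verify_package(resigned, KEY)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {reason}")
```

The ordering of the checks in verify_package is the point: a swapped layer is caught by checksums.txt, a swapped layer plus a rewritten checksums.txt is caught by the aggregate checksum in zarf.yaml, and any change to zarf.yaml itself (or a clean rebuild under someone else's key) is caught by the signature. Skipping any link, for example accepting a good signature without re-hashing the layers, leaves the package open to substitution.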
Options:
--confirm Skip the interactive confirmation prompt before uploading to the Rekor transparency log (equivalent to cosign --yes).
--fulcio-auth-flow string Fulcio OAuth flow: normal (browser), device (device code), token, client_credentials
--fulcio-url string Fulcio certificate authority URL. Override for private Sigstore deployments. (default "https://fulcio.sigstore.dev")
-h, --help help for sign
--identity-token string Pre-acquired OIDC identity token (or path to a file containing one) for non-interactive keyless signing
-k, --key string Public key to verify the existing signature before re-signing (optional)
--keyless Sign without a private key using Sigstore's keyless flow (Fulcio/OIDC)
--oci-concurrency int Number of concurrent layer operations when pulling or pushing images or packages to/from OCI registries. (default 6)
--oidc-client-id string OIDC client ID used when requesting an identity token. Override for private Sigstore deployments. (default "sigstore")
--oidc-issuer string OIDC issuer URL used to obtain an identity token for keyless signing. Override for private Sigstore deployments. (default "https://oauth2.sigstore.dev/auth")
-o, --output string Output destination for the signed package. Can be a local directory or an OCI registry URL (oci://). Default: the same directory as the source package for local files, the current directory for OCI sources
--overwrite Overwrite an existing signature if the package is already signed
--rekor-url string Rekor transparency log URL. Override for private Sigstore deployments. (default "https://rekor.sigstore.dev")
--retries int Number of retries to perform for Zarf operations like git/image pushes (default 3)
--signing-key string Private key for signing packages. Accepts either a local file path or a Cosign-supported key provider (awskms://, gcpkms://, azurekms://, hashivault://)
--signing-key-pass string Password for encrypted private key
--tlog-upload Upload the signature to the Rekor transparency log. Auto-enabled when --keyless is set, so that keyless signatures remain verifiable after the ~10 minute Fulcio certificate validity window has passed.
--tsa-server-url string RFC3161 timestamp authority URL (e.g. https://timestamp.sigstore.dev/api/v1/timestamp). When set, a signed timestamp is embedded in the bundle as an alternative or complement to --tlog-upload for proving the signature was made while the Fulcio certificate was valid.
--verify Verify the Zarf package signature
Options inherited from parent commands:
-a, --architecture string Architecture for OCI images and Zarf packages
--features stringToString Provide a comma-separated list of feature names to bools to enable or disable. Ex. --features "foo=true,bar=false,baz=true" (default [])
--insecure-skip-tls-verify Skip checking the server's certificate for validity. Use this flag only if you have a specific reason and accept the reduced security posture.
--log-format string Select a logging format. Defaults to 'console'. Valid options are: 'console', 'json', 'dev'. (default "console")
-l, --log-level string Log level when running Zarf. Valid options are: warn, info, debug, trace (default "info")
--no-color Disable terminal color codes in logging and stdout prints.
--plain-http Force connections over HTTP instead of HTTPS. Use this flag only if you have a specific reason and accept the reduced security posture.
--tmpdir string Specify the temporary directory to use for intermediate files
--zarf-cache string Specify the location of the Zarf cache directory (default "~/.zarf-cache")
SEE ALSO:
  • zarf package - Zarf package commands for creating, deploying, and inspecting packages