mirror of
https://github.com/ivuorinen/cheatsheet-tldr.git
synced 2026-02-07 12:45:42 +00:00
38 lines
1.7 KiB
Plaintext
---
syntax: markdown
tags: [tldr, common]
source: https://github.com/tldr-pages/tldr.git
---
# gh attestation

> Download and verify artifact attestations to ensure their integrity and provenance.
> More information: <https://cli.github.com/manual/gh_attestation>.

- Download attestations for a local file associated with a specific repository:

`gh {{[at|attestation]}} download {{path/to/artifact.bin}} {{[-R|--repo]}} {{owner}}/{{repository}}`

- Download attestations for an OCI container image associated with an organization:

`gh {{[at|attestation]}} download oci://{{image_uri}} {{[-o|--owner]}} {{organization_name}}`

- Verify a local artifact online against attestations from a specific repository:

`gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-R|--repo]}} {{owner}}/{{repository}}`

- Verify an artifact, requiring it was signed by a specific reusable workflow for enhanced security:

`gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-o|--owner]}} {{organization_name}} --signer-workflow {{owner}}/{{repository}}/{{path/to/workflow.yml}}`

- Verify an artifact and output the detailed verification results as JSON for use in policy engines:

`gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-o|--owner]}} {{organization_name}} --format json`

- Perform a fully offline verification using a downloaded bundle and a custom trusted root file:

`gh {{[at|attestation]}} verify {{path/to/artifact.bin}} {{[-b|--bundle]}} {{path/to/bundle.jsonl}} --custom-trusted-root {{path/to/trusted_root.jsonl}}`

- Save the trusted root of signing certificates to a file for offline verification:

`gh {{[at|attestation]}} trusted-root > {{path/to/trusted_root.jsonl}}`
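
A small fail-closed policy gate over the JSON from the `--format json` command above, as an added example that is not part of the tldr page or the gh project. The field names under `verificationResult` are an assumption about the output layout and should be checked against your gh version; the sample data, `POLICY` and the function names are constructed for illustration.

```python
import json

# Constructed sample; layout (a list of results, each carrying
# verificationResult.signature.certificate and .statement) is an assumption.
SAMPLE = json.dumps([{"verificationResult": {
    "signature": {"certificate": {
        "sourceRepositoryURI": "https://github.com/example-org/example-repo",
        "buildSignerURI": "https://github.com/example-org/workflows/.github/workflows/release.yml@refs/heads/main",
        "runnerEnvironment": "github-hosted"}},
    "statement": {"predicateType": "https://slsa.dev/provenance/v1"}}}])

# Hypothetical policy: what this consumer requires of the attestation.
POLICY = {
    "repo": "https://github.com/example-org/example-repo",
    "signer_prefix": "https://github.com/example-org/workflows/.github/workflows/release.yml@",
    "runner": "github-hosted",
    "predicate_type": "https://slsa.dev/provenance/v1",
}

def violations(result, policy):
    """List the policy checks that one verification result fails."""
    vr = result.get("verificationResult") or {}
    cert = (vr.get("signature") or {}).get("certificate") or {}
    stmt = vr.get("statement") or {}
    problems = []
    if cert.get("sourceRepositoryURI") != policy["repo"]:
        problems.append("source repository mismatch")
    if not str(cert.get("buildSignerURI", "")).startswith(policy["signer_prefix"]):
        problems.append("unexpected signer workflow")
    if cert.get("runnerEnvironment") != policy["runner"]:
        problems.append("unexpected runner environment")
    if stmt.get("predicateType") != policy["predicate_type"]:
        problems.append("unexpected predicate type")
    return problems

def evaluate(raw_json, policy):
    """Return (allowed, reasons); malformed or empty output is denied."""
    try:
        results = json.loads(raw_json)
    except json.JSONDecodeError:
        return False, ["output is not valid JSON"]
    if not isinstance(results, list) or not results:
        return False, ["no verified attestations"]
    checked = [violations(r, policy) for r in results if isinstance(r, dict)]
    if any(not v for v in checked):  # one fully compliant attestation suffices
        return True, []
    return False, sorted({p for v in checked for p in v}) or ["no usable results"]
```

Feed it gh's stdout only after gh itself exits with status 0, since that exit status is what reports that signature verification succeeded.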