| GH-ATTESTATION-TRUSTED-ROOT(1) | GitHub CLI manual | GH-ATTESTATION-TRUSTED-ROOT(1) |
NAME
gh-attestation-trusted-root - Output trusted_root.jsonl contents, likely for offline verification
SYNOPSIS
gh attestation trusted-root [--tuf-url <url> --tuf-root <file-path>] [--verify-only] [flags]
DESCRIPTION
NOTE: This feature is currently in public preview, and subject to change.
Output contents for a trusted_root.jsonl file, likely for offline verification.
When using gh attestation verify, if your machine is on the internet, this will happen automatically. But to do offline verification, you need to supply a trusted root file with --custom-trusted-root; this command will help you fetch a trusted_root.jsonl file for that purpose.
You can call this command without any flags to get a trusted root file covering the Sigstore Public Good Instance as well as GitHub's Sigstore instance.
Otherwise you can use --tuf-url to specify the URL of a custom TUF repository mirror, and --tuf-root should be the path to the root.json file that you securely obtained out-of-band.
If you just want to verify the integrity of your local TUF repository, and don't want the contents of a trusted_root.jsonl file, use --verify-only.
OPTIONS
- --hostname <string>
- Configure host to use
- --tuf-root <string>
- Path to the TUF root.json file on disk
- --tuf-url <string>
- URL to the TUF repository mirror
- --verify-only
- Don't output trusted_root.jsonl contents
EXIT CODES
0: Successful execution
1: Error
2: Command canceled
4: Authentication required
NOTE: Specific commands may have additional exit codes. Refer to the command's help for more information.
EXAMPLE
# Get a trusted_root.jsonl for both Sigstore Public Good and GitHub's instance gh attestation trusted-root
SEE ALSO
| Jan 2025 |