Scroll to navigation

GH-ATTESTATION-TRUSTED-ROOT(1) GitHub CLI manual GH-ATTESTATION-TRUSTED-ROOT(1)

NAME

gh-attestation-trusted-root - Output trusted_root.jsonl contents, likely for offline verification

SYNOPSIS

gh attestation trusted-root [--tuf-url <url> --tuf-root <file-path>] [--verify-only] [flags]

DESCRIPTION

NOTE: This feature is currently in public preview, and subject to change.

Output contents for a trusted_root.jsonl file, likely for offline verification.

When using gh attestation verify, if your machine is on the internet, this will happen automatically. But to do offline verification, you need to supply a trusted root file with --custom-trusted-root; this command will help you fetch a trusted_root.jsonl file for that purpose.

You can call this command without any flags to get a trusted root file covering the Sigstore Public Good Instance as well as GitHub's Sigstore instance.

Otherwise you can use --tuf-url to specify the URL of a custom TUF repository mirror, and --tuf-root should be the path to the root.json file that you securely obtained out-of-band.

If you just want to verify the integrity of your local TUF repository, and don't want the contents of a trusted_root.jsonl file, use --verify-only.

OPTIONS

Configure host to use

Path to the TUF root.json file on disk

URL to the TUF repository mirror

Don't output trusted_root.jsonl contents

EXIT CODES

0: Successful execution

1: Error

2: Command canceled

4: Authentication required

NOTE: Specific commands may have additional exit codes. Refer to the command's help for more information.

EXAMPLE

# Get a trusted_root.jsonl for both Sigstore Public Good and GitHub's instance
gh attestation trusted-root

SEE ALSO

gh-attestation(1)

Dec 2024 GitHub CLI v2.63.2