gcloud beta container binauthz attestations sign-and-create - sign and create a Binary Authorization Attestation using a Cloud KMS key

gcloud beta container binauthz attestations sign-and-create--artifact-url=ARTIFACT_URL(--keyversion=KEYVERSION :--keyversion-key=KEYVERSION_KEY--keyversion-keyring=KEYVERSION_KEYRING--keyversion-location=KEYVERSION_LOCATION--keyversion-project=KEYVERSION_PROJECT)[--dsse-type=DSSE_TYPE; default="application/vnd.dev.cosign.simplesigning.v1+json"][--pae-encode-payload][--public-key-id-override=PUBLIC_KEY_ID_OVERRIDE][[--note=NOTE :--note-project=NOTE_PROJECT]    |--validate [--attestor=ATTESTOR :--attestor-project=ATTESTOR_PROJECT]][GCLOUD_WIDE_FLAG …]

gcloudbetacontainerbinauthzattestationssign-and-create--project=my_proj--artifact-url='gcr.io/example-project/example-image@sha256:abcd'--attestor=projects/foo/attestors/bar--keyversion-project=foo--keyversion-location=us-west1--keyversion-keyring=aring--keyversion-key=akey--keyversion=1

To sign and create an attestation in the project "my_proj" in note "bar" withthe key"projects/foo/locations/us-west1/keyRings/aring/cryptoKeys/akey/cryptoKeyVersions/1",run:

gcloudbetacontainerbinauthzattestationssign-and-create--project=my_proj--artifact-url='gcr.io/example-project/example-image@sha256:abcd'--note=projects/my_proj/notes/bar--keyversion-project=foo--keyversion-location=us-west1--keyversion-keyring=aring--keyversion-key=akey--keyversion=1

--artifact-url=ARTIFACT_URL

Container URL. May be in thegcr.io/repository/image format, or mayoptionally contain thehttp orhttps scheme

CryptoKeyVersion resource - The Cloud KMS (Key Management Service)CryptoKeyVersion to use to sign the attestation payload. The arguments in thisgroup can be used to specify the attributes of this resource.

This must be specified.

--keyversion=KEYVERSION

ID of the CryptoKeyVersion or fully qualified identifier for theCryptoKeyVersion.

To set theversion attribute:

• provide the argument--keyversion on the command line.

This flag argument must be specified if any of the other arguments in this groupare specified.

--keyversion-key=KEYVERSION_KEY

The key of the CryptoKeyVersion.

To set thekey attribute:

• provide the argument--keyversion on the command line with a fullyspecified name;
• provide the argument--keyversion-key on the command line.

--keyversion-keyring=KEYVERSION_KEYRING

The keyring of the CryptoKeyVersion.

To set thekeyring attribute:

• provide the argument--keyversion on the command line with a fullyspecified name;
• provide the argument--keyversion-keyring on the command line.

--keyversion-location=KEYVERSION_LOCATION

The location of the CryptoKeyVersion.

To set thelocation attribute:

• provide the argument--keyversion on the command line with a fullyspecified name;
• provide the argument--keyversion-location on the command line.

--keyversion-project=KEYVERSION_PROJECT

Project ID of the Google Cloud project for the CryptoKeyVersion.

To set theproject attribute:

• provide the argument--keyversion on the command line with a fullyspecified name;
• provide the argument--keyversion-project on the command line;
• provide the argument--project on the command line;
• set the propertycore/project.

--dsse-type=DSSE_TYPE; default="application/vnd.dev.cosign.simplesigning.v1+json"

DSSE type used for pae encoding.

--pae-encode-payload

Whether to pae-encode the payload before signing.

--public-key-id-override=PUBLIC_KEY_ID_OVERRIDE

If provided, the ID of the public key that will be used to verify theAttestation instead of the default generated one. This ID should match the onefound on the Attestor resource(s) which will use this Attestation.

This parameter is only necessary if the--public-key-id-overrideflag was provided when this KMS key was added to the Attestor.

At most one of these can be specified:

Note resource - The Container Analysis Note which will be used to host thecreated attestation. In order to successfully attach the attestation, the activegcloud account (core/account) must have thecontaineranalysis.notes.attachOccurrence permission for the Note(usually via thecontaineranalysis.notes.attacher role). Thearguments in this group can be used to specify the attributes of this resource.

--note=NOTE

ID of the note or fully qualified identifier for the note.

To set thenote attribute:

• provide the argument--note on the command line.

This flag argument must be specified if any of the other arguments in this groupare specified.

--note-project=NOTE_PROJECT

The Container Analysis project for the note.

To set theproject attribute:

• provide the argument--note on the command line with a fullyspecified name;
• provide the argument--note-project on the command line.

--validate

Whether to validate that the Attestation can be verified by the providedAttestor.

Attestor resource - The Attestor whose Container Analysis Note will be used tohost the created attestation. In order to successfully attach the attestation,the active gcloud account (core/account) must be able to read this attestor andmust have thecontaineranalysis.notes.attachOccurrence permissionfor the Attestor's underlying Note resource (usually via thecontaineranalysis.notes.attacher role). The arguments in this groupcan be used to specify the attributes of this resource.

--attestor=ATTESTOR

ID of the attestor or fully qualified identifier for the attestor.

To set thename attribute:

• provide the argument--attestor on the command line.

This flag argument must be specified if any of the other arguments in this groupare specified.

--attestor-project=ATTESTOR_PROJECT

Project ID of the Google Cloud project for the attestor.

To set theproject attribute:

• provide the argument--attestor on the command line with a fullyspecified name;
• provide the argument--attestor-project on the command line;
• provide the argument--project on the command line;
• set the propertycore/project.

Run$gcloud help for details.