Generates (unsigned) signature payloads from the supplied container image.
Generates an unsigned payload from the supplied container image and flags. This payload matches the one generated by the "cosign sign" command and can be used if you need to sign payloads with your own tooling or algorithms.
cosign generate [flags]
cosign generate [--a key=value] <image uri>
# Generate a simple payload for an image
cosign generate <IMAGE>
# Generate a payload with specific annotations
cosign generate -a foo=bar <IMAGE>
# Use this payload in another tool
gpg --output image.sig --detach-sig <(cosign generate <IMAGE>)
--allow-insecure-registry whether to allow insecure connections to registries. Don't use this for anything but testing
-a, --annotations strings extra key=value pairs to sign
--attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
-h, --help help for generate
--k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
--output-file string log output to a file
-t, --timeout duration timeout for commands (default 3m0s)
-d, --verbose log debug output
-y, --yes skip confirmation prompts for non-destructive operations
- cosign - A tool for Container Signing, Verification and Storage in an OCI registry.