cosign policy sign

Sign a keyless policy


--output-file <output-file>Log output to a file
--timeout, -t <timeout>Timeout for commands
--verbose, -dLog debug output
--allow-insecure-registryWhether to allow insecure connections to registries. Don't use this for anything but testing
--attachment-tag-prefix <attachment-tag-prefix>Optional custom prefix to use for attached image tags. Attachment images are tagged as: `[AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]`
--fulcio-url <fulcio-url>[EXPERIMENTAL] address of sigstore PKI server
--identity-token <identity-token>[EXPERIMENTAL] identity token to use for certificate from fulcio
--insecure-skip-verify[EXPERIMENTAL] skip verifying fulcio published to the SCT (this should only be used for testing)
--k8s-keychainWhether to use the kubernetes keychain instead of the default keychain (supports workload identity)
--namespace <namespace>Registry namespace that the root policy belongs to
--oidc-client-id <oidc-client-id>[EXPERIMENTAL] OIDC client ID for application
--oidc-client-secret <oidc-client-secret>[EXPERIMENTAL] OIDC client secret for application
--oidc-issuer <oidc-issuer>[EXPERIMENTAL] OIDC provider to be used to issue ID token
--out <out>Output policy locally
--rekor-url <rekor-url>[EXPERIMENTAL] address of rekor STL server
--help, -hHelp for sign