
SIGSUM-SUBMIT(1) User Commands SIGSUM-SUBMIT(1)

NAME

sigsum-submit - create and/or submit add-leaf requests

SYNOPSIS

sigsum-submit [--diagnostics level] [--help] [-k file] [--leaf-hash] [-o file] [--output-dir directory] [-p file] [--raw-hash] [--timeout duration] [--token-domain value] [--token-signing-key file] [input files]

DESCRIPTION

--diagnostics level
       One of "fatal", "error", "warning", "info", or "debug" [info]
--help
       Display help
-k file
       Key for signing the leaf
--leaf-hash
       Output leaf hash
-o file
       Write output to file, instead of stdout
--output-dir directory
       Directory for output files
-p file
       Sigsum policy
--raw-hash
       Input is already hashed
--timeout duration
       Per-log submission timeout. Zero means library default, currently 45s
--token-domain value
       Create a Sigsum-Token: header for this domain
--token-signing-key file
       Key for signing Sigsum-Token: header
Create and/or submit add-leaf request(s).
If no input files are listed on the command line, a single request is processed, reading from standard input, and writing to standard output (or file specified with the -o option). See further below for processing of multiple files.
If a signing key (-k option) is specified, a new request is created by signing the SHA256 hash of the input (or, if --raw-hash is given, the input is the hash value itself, either exactly 32 octets or a hex string). The key file uses OpenSSH format; it must be either an unencrypted private key, or a public key, in which case the corresponding private key is accessed via ssh-agent.
If no signing key is provided, input should instead be the body of an add-leaf request, which is parsed and verified.
If a Sigsum policy (-p option) is provided, the request is submitted to the log specified by the policy, and a Sigsum proof is collected and output. If there are multiple logs in the policy, they are tried in randomized order.
With -k but without -p, the add-leaf request itself is output. With no -k and no -p, the request syntax and signature of the input request are verified, but there is no output.
The --leaf-hash option can be used to output the hash of the resulting leaf, instead of submitting it.
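The following shell function is an added illustration, not part of sigsum-submit or the sigsum project, of how the two input modes described above map to the value that gets signed: without --raw-hash the input is hashed with SHA256, with --raw-hash the input must already be either exactly 32 octets or a hex string. The function name, its arguments and the sample files are assumptions made here; the tool itself does not expose such a function.

```shell
#!/bin/sh
# leaf_message_hash FILE RAW
#   RAW=0: hash FILE with SHA256 (the default sigsum-submit behaviour)
#   RAW=1: treat FILE as the hash itself (--raw-hash): exactly 32 octets,
#          or a hex string of 64 hex digits (surrounding whitespace ignored)
# Prints the 64-character lowercase hex digest, or returns 1 on bad input.
# Hypothetical helper, not sigsum-submit's own code.
leaf_message_hash() {
    file=$1
    raw=$2
    if [ "$raw" -eq 0 ]; then
        # Regular input: sign SHA256(input). Prefer coreutils, fall back to shasum.
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$file" | cut -d' ' -f1
        else
            shasum -a 256 "$file" | cut -d' ' -f1
        fi
        return 0
    fi
    size=$(wc -c < "$file")
    if [ "$size" -eq 32 ]; then
        # Exactly 32 octets: hex-encode them verbatim
        od -An -v -tx1 "$file" | tr -d ' \n'
        echo
        return 0
    fi
    # Otherwise the content must be a 64-digit hex string
    hex=$(tr -d ' \t\r\n' < "$file")
    case "$hex" in
        *[!0-9a-fA-F]*) echo "not a hex string: $file" >&2; return 1 ;;
    esac
    if [ "${#hex}" -ne 64 ]; then
        echo "hex string must be 64 digits, got ${#hex}: $file" >&2
        return 1
    fi
    printf '%s\n' "$hex" | tr 'A-F' 'a-f'
}

# Constructed sample inputs (not from the sigsum project)
tmp=$(mktemp -d)
printf 'hello' > "$tmp/msg.txt"                 # regular input
head -c 32 /dev/zero > "$tmp/hash.bin"          # 32 raw octets
printf 'ABCDEF%s\n' "0123456789012345678901234567890123456789012345678901234567" > "$tmp/hash.hex"
printf 'not-a-hash\n' > "$tmp/bad.txt"          # rejected under --raw-hash

leaf_message_hash "$tmp/msg.txt" 0
leaf_message_hash "$tmp/hash.bin" 1
leaf_message_hash "$tmp/hash.hex" 1
leaf_message_hash "$tmp/bad.txt" 1 || echo "rejected as expected"
```

Note that under --raw-hash the check is on the input's form only: sigsum-submit has no way to tell whether a 32-octet value really is the SHA256 of the data you meant to log, so the caller is responsible for producing it correctly.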
If input files are provided on the command line, each file corresponds to one request, and the result is written to a corresponding output file, based on these rules:
1. If there's exactly one input file, and the -o option is used, output is written to that file. Any existing file is overwritten.
2. For a request output, the suffix ".req" is added to the input file name.
3. For a proof output, if the input is a request, any ".req" suffix on the input file name is stripped. Then the suffix ".proof" is added.
4. If the --output-dir option is provided, any directory part of the input file name is stripped, and the output is written as a file in the specified output directory.
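As an added example (not code from sigsum-submit or the sigsum project), the function below applies the four naming rules to decide where a request or proof for a given input file would land, which is useful when scripting batch submissions and you want to know in advance which .req and .proof files to expect. The function name and argument order are assumptions made here.

```shell
#!/bin/sh
# sigsum_output_path MODE INPUT [OUTPUT_DIR] [O_FILE] [NFILES]
#   MODE        "req" (request output) or "proof" (proof output)
#   INPUT       the input file name as given on the command line
#   OUTPUT_DIR  value of --output-dir, or empty
#   O_FILE      value of -o, or empty
#   NFILES      number of input files on the command line (default 1)
# Prints the output file name the rules in the man page produce.
# Hypothetical helper, not part of sigsum-submit.
sigsum_output_path() {
    mode=$1
    input=$2
    outdir=${3:-}
    ofile=${4:-}
    nfiles=${5:-1}

    # Rule 1: exactly one input file and -o given: output goes to that file
    if [ "$nfiles" -eq 1 ] && [ -n "$ofile" ]; then
        printf '%s\n' "$ofile"
        return 0
    fi

    case "$mode" in
        req)
            # Rule 2: request output appends ".req"
            out="$input.req"
            ;;
        proof)
            # Rule 3: strip a trailing ".req" if present, then append ".proof"
            out="${input%.req}.proof"
            ;;
        *)
            echo "unknown mode: $mode (expected req or proof)" >&2
            return 2
            ;;
    esac

    # Rule 4: with --output-dir, drop the directory part and place the file there
    if [ -n "$outdir" ]; then
        out="$outdir/${out##*/}"
    fi
    printf '%s\n' "$out"
}

# Constructed sample invocations (file names are made up)
sigsum_output_path req   sub/artifact.bin                 # sub/artifact.bin.req
sigsum_output_path proof sub/artifact.bin.req             # sub/artifact.bin.proof
sigsum_output_path proof sub/artifact.bin                 # sub/artifact.bin.proof
sigsum_output_path proof sub/artifact.bin.req proofs      # proofs/artifact.bin.proof
sigsum_output_path proof sub/artifact.bin.req "" out.proof 1   # out.proof
sigsum_output_path proof sub/artifact.bin.req "" out.proof 3   # sub/artifact.bin.proof
```

Knowing the proof path matters because of the rule that follows: if that .proof file already exists, sigsum-submit verifies it and skips the input when it is valid, so a re-run over the same directory is idempotent for already-logged files and fails loudly for a stale or corrupted proof.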
If a corresponding .proof file already exists, that proof is read and verified. If the proof is valid, the input file is skipped. If the proof is not valid, sigsum-submit exits with an error.
If a corresponding .req output file already exists, it is overwritten (TODO: Figure out if that is the proper behavior).
February 2024 sigsum-submit 0.7.2-1