Verify Evidence CLI
The Verify Evidence command provides client-side verification that the evidence related to a given subject has not been altered. Verification of artifact integrity is performed using a checksum (digest), and attestation signatures are validated using public keys.
This command can be run on a variety of evidence subjects, including artifacts, packages, builds, and Release Bundles. It requires you to define the evidence subject and the keys to use for verification.
Note
When working in a Federated environment, evidence can be verified only on those members that contain the public key. You must upload the public key manually to each Federation member.
Syntax
Artifact Evidence
jf evd verify --subject-repo-path <target-path> --public-keys <key-array>
Package Evidence
jf evd verify --package-name <package-name> --package-version <package-version> --public-keys <key-array>
Build Evidence
jf evd verify --build-name <build-name> --build-number <build-number> --public-keys <key-array>
Release Bundle v2 Evidence
jf evd verify --release-bundle <name> --release-bundle-version <version-number> --public-keys <key-array>
Command Parameters
| Parameter | Required/Optional | Type | Description |
|---|---|---|---|
| --public-keys | required (unless the | array:string | An array of public keys to use for signature verification, separated by ";". Supported key types: |
| | optional | string | The project key associated with the created evidence. |
| | optional | string | Enables extended output. Supported formats: |
| | optional | boolean | Default: false. When enabled, the command retrieves keys from Artifactory to perform verification. |
Artifact Command Parameters
| Parameter | Required/Optional | Type | Description |
|---|---|---|---|
| --subject-repo-path | optional | string | The full path to the evidence subject. |
Package Command Parameters
| Parameter | Required/Optional | Type | Description |
|---|---|---|---|
| --package-name | optional | string | The package name. |
| --package-repo-name | optional | string | The package repository name. |
| --package-version | optional | string | The package version. |
Build Command Parameters
| Parameter | Required/Optional | Type | Description |
|---|---|---|---|
| --build-name | optional | string | The build name. |
| --build-number | optional | string | The build number. |
Release Bundle Command Parameters
| Parameter | Required/Optional | Type | Description |
|---|---|---|---|
| --release-bundle | optional | string | The Release Bundle name. |
| --release-bundle-version | optional | string | The Release Bundle version. |
Sample Command
The following command verifies Sigstore bundle evidence on an artifact using keys retrieved from Artifactory.
Subject sha256: 4bf2da010af20d8ed0364caf14f90bcab22b312520c68b9a01bb3479ba9a742c
Subject: cli-sigstore-test/readme.txt
Loaded 3 evidence
Verification passed for 3 out of 3 evidence
- Evidence 1:
  - Media type: sigstore.bundle
  - Predicate type: in-toto
  - Evidence subject sha256: 4bf2da010af20d8ed0364caf14f90bcab22b312520c68b9a01bb3479ba9a742c
  - Key source: Sigstore Bundle Key
  - Sigstore verification status: success
- Evidence 2:
  - Media type: evidence.dsse
  - Predicate type: application/vnd.in-toto+json
  - Evidence subject sha256: 4bf2da010af20d8ed0364caf14f90bcab22b312520c68b9a01bb3479ba9a742c
  - Key source: User Provided Key
  - Key fingerprint: /IyvutGSsuTPykv+mGtG4sph4TGh3Cl4HRNxbEZo1z4=
  - Sha256 verification status: success
  - Signatures verification status: success
- Evidence 3:
  - Media type: evidence.dsse
  - Predicate type: vulnerability-scan
  - Evidence subject sha256: 4bf2da010af20d8ed0364caf14f90bcab22b312520c68b9a01bb3479ba9a742c
  - Key source: Artifactory Key
  - Key fingerprint: uz1SAgymeLMkH+lJ5ROCvbTCCnbwgUgy3zeDAR4J47k=
  - Sha256 verification status: success
  - Signatures verification status: success
See the Evidence JSON format output.
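As an added example (not part of the JFrog CLI or this page), the following Python gate parses a verification report in the layout shown above and fails a pipeline step unless every evidence verified, every entry binds to the same subject digest as the header, and a required predicate type is present. The report line layout and the "vulnerability-scan" policy are assumptions taken from the sample.

```python
import re

# Constructed sample in the report layout shown on this page (trimmed to two evidence entries).
SAMPLE_OUTPUT = """\
Subject sha256: 4bf2da010af20d8ed0364caf14f90bcab22b312520c68b9a01bb3479ba9a742c
Verification passed for 2 out of 2 evidence
- Evidence 1:
  - Predicate type: in-toto
  - Evidence subject sha256: 4bf2da010af20d8ed0364caf14f90bcab22b312520c68b9a01bb3479ba9a742c
  - Sigstore verification status: success
- Evidence 2:
  - Predicate type: vulnerability-scan
  - Evidence subject sha256: 4bf2da010af20d8ed0364caf14f90bcab22b312520c68b9a01bb3479ba9a742c
  - Sha256 verification status: success
  - Signatures verification status: success
"""

def parse_verify_output(text):
    """Turn the human-readable report into a dict; the line layout is assumed from the sample above."""
    report = {"subject_sha256": None, "passed": None, "total": None, "evidence": []}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Subject sha256:"):
            report["subject_sha256"] = line.split(":", 1)[1].strip()
        elif m := re.match(r"Verification passed for (\d+) out of (\d+) evidence", line):
            report["passed"], report["total"] = int(m.group(1)), int(m.group(2))
        elif re.fullmatch(r"- Evidence \d+:", line):
            current = {}  # start a new per-evidence record
            report["evidence"].append(current)
        elif current is not None and line.startswith("- ") and ":" in line:
            key, value = line[2:].split(":", 1)
            current[key.strip().lower()] = value.strip()
    return report

def gate(report, required_predicates=("vulnerability-scan",)):
    """(ok, reasons): all evidence must verify, bind to the subject digest, and cover each required predicate."""
    reasons = []
    if not report["total"] or report["passed"] != report["total"]:
        reasons.append("not all evidence passed verification")
    for i, ev in enumerate(report["evidence"], 1):
        if ev.get("evidence subject sha256") != report["subject_sha256"]:
            reasons.append(f"evidence {i}: subject digest mismatch")
        statuses = [v for k, v in ev.items() if k.endswith("verification status")]
        if not statuses or any(s != "success" for s in statuses):
            reasons.append(f"evidence {i}: verification status not success")
    found = {ev.get("predicate type") for ev in report["evidence"]}
    reasons += [f"missing required predicate: {p}" for p in required_predicates if p not in found]
    return not reasons, reasons
```

Feed the command's captured stdout to `parse_verify_output` and exit non-zero when `gate` returns `False`; the reasons list tells the pipeline operator which check rejected the subject.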