rekor-cli:tldr:e6c3f
The command rekor-cli upload is used to upload a software artifact to a transparency log called Rekor. Transparency logs are public and append-only data structures that store information about software artifacts to ensure they have not been tampered with.
Here is the breakdown of the command and its options:
- --artifact ${filename-ext}: This specifies the software artifact that you want to upload to Rekor. ${filename-ext} is a placeholder for the filename and extension of the artifact file. For example, if your artifact is named my_artifact.jar, you would replace ${filename-ext} with my_artifact.jar.
- --signature ${filename-ext-sig}: This option is used if you have a cryptographic signature file for your artifact. It specifies the signature file that corresponds to the artifact. ${filename-ext-sig} is a placeholder for the filename and extension of the signature file. For example, if your signature file is named my_artifact.jar.sig, you would replace ${filename-ext-sig} with my_artifact.jar.sig.
- --pki-format=${x509}: This option specifies the Public Key Infrastructure (PKI) format to use for the cryptographic operations. ${x509} is a placeholder for the specific PKI format you want to use, such as x509.
- --public-key=${path-to-key-pub}: This option is used if you have a public key file that corresponds to the private key used for signing the artifact. It specifies the path to the public key file. ${path-to-key-pub} is a placeholder for the actual path to the public key file.
By using this command and providing the necessary options and values, you can upload your software artifact, along with its cryptographic signature and public key, to the Rekor transparency log.
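Because the log is append-only, it is worth confirming that the signature verifies against the artifact and public key before creating an entry. The wrapper below is an added example, not part of rekor-cli or of the original page; the function name rekor_upload_checked and the REKOR_DRY_RUN variable are hypothetical, and it assumes openssl is installed and the signature was produced with openssl dgst -sha256 -sign.

```shell
#!/bin/sh
# Added example: verify locally, then upload with the options described above.
# rekor_upload_checked and REKOR_DRY_RUN are hypothetical names for illustration.

rekor_upload_checked() {
    artifact=$1
    sig=$2
    pubkey=$3

    # All three inputs must exist and be non-empty.
    for f in "$artifact" "$sig" "$pubkey"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty file: $f" >&2
            return 2
        fi
    done

    # Check the signature with the same public key that will be submitted.
    # Assumption: a SHA-256 signature made with `openssl dgst -sha256 -sign`.
    if ! openssl dgst -sha256 -verify "$pubkey" -signature "$sig" \
            "$artifact" >/dev/null 2>&1; then
        echo "signature does not verify; not uploading" >&2
        return 1
    fi

    # With REKOR_DRY_RUN=1, print the command for review and stop here.
    if [ "${REKOR_DRY_RUN:-0}" = 1 ]; then
        echo "rekor-cli upload --artifact $artifact --signature $sig --pki-format=x509 --public-key=$pubkey"
        return 0
    fi

    rekor-cli upload --artifact "$artifact" --signature "$sig" \
        --pki-format=x509 --public-key="$pubkey"
}
```

The function returns 2 for a missing input, 1 for a signature that does not verify, and otherwise the exit status of rekor-cli.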