SIGSUM-SUBMIT(1) | User Commands | SIGSUM-SUBMIT(1) |
NAME
sigsum-submit - create and/or submit add-leaf requests
SYNOPSIS
sigsum-submit [-v] [--diagnostics level] [--help] [-k file] [--leaf-hash] [-o file] [--output-dir directory] [-p file] [--raw-hash] [--timeout duration] [--token-domain value] [--token-signing-key file] [input files]
DESCRIPTION
--diagnostics=level
    One of "fatal", "error", "warning", "info", or "debug" [info]
--help
    Display help
-k, --signing-key=file
    Key for signing the leaf
--leaf-hash
    Output leaf hash
-o file
    Write output to file, instead of stdout
--output-dir=directory
    Directory for output files
-p, --policy=file
    Sigsum policy
--raw-hash
    Input is already hashed
--timeout=duration
    Per-log submission timeout. Zero means library default, currently 45s
--token-domain=value
    Create a Sigsum-Token: header for this domain
--token-signing-key=file
    Key for signing Sigsum-Token: header
-v, --version
    Display software version
Create and/or submit add-leaf request(s).

If no input files are listed on the command line, a single request is processed, reading from standard input and writing to standard output (or to the file specified with the -o option). See below for the processing of multiple files.

If a signing key (-k option) is specified, a new request is created by signing the SHA256 hash of the input (or, if --raw-hash is given, the input is the hash value itself, either exactly 32 octets or a hex string). The key file uses OpenSSH format; it must be either an unencrypted private key, or a public key, in which case the corresponding private key is accessed via ssh-agent.

If no signing key is provided, the input should instead be the body of an add-leaf request, which is parsed and verified.

If a Sigsum policy (-p option) is provided, the request is submitted to a log specified by the policy, and a Sigsum proof is collected and output. If the policy lists multiple logs, they are tried in randomized order.

With -k but without -p, the add-leaf request itself is output. With neither -k nor -p, the syntax and signature of the input request are verified, but there is no output.

The --leaf-hash option can be used to output the hash of the resulting leaf instead of submitting it.

If input files are provided on the command line, each file corresponds to one request, and the result is written to a corresponding output file, based on these rules:

1. If there is exactly one input file and the -o option is used, output is written to that file. Any existing file is overwritten.
2. For a request output, the suffix ".req" is added to the input file name.
3. For a proof output, if the input is a request, any ".req" suffix on the input file name is stripped. Then the suffix ".proof" is added.
4. If the --output-dir option is provided, any directory part of the input file name is stripped, and the output is written as a file in the specified output directory.

If a corresponding .proof file already exists, that proof is read and verified. If the proof is valid, the input file is skipped. If the proof is not valid, sigsum-submit exits with an error.

If a corresponding .req output file already exists, it is overwritten (TODO: Figure out if that is the proper behavior).
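As an added example, not taken from this man page or from the Sigsum project, the following POSIX shell script encodes the output-file naming rules above in a small helper and then walks through the documented steps: create a request with -k, verify it with neither -k nor -p, print the leaf hash with --leaf-hash, and submit with -p to collect a proof. The scratch key name, the artifact contents and the SIGSUM_POLICY environment variable are assumptions; only options documented above are used, and the live steps are skipped when sigsum-submit or ssh-keygen is not installed.

```shell
#!/bin/sh
# Added example; not part of sigsum-submit or the Sigsum project.
set -eu

# output_name INPUT KIND [OUTDIR]
# KIND is "req" (-k without -p: request output) or "proof" (-p given: proof
# output). Implements rules 2-4 from the man page: a request gets ".req"
# appended; a proof strips one ".req" suffix and appends ".proof"; with an
# output directory the directory part of INPUT is dropped and the file lands
# in OUTDIR. Rule 1 (-o with a single input file) is not modelled here.
output_name() {
    input=$1 kind=$2 outdir=${3:-}
    case $kind in
        req)   name="$input.req" ;;
        proof) name="${input%.req}.proof" ;;
        *)     echo "output_name: unknown kind '$kind'" >&2; return 1 ;;
    esac
    if [ -n "$outdir" ]; then
        name="$outdir/$(basename "$name")"
    fi
    printf '%s\n' "$name"
}

# Documented create / verify / hash / submit flow on a scratch artifact.
# Key file name, artifact content and SIGSUM_POLICY are assumptions.
demo() {
    for tool in sigsum-submit ssh-keygen; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool not on PATH; skipping live demo" >&2
            return 0
        fi
    done
    workdir=$(mktemp -d)
    # Unencrypted Ed25519 key in OpenSSH format, as -k expects.
    ssh-keygen -q -t ed25519 -N '' -f "$workdir/submit-key"
    printf 'constructed stand-in for a release artifact\n' > "$workdir/artifact"

    # -k without -p: sign the SHA256 hash of the file; rule 2 names the
    # output artifact.req next to the input.
    sigsum-submit -k "$workdir/submit-key" "$workdir/artifact"
    req=$(output_name "$workdir/artifact" req)

    # Neither -k nor -p: parse the request and verify its signature only.
    sigsum-submit < "$req"

    # Leaf hash of what would be submitted, instead of submitting it.
    sigsum-submit -k "$workdir/submit-key" --leaf-hash < "$workdir/artifact"

    # -p with a policy file (path assumed via SIGSUM_POLICY): submit the
    # request and collect a proof; rule 3 names the output artifact.proof.
    if [ -n "${SIGSUM_POLICY:-}" ] && [ -f "$SIGSUM_POLICY" ]; then
        sigsum-submit -p "$SIGSUM_POLICY" "$req"
        echo "proof written to $(output_name "$req" proof)"
    fi
    rm -rf "$workdir"
}

demo
```

Run the script as-is to exercise the offline-safe steps; set SIGSUM_POLICY to a policy file to perform the actual submission and obtain the .proof file. Re-running on the same inputs is where the .proof-exists rule above matters: a valid existing proof makes sigsum-submit skip the file rather than submit it again.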
October 2024 | sigsum-submit 0.9.1-1~bpo12+1 |