sigsum-submit - create and/or submit add-leaf requests

sigsum-submit [--diagnostics level] [--help] [-k file] [--leaf-hash] [-o file]
    [--output-dir directory] [-p file] [--raw-hash] [--timeout duration]
    [--token-domain value] [--token-signing-key file] [input files]
--diagnostics=level
    One of "fatal", "error", "warning", "info", or "debug" [info]

--help
    Display help

-k, --signing-key=file
    Key for signing the leaf

--leaf-hash
    Output leaf hash

-o file
    Write output to file, instead of stdout

--output-dir=directory
    Directory for output files

-p, --policy=file
    Sigsum policy

--raw-hash
    Input is already hashed

--timeout=duration
    Per-log submission timeout. Zero means library default, currently 45s

--token-domain=value
    Create a Sigsum-Token: header for this domain

--token-signing-key=file
    Key for signing Sigsum-Token: header
Create and/or submit add-leaf request(s).

If no input files are listed on the command line, a single request is
processed, reading from standard input and writing to standard output (or to
the file specified with the -o option). See further below for the processing
of multiple files.

If a signing key (-k option) is specified, a new request is created by signing
the SHA256 hash of the input (or, if --raw-hash is given, the input is the hash
value itself, either exactly 32 octets or a hex string). The key file uses
OpenSSH format; it must be either an unencrypted private key or a public key,
in which case the corresponding private key is accessed via ssh-agent.

If no signing key is provided, the input should instead be the body of an
add-leaf request, which is parsed and verified.

If a Sigsum policy (-p option) is provided, the request is submitted to the
log specified by the policy, and a Sigsum proof is collected and output. If
there are multiple logs in the policy, they are tried in randomized order.

With -k but without -p, the add-leaf request itself is output. With no -k and
no -p, the request syntax and signature of the input request are verified, but
there is no output.

The --leaf-hash option can be used to output the hash of the resulting leaf,
instead of submitting it.

If input files are provided on the command line, each file corresponds to one
request, and the result is written to a corresponding output file, based on
these rules:
1. If there is exactly one input file and the -o option is used, output is
   written to that file. Any existing file is overwritten.

2. For a request output, the suffix ".req" is added to the input file name.

3. For a proof output, if the input is a request, any ".req" suffix on the
   input file name is stripped. Then the suffix ".proof" is added.

4. If the --output-dir option is provided, any directory part of the input
   file name is stripped, and the output is written as a file in the
   specified output directory.
- If a corresponding .proof file already exists, that proof is read and
verified. If the proof is valid, the input file is skipped. If the proof
is not valid, sigsum-submit exits with an error.
- If a corresponding .req output file already exists, it is overwritten
(TODO: Figure out if that is the proper behavior).
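As an added example that is not part of sigsum-submit or its documentation, the POSIX sh script below models the output-file naming rules above in a standalone function and walks through the offline -k, --leaf-hash and --raw-hash paths (no -p, so no log is contacted). The message, key path and file names are constructed, and the walk-through assumes sigsum-submit and ssh-keygen are installed.

```shell
#!/bin/sh
# Added example, not part of sigsum-submit itself: a POSIX sh model of the
# output-file naming rules above plus a constructed offline walk-through of the
# -k / --leaf-hash / --raw-hash paths (no -p, so no log is ever contacted).

# sigsum_output_path MODE INPUT [OUTPUT_DIR]
# MODE is "req" (request output: -k without -p) or "proof" (proof output: -p).
# Rule 1 (-o with exactly one input file) needs no computation: the -o file is
# used as is, so it is left to the caller.
sigsum_output_path() {
    mode=$1 input=$2 outdir=${3:-}
    case $mode in
        req)   out="$input.req" ;;              # rule 2: append ".req"
        proof) out="${input%.req}.proof" ;;     # rule 3: strip ".req", append ".proof"
        *)     echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    if [ -n "$outdir" ]; then                   # rule 4: drop the directory part,
        out="${outdir%/}/${out##*/}"            # place the file in --output-dir
    fi
    printf '%s\n' "$out"
}

# Constructed walk-through; needs sigsum-submit and ssh-keygen on PATH.
# Run with:  sh sigsum-submit-example.sh demo
sigsum_demo() {
    work=$(mktemp -d)
    printf 'hello sigsum\n' > "$work/msg.txt"
    # Unencrypted Ed25519 key in OpenSSH format, as -k expects (no ssh-agent needed).
    ssh-keygen -q -t ed25519 -N '' -f "$work/submit-key"
    # -k without -p: sign the SHA256 hash of msg.txt and write the add-leaf
    # request to msg.txt.req (rule 2 above).
    sigsum-submit -k "$work/submit-key" "$work/msg.txt"
    # No -k and no -p: the request is parsed and verified; success prints nothing.
    sigsum-submit "$work/msg.txt.req" && echo "msg.txt.req verified"
    # --leaf-hash on stdin: print the hash of the resulting leaf to stdout
    # instead of submitting it.
    sigsum-submit -k "$work/submit-key" --leaf-hash < "$work/msg.txt"
    # --raw-hash: feed the SHA256 hex digest instead of the message. Ed25519
    # signing is deterministic, so this prints the same leaf hash as above.
    sha256sum "$work/msg.txt" | cut -d' ' -f1 |
        sigsum-submit -k "$work/submit-key" --raw-hash --leaf-hash
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then sigsum_demo; fi
```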