npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

@sigstore/cli

v0.8.1

Published

Sigstore CLI

Downloads

25,116

Readme

@sigstore/cli

CLI for creating and verifying Sigstore bundles.

Usage

$ npm install -g @sigstore/cli
$ sigstore COMMAND
running command...
$ sigstore (--version)
@sigstore/cli/0.8.1 linux-x64 node-v18.17.0
$ sigstore --help [COMMAND]
USAGE
  $ sigstore COMMAND
...

Commands

sigstore attach IMAGE-URI

attach an attestation to a container image

USAGE
  $ sigstore attach IMAGE-URI --attestation <value> [-u <value> -p <value>]

ARGUMENTS
  IMAGE-URI  fully qualified URI to the image

FLAGS
  -p, --password=<value>     password for the registry
  -u, --username=<value>     username for the registry
      --attestation=<value>  (required) attestation bundle to attach

DESCRIPTION
  attach an attestation to a container image

EXAMPLES
  $ sigstore attach --attestation <file> <name>{:<tag>|@<digest>}

sigstore attest FILE

attest the supplied file

USAGE
  $ sigstore attest FILE [--json] [--fulcio-url <value>] [--rekor-url <value>] [--tsa-server-url <value>]
    [--tlog-upload] [--oidc-client-id <value>] [--oidc-client-secret <value>] [--oidc-issuer <value>]
    [--oidc-redirect-url <value>] [-t <value>] [-o <value>] [--timeout <value>]

ARGUMENTS
  FILE  file to attest

FLAGS
  -o, --output-file=<value>         write output to file
  -t, --payload-type=<value>        [default: application/vnd.in-toto+json] MIME or content type to apply to the DSSE
                                    envelope
      --fulcio-url=<value>          [default: https://fulcio.sigstore.dev] URL to the Sigstore PKI server
      --oidc-client-id=<value>      [default: sigstore] OIDC client ID for application
      --oidc-client-secret=<value>  OIDC client secret for application
      --oidc-issuer=<value>         [default: https://oauth2.sigstore.dev/auth] OIDC provider to be used to issue ID
                                    token
      --oidc-redirect-url=<value>   OIDC redirect URL
      --rekor-url=<value>           [default: https://rekor.sigstore.dev] URL to the Rekor transparency log
      --timeout=<value>             [default: 5] timeout in seconds for API requests
      --[no-]tlog-upload            whether or not to upload entry to the transparency log
      --tsa-server-url=<value>      URL to the Timestamping Authority

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  attest the supplied file

EXAMPLES
  $ sigstore attest ./statement.json

sigstore help [COMMAND]

Display help for sigstore.

USAGE
  $ sigstore help [COMMAND...] [-n]

ARGUMENTS
  COMMAND...  Command to show help for.

FLAGS
  -n, --nested-commands  Include all nested commands in the output.

DESCRIPTION
  Display help for sigstore.

sigstore initialize

initialize the Sigstore TUF root to retrieve trusted certificates and keys for verification

USAGE
  $ sigstore initialize [--mirror <value>] [--root <value>] [--cache-path <value>] [--force]

FLAGS
  --cache-path=<value>  Absolute path to the directory to be used for caching downloaded TUF metadata and targets
  --force               force initialization even if the cache already exists
  --mirror=<value>      [default: https://tuf-repo-cdn.sigstore.dev] URL to the Sigstore TUF repository
  --root=<value>        path to the initial trusted root. Defaults to the embedded root.

DESCRIPTION
  initialize the Sigstore TUF root to retrieve trusted certificates and keys for verification

ALIASES
  $ sigstore init

EXAMPLES
  $ sigstore initialize

sigstore verify BUNDLE

verify the supplied .sigstore bundle file

USAGE
  $ sigstore verify BUNDLE [--json] [--tlog-threshold <value>] [--ctlog-threshold <value>]
    [--certificate-identity-email <value> --certificate-issuer <value>] [--certificate-identity-uri <value> ]
    [--tuf-mirror-url <value>] [--tuf-root-path <value>] [--tuf-cache-path <value>] [--tuf-force-cache] [--blob-file
    <value> | --blob <value>]

ARGUMENTS
  BUNDLE  bundle to verify

FLAGS
  --blob=<value>                        Base64 encoded data to verify. Only required if bundle was not signed using
                                        attest
  --blob-file=<value>                   File containing data to verify. Only required if bundle was not signed using
                                        attest
  --certificate-identity-email=<value>  Email address which must appear in the signing certificate's Subject Alternative
                                        Name (SAN) extension. Not verified if no value is supplied
  --certificate-identity-uri=<value>    URI which must appear in the signing certificate's Subject Alternative Name
                                        (SAN) extension. Not verified if no value is supplied
  --certificate-issuer=<value>          Value that must appear in the signing certificate's issuer extension (OID
                                        1.3.6.1.4.1.57264.1.1 or 1.3.6.1.4.1.57264.1.8). Not verified if no value is
                                        supplied
  --ctlog-threshold=<value>             [default: 1] number of certificate transparency log entries required to verify
  --tlog-threshold=<value>              [default: 1] number of transparency log entries required to verify
  --tuf-cache-path=<value>              Absolute path to the directory to be used for caching downloaded TUF metadata
                                        and targets
  --tuf-force-cache                     Whether to give precedence to cached, un-expired TUF metadata and targets over
                                        remote versions
  --tuf-mirror-url=<value>              Base URL for the Sigstore TUF repository
  --tuf-root-path=<value>               Path to the initial trust root for the TUF repository

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  verify the supplied .sigstore bundle file

EXAMPLES
  $ sigstore verify ./bundle.sigstore