Evidence Service
Overview
This page describes how to use the JFrog CLI to create external evidence files, which are then deployed to Artifactory. You can create evidence for:
Artifacts
Packages
Builds
Release Bundles v2
Note
The Evidence service requires Artifactory 7.104.2 or above.
The ability to create external evidence files and deploy them to Artifactory requires an Enterprise+ subscription.
In the current release, an evidence file can be signed with one key only.
For more information about the API used for deploying evidence to Artifactory, see Deploy Evidence.
Authentication
To deploy external evidence, use an access token or the web login mechanism for authentication. Basic authentication (username/password) is not supported.
Syntax
JFrog CLI uses the following syntax for creating evidence:
Artifact Evidence
Package Evidence
Build Evidence
Release Bundle v2 Evidence
Command parameters
--predicate file-path
Mandatory field. Defines the path to a locally-stored, arbitrary JSON file that contains the predicates.
--predicate-type predicate-type-uri
Mandatory field. The type of predicate defined by the JSON file. Sample predicate type URIs include:
--key local-private-key-path
Optional path to a private key (see Tip below). Supported key types include:
Tip
You can define the key using the JFROG_CLI_SIGNING_KEY environment variable as an alternative to using the --key command parameter. If the environment variable is not defined, the --key command parameter is mandatory.
Note
Two key formats are supported: PEM and SSH
--key-alias
--key-alias RSA-1024
Optional case-sensitive name for the public key created from the private key. The public key is used to verify the DSSE envelope that contains the evidence. If the key-alias is included, DSSE verification will fail if a key with the same name is not found in Artifactory. If the key-alias is not included, DSSE verification with the public key is not performed during creation.
Tip
You can define a key alias using the JFROG_CLI_KEY_ALIAS environment variable as an alternative to using the --key-alias command parameter.
Note
In the unlikely event the public key is deleted from Artifactory, it may take up to 4 hours for the Evidence service to clear the key from the cache. Evidence can still be signed with the deleted key during this time.
--markdown md-file
Optional path to a file that contains evidence formatted in markdown.
Artifact command parameters
--subject-repo-path target-path
Mandatory field. Each evidence file must have a single subject only and must include the path.
--subject-sha256 digest
Optional digest (sha256) of the artifact.
If a digest is provided, it is verified against the subject's sha256 as it appears in Artifactory.
If a digest is not provided, the sha256 is taken from the path in Artifactory.
Package command parameters
--package-name name
Mandatory field.
--package-version version-number
Mandatory field.
--package-repo-key repo-name
Mandatory field.
Build command parameters
--build-name name
Mandatory field unless environment variables are used (see Tip below).
--build-number version-number
Mandatory field unless environment variables are used (see Tip below).
Tip
You can use the JFROG_CLI_BUILD_NAME and JFROG_CLI_BUILD_NUMBER environment variables as an alternative to the build command parameters.
Release Bundle v2 command parameters
--release-bundle name
Mandatory field.
--release-bundle-version version-number
Mandatory field.
Note
When DSSE verification is successful, the following message is displayed:
When DSSE verification is unsuccessful, the following message is displayed:
Sample commands
Artifact Evidence Sample
In the sample above, the command creates a signed evidence file with a predicate type of SLSA provenance for an artifact named file.txt.
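As an added example (not JFrog's own code) of putting the general and artifact parameters together, the following POSIX shell helper assembles the artifact command, applies the JFROG_CLI_SIGNING_KEY and JFROG_CLI_KEY_ALIAS fallbacks, and pins the subject with a locally computed digest so Artifactory checks it against the stored file. It assumes the CLI entry point is jf evd create and, in its sample values, the SLSA provenance predicate type URI; the repository path and key file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not JFrog's own code. Assumes the CLI entry point `jf evd create`.

# sha256 hex digest of a local file (sha256sum on Linux, shasum on macOS).
digest_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Usage: evd_artifact_cmd LOCAL_FILE SUBJECT_REPO_PATH PREDICATE_JSON PREDICATE_TYPE_URI [KEY_PATH] [KEY_ALIAS]
# Prints the assembled command on stdout; returns 1 when a mandatory input is missing.
evd_artifact_cmd() {
  local_file=$1 repo_path=$2 predicate=$3 ptype=$4 key_path=${5:-} key_alias=${6:-}

  # --predicate and --predicate-type are mandatory; the predicate must be a local JSON file.
  [ -f "$local_file" ] || { echo "artifact not found: $local_file" >&2; return 1; }
  [ -f "$predicate" ] || { echo "predicate file not found: $predicate" >&2; return 1; }
  [ -n "$ptype" ] || { echo "predicate type URI is required" >&2; return 1; }
  # --key is mandatory unless JFROG_CLI_SIGNING_KEY is set; in that case the CLI reads
  # the key from the environment and the parameter is omitted.
  if [ -z "$key_path" ] && [ -z "${JFROG_CLI_SIGNING_KEY:-}" ]; then
    echo "no --key given and JFROG_CLI_SIGNING_KEY is unset" >&2
    return 1
  fi

  cmd="jf evd create --predicate $predicate --predicate-type $ptype"
  # Pin the subject: with --subject-sha256 Artifactory verifies the digest of the local
  # file against the stored artifact instead of trusting the path alone.
  cmd="$cmd --subject-repo-path $repo_path --subject-sha256 $(digest_of "$local_file")"
  if [ -n "$key_path" ]; then
    cmd="$cmd --key $key_path"
  fi
  # --key-alias is optional; without it (or JFROG_CLI_KEY_ALIAS) DSSE verification
  # against the public key in Artifactory is skipped at creation time.
  if [ -n "$key_alias" ]; then
    cmd="$cmd --key-alias $key_alias"
  fi
  printf '%s\n' "$cmd"
}
```

Pass the printed string to eval, or call jf directly with the same arguments, from a CI step that already holds an access token.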
Package Evidence Sample
Build Evidence Sample
Release Bundle v2 Evidence Sample