Sign, verify, and manage keys for snapshot attestation.
Subcommands:
sign Sign a snapshot's assets with an Ed25519 private key
verify Verify an attested snapshot against a public key
keygen Generate a new Ed25519 key pair
Exit Codes:
0 Operation succeeded
2 Invalid input
3 Verification failed
Usage:
stave attest [command]
Available Commands:
keygen Generate a new Ed25519 key pair for snapshot attestation
sign Sign a snapshot's assets with an Ed25519 private key
verify Verify an attested snapshot against a public key
Flags:
-h, --help help for attest
Global Flags:
--allow-symlink-output Allow writing output through symlinks (default: refuse)
--force Allow overwriting existing output files
--log-file string Write logs to file (default: stderr)
--log-format string Log format: text|json (default "text")
--log-level string Log level: debug|info|warn|error (overrides -v)
--log-timestamps Include timestamps in logs (breaks determinism)
--log-timings Include timing information (breaks determinism)
--no-color Disable ANSI colors in output
--path-mode string Path rendering in errors/logs: base (basename only) or full (absolute paths) Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--quiet Suppress output (exit code only) Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--require-offline Assert offline operation: fail if proxy env vars (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY) are set
--sanitize Sanitize infrastructure identifiers (bucket names, ARNs, policies) from output Resolved default may come from STAVE_* env vars, stave.yaml, user config, or built-in.
--strict Enable strict integrity checks for embedded registries and references
-v, --verbose count Increase verbosity (-v=INFO, -vv=DEBUG)
-y, --yes Auto-confirm all interactive prompts (distinct from --force which controls file overwriting)
Use "stave attest [command] --help" for more information about a command.