mkit attest — produce a signed DSSE attestation for a commit.
mkit attest [--commit <hash>] [--algorithm ed25519|secp256k1|p256]
            [--signer repo-key|external|keystore]
            [--predicate-type <URI>] [--predicate-file <path>]
            [--external-signer-arg <V>]...
            [--additional-signer "<spec>"]...

--external-signer-arg is repeatable; each instance adds one
argv token to the external signer subprocess. If any are passed,
they REPLACE (not append to) attest.external_signer_args from
.mkit/config — per-invocation override for “sign with tag X
this one time” that avoids shell-quoting hell.
Defaults:

--commit — HEAD.
--algorithm — attest.default_algorithm in config, else ed25519.
--signer — attest.signer in config, else repo-key.
--predicate-type — https://github.com/officialunofficial/mkit/spec/predicate/empty/v1.
--predicate-file — omitted ⇒ {}.
Multi-signature envelopes are produced by passing one or more
--additional-signer flags after the primary signer. Each spec is
a comma-separated key=value list:
--additional-signer "algorithm=<algo>,signer=<kind>[,path=<file-or-binary>][,args=<a>|<b>|<c>]"

The optional args= clause is pipe-separated (commas would clash
with the outer key=value separator) and applies only when
signer=external. Each pipe-separated token becomes one argv
entry for the child process, same as --external-signer-arg on
the primary signer.
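As an added example (not mkit's own code), a Rust parser for the --additional-signer spec format described above: comma-separated key=value fields with a pipe-separated args= clause. The struct and function names are assumptions, and so is the choice to reject args= on a non-external signer rather than ignore it; the text only says the clause applies to signer=external.

```rust
// Added example, not mkit's code: parse one --additional-signer spec.
// Type and function names are assumed.
#[derive(Debug, PartialEq)]
pub struct AdditionalSigner {
    pub algorithm: String,
    pub signer: String,
    pub path: Option<String>,
    pub args: Vec<String>,
}

pub fn parse_additional_signer(spec: &str) -> Result<AdditionalSigner, String> {
    let mut algorithm = None;
    let mut signer = None;
    let mut path = None;
    let mut args = Vec::new();
    for field in spec.split(',') {
        // Split on the first '=' only, so a value may itself contain '='.
        let (key, value) = field
            .split_once('=')
            .ok_or_else(|| format!("field `{field}` is not key=value"))?;
        match key.trim() {
            "algorithm" => algorithm = Some(value.to_string()),
            "signer" => signer = Some(value.to_string()),
            "path" => path = Some(value.to_string()),
            // args= is pipe-separated because commas belong to the outer separator;
            // each token becomes one argv entry for the external signer subprocess.
            "args" => args = value.split('|').map(str::to_string).collect(),
            other => return Err(format!("unknown key `{other}`")),
        }
    }
    let algorithm = algorithm.ok_or("missing algorithm=")?;
    let signer = signer.ok_or("missing signer=")?;
    if !["ed25519", "secp256k1", "p256"].contains(&algorithm.as_str()) {
        return Err(format!("unsupported algorithm `{algorithm}`"));
    }
    if !["repo-key", "external", "keystore"].contains(&signer.as_str()) {
        return Err(format!("unsupported signer `{signer}`"));
    }
    // Assumption of this example: args= on a non-external signer is a hard error,
    // so a misconfigured spec cannot silently drop the tokens the operator passed.
    if !args.is_empty() && signer != "external" {
        return Err("args= is only valid with signer=external".to_string());
    }
    Ok(AdditionalSigner { algorithm, signer, path, args })
}
```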
Signers are invoked in order (primary first, then each
--additional-signer as they appear on the command line) and the
resulting {keyid, sig} tuples are written into one envelope in
that same order. Any signer failure aborts the attest — no
partial envelopes are written to disk.
On success, prints the att-id (64 hex chars) and exits 0.