Synopsis

fcli ssc action sign [-y] [-p[=<privateKeyPassword>]] --in=<actionFileToSign> [--info=<extraInfoPath>] --out=<signedActionFile> [--pubout=<publicKeyPath>] [--signer=<signer>] --with=<privateKeyPath> [[-h] [--env-prefix=<prefix>] [--log-file=<logFile>] [--log-level=<logLevel>] [--log-mask=<level>] [--debug]] [[-o=<type+args>] [--style=<style>,…]… [--to-file=<outputFile>]]

Description

This command signs custom actions so that they can be run without confirmation, provided the corresponding public key has been imported through the fcli config public-key import command or is passed in the --pubkey option on the various action commands. The action to be signed must be a local file.

This command requires an existing private key for signing; fcli will not generate private keys. Private keys must be generated using OpenSSL or similar tools. Only RSA keys in PEM format are supported. For encrypted private keys, only a limited set of encryption schemes is supported. AES-256 encryption is recommended; it is supported by both native fcli executables and the .jar version of fcli (the latter requires Java 19 or above for AES-encrypted private keys).

To generate a private key using OpenSSL:

Unencrypted: openssl genpkey -algorithm RSA -out private-key.pem -pkeyopt rsa_keygen_bits:2048

Encrypted: openssl genpkey -algorithm RSA -out private-key.pem -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc

To extract the corresponding public key for distribution:

openssl rsa -in private-key.pem -pubout -out public-key.pem

Alternatively, use the --pubout option to output the public key when signing. Note that public keys are not automatically added to the fcli trusted public key store; you must import the public key using the fcli config public-key import command.
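
The key preparation steps above, combined with two checks worth running before signing, as an added example that is not part of the fcli documentation: that the file given to --with is a PEM-encoded RSA key, and that the public key being distributed matches it. SIGN_KEY_PASS, the function names and the file paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the fcli docs. Assumed names: SIGN_KEY_PASS (passphrase
# environment variable), the function names, and the file paths passed to them.

# Page's "Encrypted" key-generation command; the passphrase is read from the
# environment (-pass env:) and the file is created owner-readable only.
gen_signing_key() {            # $1 = private key path
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -aes-256-cbc -pass env:SIGN_KEY_PASS -out "$1" )
}

# Page's public-key extraction command.
extract_public_key() {         # $1 = private key, $2 = public key output
    openssl rsa -in "$1" -passin env:SIGN_KEY_PASS -pubout -out "$2" 2>/dev/null
}

# True only for a PEM file holding an RSA private key that SIGN_KEY_PASS unlocks.
is_rsa_pem_key() {             # $1 = private key path
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
        openssl rsa -in "$1" -passin env:SIGN_KEY_PASS -noout -check >/dev/null 2>&1
}

# True when the public key file is the counterpart of the private key, so the
# key handed to 'fcli config public-key import' verifies what --with signed.
pubkey_matches() {             # $1 = private key, $2 = public key file
    from_priv=$(openssl rsa -in "$1" -passin env:SIGN_KEY_PASS -pubout 2>/dev/null) || return 1
    from_pub=$(openssl rsa -pubin -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_priv" ] && [ "$from_priv" = "$from_pub" ]
}

# Sign only after both checks pass. -p= places the passphrase in fcli's
# argument list, which other local users can read from the process table.
sign_action() {                # $1 = action YAML, $2 = signed output, $3 = private key, $4 = public key
    is_rsa_pem_key "$3"      || { echo "unusable signing key: $3" >&2; return 2; }
    pubkey_matches "$3" "$4" || { echo "public key does not match: $4" >&2; return 3; }
    command -v fcli >/dev/null 2>&1 || { echo "fcli not on PATH" >&2; return 127; }
    fcli ssc action sign --in="$1" --out="$2" --with="$3" -p="$SIGN_KEY_PASS"
}
```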

Options

--in=<actionFileToSign>

Action YAML file to sign.

--info=<extraInfoPath>

YAML file containing informational properties to be added to signature metadata. For example, this can be used to document where the public key can be retrieved from, or some extra information about the action being signed.

--out=<signedActionFile>

Signed action output file.

-p, --password[=<privateKeyPassword>]

Private key password (if the private key is encrypted).

--pubout=<publicKeyPath>

Optional public key output file. Use this to extract the public key from the private key for distribution.

--signer=<signer>

Free-format text string describing who signed this action, for example a person, team or organization name. If not specified, signer will be taken from a property named 'signer' in the file specified with the --info option if available, otherwise the current user name will be used as the signer.

--with=<privateKeyPath>

PEM file containing the private key used for signing. The private key must already exist; fcli will not generate keys.

-y, --confirm

Confirm overwriting existing output file.

-o, --output=<type+args>

Select output type (csv, table, expr, json, xml, yaml) and optional type arguments.

--store=<var>[:<prop>]

Store JSON results in an fcli variable for later reference.

--style=<style>,…

Select output style: header, no-header, pretty, no-pretty, flat, no-flat, array, single, border, no-border, md-border, wrap, no-wrap, fast-output, no-fast-output.

--to-file=<outputFile>

Write output to the specified file.

--debug

Enable collection of debug logs.

--env-prefix=<prefix>

Prefix for resolving default option values. Default value: FCLI_DEFAULT.

-h, --help

Use 'fcli [command] -h' to display help for fcli (sub-)commands.

--log-file=<logFile>

Write log output to file. Default: ./fcli.log if logging is enabled.

--log-level=<logLevel>

Set logging level: TRACE, DEBUG, INFO, WARN, ERROR, NONE.

--log-mask=<level>

Log mask level: high, medium, low, none. Default: medium. Masking is done on a best-effort basis; no guarantee that all sensitive data will be masked.