Synopsis
fcli ssc action sign [-y] [-p[=<privateKeyPassword>]] --in=<actionFileToSign> [--info=<extraInfoPath>] --out=<signedActionFile> [--pubout=<publicKeyPath>] [--signer=<signer>] --with=<privateKeyPath> [[-h] [--env-prefix=<envPrefix>] [--log-file=<logFile>] [--log-level=<logLevel>]] ] [--store=_variableName[: _ <propertyNames>]] [--to-file=<outputFile>_]]
Description
This command allows for signing custom actions, allowing those actions to be run without confirmation if the corresponding public key has been imported through the fcli config public-key import
command or passed in the --pubkey
option on various action commands. The action to be signed must be a local file.
This command can use an existing private key for signing, or generate a new key pair if the private key file as specified through the --with
option doesn’t yet exist and --pubout
is specified to output the corresponding public key.
Private keys may also be generated using OpenSSL or similar tools, but note that only RSA keys in PEM format are supported, and only a small set of encryption schemes are supported for encrypted private keys. It is recommended to use AES encryption, which is supported by both native fcli executables and the .jar version of fcli. The latter requires Java 19 or above though to handle AES-encrypted private keys. Following is a sample OpenSSL command for generating an encrypted private key that’s supported by fcli for signing: openssl genpkey -algorithm rsa -out private-key.pem -aes256
For convenience, when using a pre-existing private key, the --pubout
option allows for outputting the corresponding public key for use by the fcli config public-key import
command. Note that public keys will not be automatically added to the fcli trusted public key store; even if this command generates a key pair on the fly, you’ll still need to import the generated public key using the fcli config public-key import
command.
Options
- --in=<actionFileToSign>
-
Action YAML file to sign.
- --info=<extraInfoPath>
-
YAML file containing informational properties to be added to signature metadata. For example, this can be used to document where the public key can be retrieved from, or some extra information about the action being signed.
- --out=<signedActionFile>
-
Signed action output file.
- -p, --password[=<privateKeyPassword>]
-
Private key password.
- --pubout=<publicKeyPath>
-
Public key output file. This option is required when generating a new key pair (if given private key doesn’t exist), and may optionally be used for outputting the public key if an already existing private key is being used.
- --signer=<signer>
-
Free-format text string describing who signed this action, for example a person, team or organization name. If not specified, signer will be taken from a property named 'signer' in the file specified with the --info option if available, otherwise the current user name will be used as the signer.
- --with=<privateKeyPath>
-
PEM file containing private key used for signing.
- -y, --confirm
-
Confirm overwriting existing output file.
Output options
- -o, --output=format[=<options>]
-
Specify output format and options. Available output formats: csv, csv-plain, json, json-flat, table, table-plain, tree, tree-flat, xml, xml-flat, yaml, yaml-flat, expr, json-properties. The 'expr' output format takes a string containing '{property}' placeholders, other output formats take an optional, comma-separated list of properties to include in the output. Use '-o json-properties' on the current command to see available properties.
- --store=variableName[:<propertyNames>]
-
Store the JSON results of this command in a variable. Variables can be managed through the 'fcli util variable' command, and can be referenced using ::variable::[property] on any subsequent command.
- --to-file=<outputFile>
-
Write command output to the specified file instead of stdout.
Generic fcli options
- --env-prefix=<envPrefix>
-
Environment variable prefix for resolving default option and parameter values. Default value is FCLI_DEFAULT.
- -h, --help
-
Show this help message and exit. Use 'fcli <command> -h' to display help for subcommands.
- --log-file=<logFile>
-
File where logging data will be written. Defaults to fcli.log in current directory if --log-level is specified.
- --log-level=<logLevel>
-
Set logging level. Note that DEBUG and TRACE levels may result in sensitive data being written to the log file. Allowed values: TRACE, DEBUG, INFO, WARN, ERROR.