Synopsis
fcli action sign [-y] [-p[=<privateKeyPassword>]] --in=<actionFileToSign> [--info=<extraInfoPath>] --out=<signedActionFile> [--pubout=<publicKeyPath>] [--signer=<signer>] --with=<privateKeyPath> [[-h] [--env-prefix=<prefix>] [--log-file=<logFile>] [--log-level=<logLevel>] [--log-mask=<level>] [--debug]] [[-o=<type+args>] [--style=<style>,…]… [--to-file=<outputFile>]]
Description
This command allows for signing custom actions, allowing those actions to be run without confirmation if the corresponding public key has been imported through the fcli config public-key import command or passed in the --pubkey option on various action commands. The action to be signed must be a local file.

This command can use an existing private key for signing, or generate a new key pair if the private key file as specified through the --with option doesn’t yet exist and --pubout is specified to output the corresponding public key.

Private keys may also be generated using OpenSSL or similar tools, but note that only RSA keys in PEM format are supported, and only a small set of encryption schemes are supported for encrypted private keys. It is recommended to use AES encryption, which is supported by both native fcli executables and the .jar version of fcli. The latter requires Java 19 or above though to handle AES-encrypted private keys. Following is a sample OpenSSL command for generating an encrypted private key that’s supported by fcli for signing:

openssl genpkey -algorithm rsa -out private-key.pem -aes256

For convenience, when using a pre-existing private key, the --pubout option allows for outputting the corresponding public key for use by the fcli config public-key import command. Note that public keys will not be automatically added to the fcli trusted public key store; even if this command generates a key pair on the fly, you’ll still need to import the generated public key using the fcli config public-key import command.
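The sign-and-import workflow described above, as an added example that is not part of the fcli documentation: a POSIX sh wrapper that checks the private key's PEM headers against the constraints stated here (RSA key in PEM format, AES if encrypted) before calling fcli action sign, and reminds you that the public key still has to be imported. The FCLI_ACTION_KEY_PASSWORD variable name and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not fcli's own code): preflight the private key, then run
# "fcli action sign" with the options described in this page.
set -eu

# Classify a PEM private key from its textual headers. Prints one of:
#   absent, pkcs1-plain, pkcs1-aes, pkcs1-other-cipher, pkcs8-plain,
#   pkcs8-encrypted, unsupported
# A PKCS#8 encrypted key (what "openssl genpkey ... -aes256" produces) keeps
# the cipher inside the DER body, so headers alone cannot confirm AES there.
key_kind() {
  f="$1"
  [ -f "$f" ] || { echo absent; return 0; }
  if grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$f"; then
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$f"; then
      if grep -q -e '^DEK-Info: AES-' "$f"; then echo pkcs1-aes; else echo pkcs1-other-cipher; fi
    else
      echo pkcs1-plain
    fi
  elif grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
    echo pkcs8-encrypted
  elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$f"; then
    echo pkcs8-plain
  else
    echo unsupported   # e.g. OpenSSH-format, EC or DER-encoded keys
  fi
}

# sign_action ACTION SIGNED KEY PUB [INFO]
# If KEY does not exist, fcli generates a new key pair (--pubout is required
# for that). The key password comes from FCLI_ACTION_KEY_PASSWORD (assumed name).
sign_action() {
  action="$1"; signed="$2"; key="$3"; pub="$4"; info="${5:-}"
  kind=$(key_kind "$key")
  case "$kind" in
    unsupported|pkcs1-other-cipher)
      echo "refusing $key ($kind): fcli needs an RSA PEM key, AES-encrypted if encrypted" >&2
      return 1 ;;
  esac
  set -- --in="$action" --out="$signed" --with="$key" --pubout="$pub" -y
  if [ -n "$info" ]; then set -- "$@" --info="$info"; fi
  case "$kind" in
    pkcs1-aes|pkcs8-encrypted) set -- "$@" -p="${FCLI_ACTION_KEY_PASSWORD:?set the key password}" ;;
  esac
  fcli action sign "$@"
  # Signing does not trust the key: the public key must still be imported.
  echo "signed $signed; import $pub with 'fcli config public-key import' before running it"
}
```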
Options
- --in=<actionFileToSign>
  Action YAML file to sign.
- --info=<extraInfoPath>
  YAML file containing informational properties to be added to signature metadata. For example, this can be used to document where the public key can be retrieved from, or some extra information about the action being signed.
- --out=<signedActionFile>
  Signed action output file.
- -p, --password[=<privateKeyPassword>]
  Private key password.
- --pubout=<publicKeyPath>
  Public key output file. This option is required when generating a new key pair (if the given private key doesn’t exist), and may optionally be used for outputting the public key if an already existing private key is being used.
- --signer=<signer>
  Free-format text string describing who signed this action, for example a person, team or organization name. If not specified, the signer will be taken from a property named 'signer' in the file specified with the --info option if available; otherwise the current user name will be used as the signer.
- --with=<privateKeyPath>
  PEM file containing the private key used for signing.
- -y, --confirm
  Confirm overwriting an existing output file.
Output options (also see documentation link below)
- -o, --output=<type+args>
  Select output type (csv, table, expr, json, xml, yaml) and optional type arguments.
- --store=<var>[:<prop>]
  Store JSON results in an fcli variable for later reference.
- --style=<style>,…
  Select output style: header, no-header, pretty, no-pretty, flat, no-flat, array, single, border, no-border, md-border.
- --to-file=<outputFile>
  Write output to the specified file.
Generic fcli options (also see documentation link below)
- --debug
  Enable collection of debug logs.
- --env-prefix=<prefix>
  Prefix for resolving default option values. Default value: FCLI_DEFAULT.
- -h, --help
  Use 'fcli [command] -h' to display help for fcli (sub-)commands.
- --log-file=<logFile>
  Write log output to file. Default: ./fcli.log if logging is enabled.
- --log-level=<logLevel>
  Set logging level: TRACE, DEBUG, INFO, WARN, ERROR, NONE.
- --log-mask=<level>
  Log mask level: high, medium, low, none. Default: medium. Masking is done on a best-effort basis; there is no guarantee that all sensitive data will be masked.