%SrSSKJr SSKJr SSKJr SSKrSSKrSSKJr SSKJ r SSKJ r SS KJ r SS KJ r SS KJr SS KJr SS KJr SSKJr SSKJr SSKJr SSKJr SSKJr SSKJr \R8"\R:R<\R:R>5"SS\R@55r!g)zCA command to sign and create attestations for Binary Authorization.)absolute_import)division)unicode_literalsN)apis) attestors)containeranalysis)containeranalysis_apis)kms)base) exceptions)flags)util) validation)log) properties) resources) console_ioc.\rSrSrSr\S5rSrSrg) SignAndCreate(aSign and create a Binary Authorization Attestation using a Cloud KMS key. This command signs and creates a Binary Authorization attestation for your project. The attestation is created for the specified artifact (e.g. a gcr.io container URL), associate with the specified attestor, and stored under the specified project. ## EXAMPLES To sign and create an attestation in the project "my_proj" as the attestor with resource path "projects/foo/attestors/bar" with the key "projects/foo/locations/us-west1/keyRings/aring/cryptoKeys/akey/cryptoKeyVersions/1", run: $ {command} \ --project=my_proj \ --artifact-url='gcr.io/example-project/example-image@sha256:abcd' \ --attestor=projects/foo/attestors/bar \ --keyversion-project=foo \ --keyversion-location=us-west1 \ --keyversion-keyring=aring \ --keyversion-key=akey \ --keyversion=1 To sign and create an attestation in the project "my_proj" in note "bar" with the key "projects/foo/locations/us-west1/keyRings/aring/cryptoKeys/akey/cryptoKeyVersions/1", run: $ {command} \ --project=my_proj \ --artifact-url='gcr.io/example-project/example-image@sha256:abcd' \ --note=projects/my_proj/notes/bar \ --keyversion-project=foo \ --keyversion-location=us-west1 \ --keyversion-keyring=aring \ --keyversion-key=akey \ --keyversion=1 c 2[R"U5 UR5nUR5n[R"U[R "SSSS[ R"S5S95 [R"U[R"SSSS[ R"S5S95 [R"U[R"SSS[ R"S 5S 95 URS [[ R"S 5S 9 URSSS[ R"S5S9 URSSS[ R"S5S9 URS[S[ R"S5S9 g)NattestorFa The Attestor whose Container Analysis Note will be used to host the created attestation. In order to successfully attach the attestation, the active gcloud account (core/account) must be able to read this attestor and must have the `containeranalysis.notes.attachOccurrence` permission for the Attestor's underlying Note resource (usually via the `containeranalysis.notes.attacher` role).) base_namerequired positionaluse_global_project_flag group_help keyversionTz{ The Cloud KMS (Key Management Service) CryptoKeyVersion to use to sign the attestation payload.noteag The Container Analysis Note which will be used to host the created attestation. In order to successfully attach the attestation, the active gcloud account (core/account) must have the `containeranalysis.notes.attachOccurrence` permission for the Note (usually via the `containeranalysis.notes.attacher` role).)rrrrz--public-key-id-overridea If provided, the ID of the public key that will be used to verify the Attestation instead of the default generated one. This ID should match the one found on the Attestor resource(s) which will use this Attestation. This parameter is only necessary if the `--public-key-id-override` flag was provided when this KMS key was added to the Attestor.)typehelpz --validate store_truezo Whether to validate that the Attestation can be verified by the provided Attestor. )actiondefaultr!z--pae-encode-payloadzD Whether to pae-encode the payload before signing. z --dsse-typez0application/vnd.dev.cosign.simplesigning.v1+jsonz* DSSE type used for pae encoding.)r r$r!) r AddArtifactUrlFlagadd_mutually_exclusive_group add_group AddConceptsGetAttestorPresentationSpectextwrapdedent#GetCryptoKeyVersionPresentationSpecGetNotePresentationSpec add_argumentstr)clsparserexclusive_groupgroups >lib/surface/container/binauthz/attestations/sign_and_create.pyArgsSignAndCreate.ArgsQs V$99;O  % % 'E   )) $)(;< $  11"$)(/0     %%(MN   "  __LM   __    __    B __./ c  [RR[RR R RSS9SS9n[R"UR5n[R"UR55nURRR5nUR =(d ["R$"U5nSU;=(a UR&nSnUR((Ga URR(R5n [*R,"U5RU 5n [RR/SU R0R205n U(a%[4R6"[8R:U US9nOU[=SU R0R>55;a7[@RB"S UU RD5 [FRH"S SS 9 OLURJ(a%URRJR5n O[LRN"S 5e[RP"UR5n U n URR(a0[RT"URVU RYS 55n ["R,"5nUR[UR]55nUR_UR]5["R`"URb5U 5n[dR,"[fR"UR555nURiUU UUURjU US9$)NT)rzcloudresourcemanager.projects) collectionvalidatez containeranalysis.projects.notes) attestor_ref api_versionc38# UHoRv M g7f)N)id).0pubkeys r4 $SignAndCreate.Run..s $L&II$Lsz1No public key with ID [%s] found on attestor [%s]z%Create and upload Attestation anyway?) prompt_string cancel_on_noz-One of --attestor or --note must be provided.zutf-8) project_refnote_ref artifact_url public_key_id signature plaintextvalidation_callback)6rREGISTRYParserVALUEScoreprojectGetbinauthz_command_utilRemoveArtifactUrlSchemerGr GetApiVersion ReleaseTrackCONCEPTSrpublic_key_id_overrider GetKeyUrir:rrClientParseResourceIduserOwnedDrydockNote noteReference functoolspartialrvalidate_attestationset publicKeysrwarningnamerPromptContinuerr InvalidArgumentErrorMakeSignaturePayloadpae_encode_payload PaeEncode dsse_typedecode GetPublicKey RelativeNameAsymmetricSignGetAlgorithmDigestType algorithmrca_apisCreateAttestationOccurrencerI)selfargsrEartifact_url_without_schemer<key_refkey_idvalidation_enabledrKr;rrFpayloadpayload_for_signing kms_clientpubkey_response sign_responseclients r4RunSignAndCreate.Runs$$**&&**D*92+K#8"O"O # $$T%6%6%89Kmm&&,,.G  ( ( BCMM',BF$t+=  }}}]]++113l!!+.22<@h##33 ,  ' ' 5 5 h '//  + +%#   $,$A$A$L$L    ++Amm  # #C  ##))+h  + + 9 $889J9JKG! 1;; ..'..1J --g.B.B.DEO-- ""?#<#<=M  % %d//12F  - -0))/ . r7N) __name__ __module__ __qualname____firstlineno____doc__ classmethodr5r~__static_attributes__rr7r4rr(s%%NWWrUr7r)"r __future__rrrr]r*)googlecloudsdk.api_lib.container.binauthzrrrr rpr googlecloudsdk.callioper -googlecloudsdk.command_lib.container.binauthzr r rrRrgooglecloudsdk.corerrrgooglecloudsdk.core.consoler ReleaseTracksrUBETAALPHA CreateCommandrrr7r4rsJ&':?GW9(D?WD#*)2D%%**D,=,=,C,CDWD&&WEWr7