
diagrid workflow archive verify

Verify the signatures in a workflow archive file

Description

Verify the cryptographic signatures in a workflow history archive file.

The archive's signature chain is checked: every history event is covered by a signature, the chain links are intact, each signature verifies against its signing certificate, and each certificate chains to a trusted Sentry CA.

By default the archive is verified against the project's current region trust anchor, fetched from the control plane. Pass --trust-anchor to verify instead against a PEM bundle on disk (fully offline), for example one previously exported with "diagrid workflow archive trust-anchor".

diagrid workflow archive verify <archive-file> [flags]

Examples


# Verify against the project's region trust anchor (fetched from the control plane)
diagrid workflow archive verify wf-123.json -p my-project

# Verify against an out-of-band Sentry CA bundle on disk (offline)
diagrid workflow archive verify wf-123.json --trust-anchor sentry-ca.pem

# Also assert the signing identity, and emit JSON
diagrid workflow archive verify wf-123.json -p my-project -a my-app --namespace default -o json

# Read the archive from stdin
cat wf-123.json | diagrid workflow archive verify - -p my-project
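
An offline check is only as trustworthy as the PEM bundle it is given, so this added example (not part of the Diagrid documentation) pins the bundle's SHA-256 before running the command with the flags listed on this page. It assumes the CLI exits non-zero when verification fails; DIAGRID_BIN, file_sha256 and verify_archive_offline are hypothetical names.

```shell
#!/bin/sh
# Added example, not Diagrid's own code. Assumption: the CLI exits non-zero
# when verification fails. DIAGRID_BIN, file_sha256 and verify_archive_offline
# are hypothetical names introduced for this sketch.
DIAGRID_BIN="${DIAGRID_BIN:-diagrid}"

# Print the lowercase hex SHA-256 of a file.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_archive_offline <archive> <anchor.pem> <anchor-sha256> <app-id> <namespace>
# Returns: 0 verified, 2 usage or unreadable file, 3 anchor digest mismatch,
#          4 the verify command reported failure.
verify_archive_offline() {
  if [ "$#" -ne 5 ]; then
    echo "usage: verify_archive_offline ARCHIVE ANCHOR SHA256 APP_ID NAMESPACE" >&2
    return 2
  fi
  if [ ! -r "$1" ] || [ ! -r "$2" ]; then
    echo "archive or trust anchor is not readable" >&2
    return 2
  fi
  # The pinned digest comes from a source other than the bundle itself
  # (e.g. recorded at export time); compare case-insensitively.
  want=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  got=$(file_sha256 "$2") || return 2
  if [ "$got" != "$want" ]; then
    echo "trust anchor digest mismatch: got $got" >&2
    return 3
  fi
  # Pass the expected identity explicitly instead of relying on the defaults
  # (per the options, -a otherwise defaults to the archive's own app ID).
  "$DIAGRID_BIN" workflow archive verify "$1" \
    --trust-anchor "$2" -a "$4" --namespace "$5" -o json || return 4
}

# Run directly: ./verify.sh wf-123.json sentry-ca.pem <sha256> my-app default
if [ "$#" -eq 5 ]; then
  verify_archive_offline "$@"
fi
```

The distinct return codes let a pipeline tell a tampered or swapped trust anchor (3) apart from an archive that failed verification (4).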

Options

--trust-anchor string Path to a PEM trust anchor (Sentry CA) bundle to verify against; if unset, the project's region trust anchor is fetched from the control plane
-p, --project string Name of existing project
-a, --app-id string Assert the signing identity matches this App ID; defaults to the archive's own app ID when a namespace is known
--namespace string Assert the signing identity matches this namespace; defaults to the project's signing namespace derived from the control plane (only needed with --trust-anchor)
-o, --output string Output format: text or json (default "text")
-h, --help help for verify

Options inherited from parent commands

--api-key string Diagrid Cloud API key

SEE ALSO