diagrid workflow archive verify
Verify the signatures in a workflow archive file
Description
Verify the cryptographic signatures in a workflow history archive file.
The archive's signature chain is checked: every history event is covered by a signature, the chain links are intact, each signature verifies against its signing certificate, and each certificate chains to a trusted Sentry CA.
By default the archive is verified against the project's current region trust anchor, fetched from the control plane. Pass --trust-anchor to verify instead against a PEM bundle on disk (fully offline), for example one previously exported with "diagrid workflow archive trust-anchor".
diagrid workflow archive verify <archive-file> [flags]
Examples
# Verify against the project's region trust anchor (fetched from the control plane)
diagrid workflow archive verify wf-123.json -p my-project
# Verify against an out-of-band Sentry CA bundle on disk (offline)
diagrid workflow archive verify wf-123.json --trust-anchor sentry-ca.pem
# Also assert the signing identity, and emit JSON
diagrid workflow archive verify wf-123.json -p my-project -a my-app --namespace default -o json
# Read the archive from stdin
cat wf-123.json | diagrid workflow archive verify - -p my-project
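An added wrapper for the offline case (not part of the Diagrid CLI or its documentation): with --trust-anchor the PEM file on disk becomes the root of trust, so the bundle is checked against a SHA-256 digest recorded when it was exported before verify runs. The function names, return codes 2 and 3, and the assumption that diagrid exits non-zero on a failed verification are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not Diagrid's code. Offline verification trusts whatever PEM
# bundle it is handed, so the bundle is pinned to a digest recorded at export.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_archive_pinned ARCHIVE ANCHOR_PEM EXPECTED_SHA256 APP_ID NAMESPACE
# Returns 0 only if the anchor matches its pin and diagrid reports success.
# Return codes 2 and 3 are this wrapper's own; other non-zero codes are diagrid's.
verify_archive_pinned() {
  local archive=$1 anchor=$2 pin=$3 app_id=$4 namespace=$5 actual

  [ -r "$anchor" ] || { echo "trust anchor not readable: $anchor" >&2; return 2; }
  actual=$(sha256_of "$anchor") || return 2
  if [ "$actual" != "$(printf '%s' "$pin" | tr 'A-F' 'a-f')" ]; then
    echo "trust anchor digest mismatch: got $actual" >&2
    return 3   # refuse to verify against a bundle that does not match its pin
  fi

  # Assumption: diagrid exits non-zero when verification fails.
  # --namespace is given explicitly: its default is derived from the control
  # plane, and the option text says it is needed with --trust-anchor.
  diagrid workflow archive verify "$archive" \
    --trust-anchor "$anchor" -a "$app_id" --namespace "$namespace" -o json
}
```

Store the expected digest somewhere the archive's producer cannot write, such as the pipeline's protected configuration.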
Options
      --trust-anchor string   Path to a PEM trust anchor (Sentry CA) bundle to verify against; if unset, the project's region trust anchor is fetched from the control plane
  -p, --project string        Name of existing project
  -a, --app-id string         Assert the signing identity matches this App ID; defaults to the archive's own app ID when a namespace is known
      --namespace string      Assert the signing identity matches this namespace; defaults to the project's signing namespace derived from the control plane (only needed with --trust-anchor)
  -o, --output string         Output format: text or json (default "text")
  -h, --help                  help for verify
Options inherited from parent commands
--api-key string Diagrid Cloud API key
SEE ALSO
- diagrid workflow archive - Work with workflow history archives