DOKK / manpages / debian 13 / sigsum-go / sigsum-submit.1.en
SIGSUM-SUBMIT(1) User Commands SIGSUM-SUBMIT(1)

sigsum-submit - sign and log checksums

sigsum-submit [-v] [-a key-file] [--diagnostics log-level] [-d domain-name] [--help] [-k key-file] [--leaf-hash] [-o output-file] [-O output-dir] [-p policy-file] [--raw-hash] [-t timeout] [input files]

Sign checksums and submit them for logging with add-leaf requests.

If no input files and output options are specified, a single add-leaf request is processed by reading from stdin and writing to stdout.

If no signing key is provided (-k option), the input must be the body of an add-leaf request. It is parsed and verified before submission.

If no trust policy is specified (-p option), the output will be the body of an add-leaf request. This is useful to sign a checksum on one system and then submit the request for logging on a different system.

If a signing key is specified (-k option), an add-leaf request is created by signing the input as a signed checksum. Use the --raw-hash option if the input has already been hashed with SHA256.

If a trust policy is specified (-p option), the proof is collected such that the policy is satisfied. In other words, the checksum will be in any of the logs with enough witness cosignatures.

If one or more input files are specified, each file corresponds to a separate add-leaf request. Output is written to file(s) based on:

1. If there's exactly one input file and the -o option is used, then output is written to that file. Any existing file is overwritten.
2. If the output is an add-leaf request (no -p option), then the output file name is formed by adding ".req" to the input file name.
3. If the output is a proof (-p option), then the output file name is formed by adding ".proof" to the input file name. If the input is an add-leaf request, any ".req" suffix is removed first.
4. If the output is written to a directory (-O option), then any directory part of the input file name is stripped and the output is written as a file in the specified output directory.

If a ".proof" file already exists, then sigsum-submit just ensures the proof is valid without performing a new add-leaf request. An invalid proof will cause sigsum-submit to exit with an error.

If a ".req" file already exists, then it is simply overwritten.

-a, --token-signing-key=key-file

Private key in OpenSSH format to sign DNS rate-limit tokens; or a corresponding public key where the private part is accessed using the SSH agent protocol

--diagnostics=log-level

Available levels: fatal, error, warning, info, debug [info]

-d, --token-domain=domain-name

Domain name to use for rate-limiting; "_sigsum_v1." will be prepended
Show usage message and exit

-k, --signing-key=key-file

Private key in OpenSSH format to sign checksums; or a corresponding public key where the private part is accessed using the SSH agent protocol
Output the request's leaf hash without submission and exit

-o, --output=output-file

Store output in a file, only works for a single input

-O, --output-dir=output-dir

Store output in a directory [same as corresponding input file]

-p, --policy=policy-file

Trust policy defining logs, witnesses, and a quorum rule; omit to only output requests and exit
Input has already been hashed and formatted as 32 octets or a hex string

-t, --timeout=timeout

Timeout for submitting all signed checksums and collecting the proofs [10m0s]
Show software version and exit

A non-zero return code is used to indicate failure.

Send an email to the sigsum-general mailing list at sigsum-general@lists.sigsum.org. You can also reach out in room #sigsum at OFTC.net and matrix.org.

Use the issue tracker located at https://git.glasklar.is/sigsum/core/sigsum-go/-/issues. To file issues without a GitLab account, send an email to sigsum-core-sigsum-go-issues@incoming.glasklar.is and wait for a maintainer to make the issue public.

sigsum-key(1) sigsum-monitor(1) sigsum-token(1) sigsum-tools(5) sigsum-verify(1)

June 2025 sigsum-submit 0.11.2-1+b3