gcloud container binauthz

NAME: gcloud container binauthz - manage attestations for Binary Authorization on Google Cloud Platform
SYNOPSIS: gcloud container binauthz GROUP | COMMAND [GCLOUD_WIDE_FLAG …]
DESCRIPTION: Binary Authorization is a feature which allows binaries to run on Google Cloud Platform only if they are appropriately attested. Binary Authorization is configured by creating a policy.
EXAMPLES: This example assumes that you have created a keypair using gpg, usually by running gpg --gen-key …, with Name-Email set to attesting_user@example.com for your attestor.
First, some convenience variables for brevity:
ATTESTING_USER="attesting_user@example.com" DIGEST="000000000000000000000000000000000000000000000000000000000000abcd" ARTIFACT_URL="gcr.io/example-project/example-image@sha256:${DIGEST}" ATTESTOR_NAME="projects/example-project/attestors/canary"

Export your key's fingerprint (note this may differ based on version and implementations of gpg):
gpg \ --with-colons \ --with-fingerprint \ --force-v4-certs \ --list-keys \ "${ATTESTING_USER}" | grep fpr | cut --delimiter=':' --fields 10

This should produce a 40 character, hexidecimal encoded string. See https://tools.ietf.org/html/rfc4880#section-12.2 for more information on key fingerprints.
Create your attestation payload:
gcloud container binauthz create-signature-payload \ --artifact-url="${ARTIFACT_URL}" \ > example_payload.txt

Create a signature from your attestation payload:
gpg \ --local-user "${ATTESTING_USER}" \ --armor \ --clearsign \ --output example_signature.pgp \ example_payload.txt

Upload the attestation:
gcloud container binauthz attestations create \ --public-key-id=${KEY_FINGERPRINT} \ --signature-file=example_signature.pgp \ --artifact-url="${ARTIFACT_URL}" \ --attestor=${ATTESTOR_NAME}

List the attestation by artifact URL. --format can be passed to output the attestations as json or another supported format:
gcloud container binauthz attestations list \ --artifact-url="${ARTIFACT_URL}" \ --format=yaml --- - | -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 … SNIP … -----END PGP PUBLIC KEY BLOCK----- - | -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 … SNIP … -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 … SNIP … -----END PGP SIGNATURE-----

List all artifact URLs on the project for which Container Analysis Occurrences exist. This list includes the list of all URLs with BinAuthz attestations:
gcloud container binauthz attestations list --- https://gcr.io/example-project/example-image@sha256:000000000000000000000000000000000000000000000000000000000000abcd …

Listing also works for kind=ATTESTATION_AUTHORITY attestations, just pass the attestor:
gcloud container binauthz attestations list \ --artifact-url="${ARTIFACT_URL}" \ --attestor=${ATTESTOR_NAME} \ --format=yaml …
GCLOUD WIDE FLAGS: These flags are available to all commands: --help.
Run $ gcloud help for details.
GROUPS: GROUP is one of the following:

attestations

Create and manage Google Binary Authorization attestations.

attestors

Create and manage Google Binary Authorization Attestors.

policy

Create and manage Google Binary Authorization policies.
COMMANDS: COMMAND is one of the following:

create-signature-payload

Create a JSON container image signature object.
NOTES: These variants are also available:
gcloud alpha container binauthz

gcloud beta container binauthz