Provided by: sigsum-go_0.11.2-1_amd64 

NAME
sigsum-submit - sign and log checksums
SYNOPSIS
sigsum-submit [-v] [-a key-file] [--diagnostics log-level] [-d domain-name] [--help] [-k key-file] [--leaf-hash] [-o output-file] [-O output-dir] [-p policy-file] [--raw-hash] [-t timeout] [input files]
DESCRIPTION
Sign checksums and submit them for logging with add-leaf requests. If no input files and output options are specified, a single add-leaf request is processed by reading from stdin and writing to stdout.

If no signing key is provided (-k option), the input must be the body of an add-leaf request. It is parsed and verified before submission.

If no trust policy is specified (-p option), the output will be the body of an add-leaf request. This is useful to sign a checksum on one system and then submit the request for logging on a different system.

If a signing key is specified (-k option), an add-leaf request is created by signing the input as a signed checksum. Use the --raw-hash option if the input has already been hashed with SHA256.

If a trust policy is specified (-p option), the proof is collected such that the policy is satisfied. In other words, the checksum will be in any of the logs with enough witness cosignatures.

If one or more input files are specified, each file corresponds to a separate add-leaf request. Output is written to file(s) based on:

1. If there's exactly one input file and the -o option is used, then output is written to that file. Any existing file is overwritten.

2. If the output is an add-leaf request (no -p option), then the output file name is formed by adding ".req" to the input file name.

3. If the output is a proof (-p option), then the output file name is formed by adding ".proof" to the input file name. If the input is an add-leaf request, any ".req" suffix is removed first.

4. If the output is written to a directory (-O option), then any directory part of the input file name is stripped and the output is written as a file in the specified output directory.

If a ".proof" file already exists, then sigsum-submit just ensures the proof is valid without performing a new add-leaf request. An invalid proof will cause sigsum-submit to exit with an error.

If a ".req" file already exists, then it is simply overwritten.
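
The file-naming rules above, as an added shell sketch that is not part of sigsum-go: the hypothetical helper sigsum_output_path predicts where the output for one input file will be written, so a script can tell beforehand whether an existing ".proof" will only be verified or an existing ".req" overwritten. It assumes -o is used as given and is not combined with -O, and it does not model a run with neither -k nor -p.

```sh
#!/bin/sh
# Added example: predicts the output path for one sigsum-submit input file,
# following naming rules 1-4 in DESCRIPTION.
# sigsum_output_path is a hypothetical helper, not a sigsum-go command.
#
# usage: sigsum_output_path INPUT HAS_KEY HAS_POLICY [OUT_FILE] [OUT_DIR]
#   HAS_KEY    "yes" if -k is given (input is data to sign), "no" if the
#              input is already the body of an add-leaf request
#   HAS_POLICY "yes" if -p is given (output is a proof), otherwise "no"
#   OUT_FILE   value of -o, or empty
#   OUT_DIR    value of -O, or empty
sigsum_output_path() {
    input=$1 has_key=$2 has_policy=$3 out_file=${4:-} out_dir=${5:-}

    # Rule 1: with a single input, -o names the output file directly.
    # Assumption: -o is taken as given and not combined with -O.
    if [ -n "$out_file" ]; then
        printf '%s\n' "$out_file"
        return 0
    fi

    name=$input
    if [ "$has_policy" = yes ]; then
        # Rule 3: a request input loses its ".req" suffix before ".proof".
        if [ "$has_key" = no ]; then
            name=${name%.req}
        fi
        name=$name.proof
    elif [ "$has_key" = yes ]; then
        # Rule 2: without -p the output is an add-leaf request.
        name=$name.req
    else
        # Neither -k nor -p: not modeled by this sketch.
        return 1
    fi

    # Rule 4: -O strips the directory part of the input file name.
    if [ -n "$out_dir" ]; then
        name=${out_dir%/}/${name##*/}
    fi
    printf '%s\n' "$name"
}
```
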
OPTIONS
-a, --token-signing-key=key-file
    Private key in OpenSSH format to sign DNS rate-limit tokens; or a corresponding public key where the private part is accessed using the SSH agent protocol

--diagnostics=log-level
    Available levels: fatal, error, warning, info, debug [info]

-d, --token-domain=domain-name
    Domain name to use for rate-limiting; "_sigsum_v1." will be prepended

--help
    Show usage message and exit

-k, --signing-key=key-file
    Private key in OpenSSH format to sign checksums; or a corresponding public key where the private part is accessed using the SSH agent protocol

--leaf-hash
    Output the request's leaf hash without submission and exit

-o, --output=output-file
    Store output in a file, only works for a single input

-O, --output-dir=output-dir
    Store output in a directory [same as corresponding input file]

-p, --policy=policy-file
    Trust policy defining logs, witnesses, and a quorum rule; omit to only output requests and exit

--raw-hash
    Input has already been hashed and formatted as 32 octets or a hex string

-t, --timeout=timeout
    Timeout for submitting all signed checksums and collecting the proofs [10m0s]

-v, --version
    Show software version and exit
RETURN CODES
A non-zero return code is used to indicate failure.
CONTACT
Send an email to the sigsum-general mailing list at sigsum-general@lists.sigsum.org. You can also reach out in room #sigsum at OFTC.net and matrix.org.
REPORTING BUGS
Use the issue tracker located at https://git.glasklar.is/sigsum/core/sigsum-go/-/issues. To file issues without a GitLab account, send an email to sigsum-core-sigsum-go-issues@incoming.glasklar.is and wait for a maintainer to make the issue public.
SEE ALSO
sigsum-key(1), sigsum-monitor(1), sigsum-token(1), sigsum-tools(5), sigsum-verify(1)

sigsum-submit 0.11.2-1    March 2025    SIGSUM-SUBMIT(1)