Provided by: sigsum-go_0.7.2-2ubuntu0.24.04.3_amd64

NAME

       sigsum-submit - create and/or submit add-leaf requests

SYNOPSIS

       sigsum-submit  [--diagnostics  level] [--help] [-k file] [--leaf-hash] [-o file] [--output-dir directory]
       [-p file] [--raw-hash] [--timeout duration]  [--token-domain  value]  [--token-signing-key  file]  [input
       files]

DESCRIPTION

       --diagnostics=level
              One of "fatal", "error", "warning", "info", or "debug" [info]

       --help Display help

       -k, --signing-key=file
              Key for signing the leaf

       --leaf-hash
              Output leaf hash

       -o file
              Write output to file, instead of stdout

       --output-dir=directory
              Directory for output files

       -p, --policy=file
              Sigsum policy

       --raw-hash
              Input is already hashed

       --timeout=duration
              Per-log submission timeout. Zero means library default, currently 45s

       --token-domain=value
              Create a Sigsum-Token: header for this domain

       --token-signing-key=file
              Key for signing Sigsum-Token: header

              Create and/or submit add-leaf request(s).

              If  no  input  files  are  listed on the command line, a single request is processed, reading from
              standard input, and writing to standard output (or file specified with the -o option). See further
              below for processing of multiple files.

              If a signing key (-k option) is specified, a new request is created by signing the SHA256 hash
              of the input (or, if --raw-hash is given, input is the hash value, either exactly 32 octets, or  a
              hex  string). The key file uses OpenSSH format; it must be either an unencrypted private key, or a
              public key, in which case the corresponding private key is accessed via ssh-agent.

              If no signing key is provided, input should instead be the body of an add-leaf request,  which  is
              parsed and verified.

              If  a  Sigsum policy (-p option) is provided, the request is submitted to the log specified by the
              policy, and a Sigsum proof is collected and output. If there are multiple logs in the policy, they
              are tried in randomized order.

              With -k but without -p, the add-leaf request itself is output.  With no -k and no -p, the  request
              syntax and signature of the input request are verified, but there is no output.

              The --leaf-hash option can be used to output the hash of the resulting leaf, instead of submitting
              it.

              If input files are provided on the command line, each file corresponds to one request, and the
              result is written to a corresponding output file, based on these rules:

              1. If there's exactly one input file, and the -o option is used, output is written to that
                 file. Any existing file is overwritten.

              2. For a request output, the suffix ".req" is added to the input file name.

              3. For a proof output, if the input is a request, any ".req" suffix on the input file name is
                 stripped. Then the suffix ".proof" is added.

              4. If the --output-dir option is provided, any directory part of the input file name is
                 stripped, and the output is written as a file in the specified output directory.

              If  a  corresponding  .proof file already exists, that proof is read and verified. If the proof is
              valid, the input file is skipped. If the proof is not valid, sigsum-submit exits with an error.

              If a corresponding .req output file already exists, it is overwritten (TODO: Figure out if that is
              the proper behavior).
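
The output naming rules 2 to 4 and the handling of existing files, as an added shell example that is not part of sigsum-go: it predicts, before a batch run, which file each input would produce and whether an existing .req would be overwritten or an existing .proof would be checked. The function names are hypothetical, and reading "the input is a request" as "no -k given" is an assumption; rule 1 (-o) and --leaf-hash are not covered.

```sh
#!/bin/sh
# Added example (not from sigsum-go). Function names are hypothetical.

# predict_output HAVE_KEY HAVE_POLICY INPUT [OUTPUT_DIR]
# HAVE_KEY / HAVE_POLICY are "yes" or "no": whether -k / -p would be given.
# Prints the output path for one input file; returns 1 if nothing is written.
predict_output() {
    have_key=$1 have_policy=$2 name=$3 outdir=${4:-}
    if [ "$have_policy" = yes ]; then
        # Proof output (rule 3). Assumption: "the input is a request" means
        # no -k was given, so only then is a trailing ".req" stripped.
        if [ "$have_key" = no ]; then name=${name%.req}; fi
        name=$name.proof
    elif [ "$have_key" = yes ]; then
        name=$name.req          # request output (rule 2)
    else
        return 1                # no -k, no -p: verify only, no output
    fi
    # Rule 4: --output-dir drops the directory part of the input name.
    if [ -n "$outdir" ]; then name=${outdir%/}/${name##*/}; fi
    printf '%s\n' "$name"
}

# preflight HAVE_KEY HAVE_POLICY INPUT [OUTPUT_DIR]
# Says what an existing output file means for this input, per the text above.
preflight() {
    out=$(predict_output "$@") || { echo "verify-only"; return 0; }
    if [ ! -e "$out" ]; then
        echo "create $out"
    elif [ "$2" = yes ]; then
        # Existing .proof: verified; input skipped if valid, error if not.
        echo "existing-proof $out"
    else
        # Existing .req: overwritten.
        echo "overwrite $out"
    fi
}
```

Running preflight over the planned input list shows every "overwrite" line before sigsum-submit is invoked, so signed requests that must be kept can be moved aside first.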

sigsum-submit 0.7.2-2ubuntu0.24.04.3                July 2025                                   SIGSUM-SUBMIT(1)