1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
## cosign copy
Copy the supplied container image and signatures.
```
cosign copy [flags]
```
### Examples
```
cosign copy <source image> <destination image>
# copy a container image and its signatures
cosign copy example.com/src:latest example.com/dest:latest
# copy the signatures only
cosign copy --only=sig example.com/src example.com/dest
# copy the signatures, attestations, sbom only
cosign copy --only=sig,att,sbom example.com/src example.com/dest
# overwrite destination image and signatures
cosign copy -f example.com/src example.com/dest
# copy a container image and its signatures for a specific platform
cosign copy --platform=linux/amd64 example.com/src:latest example.com/dest:latest
```
### Options
```
--allow-http-registry whether to allow using HTTP protocol while connecting to registries. Don't use this for anything but testing
--allow-insecure-registry whether to allow insecure connections to registries (e.g., with expired or self-signed TLS certificates). Don't use this for anything but testing
--attachment-tag-prefix [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName] optional custom prefix to use for attached image tags. Attachment images are tagged as: [AttachmentTagPrefix]sha256-[TargetImageDigest].[AttachmentName]
-f, --force overwrite destination image(s), if necessary
-h, --help help for copy
--k8s-keychain whether to use the kubernetes keychain instead of the default keychain (supports workload identity).
--only strings custom string array to only copy specific items, this flag is comma delimited. ex: --only=sig,att,sbom
--platform string only copy container image and its signatures for a specific platform image
--registry-cacert string path to the X.509 CA certificate file in PEM format to be used for the connection to the registry
--registry-client-cert string path to the X.509 certificate file in PEM format to be used for the connection to the registry
--registry-client-key string path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry
--registry-password string registry basic auth password
--registry-server-name string SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry
--registry-token string registry bearer auth token
--registry-username string registry basic auth username
--sig-only [DEPRECATED] only copy the image signature
```
### Options inherited from parent commands
```
--output-file string log output to a file
-t, --timeout duration timeout for commands (default 3m0s)
-d, --verbose log debug output
```
### SEE ALSO
* [cosign](cosign.md) - A tool for Container Signing, Verification and Storage in an OCI registry.
|
