Skip to main content
Raw signature requests are done through the subcommand obj-sign-req, so invocations are generally through fxcli.kmes obj-sign-req.
None
 Object Sign Request Management

    Commands:
        list                 Enumerate the existing signing requests
        get                  Fetch info on a signing request
        submit               Submit a new request to sign the given file
        download             Download a signature from a signed request
        approve              Approve a signing request
        deny                 Deny a signing request
        delete               Delete a signing request
The obj-sign-req subcommand can manage raw signature requests. For actually producing the raw signatures, the two main commands are submit and download.
None
Usage: obj-sign-req submit <Options>

       -h  --help                       Show this message
       -i  --uuid <Value>               UUID of the issuance policy to use to sign with.
       -t  --hash-type <Value>          Type of digest to use.
       -f  --file <Value>               Signable file to hash.
       -n  --name <Value>               Human readable name of the request for viewing
       -m  --padding <Value>            Padding to use for the signature.
       -s  --salt-len <Value>           Length of salt for PSS padding
       --hex <Value>                    Digest to submit for signing in hex
       -b  --base64 <Value>             Digest to submit for signing in base64
None
Usage: obj-sign-req download <Options>

       -h  --help                       Show this message
       -i  --id <Value>                 Identifier recognizing the request to download
       -f  --file <Value>               File to write raw signature into
The output of obj-sign-req submit contains a request ID unique to the submitted request. This allows you to submit and monitor many requests in parallel. Example output of obj-sign-req submit:
None
$ obj-sign-req submit -i 01d5bf1d-bcad-0000-0000-129510e94d83 -f vcpkg.json -n vcpkg.json -t sha256

result:
    status: success
    statusCode: 0
request:
    id: "303C9AEB15CABDAB"
    hashType: "SHA256"
    requestName: "vcpkg.json"
Example output of obj-sign-req download:
None
$ obj-sign-req download -f vcpkg.json.sig -i 303C9AEB15CABDAB

result:
    status: success
    statusCode: 0
request:
    requestName: "vcpkg.json"
    id: "303C9AEB15CABDAB"
    type: invalid
    hashType: SHA256
    status: signed
    signature: "t/fnpekPK/CmLslHTHLprwTmdavGyDzbexSPSgdUybxY1+goLj9z5sm/GJ4qT+zWYcc444xuuBJ72alVWWCE0DjBjTxFLHdtHQneP1h+hdTkEkeCS/n7aail7NLw1Cw6UkdUXdumudzj+tEOC4sjpceot5mTo1v08buqvVGtx3wfUSk3PPloa2ooaH0dP1K3yUTRmg64t0FTlHofRcJMqfcKN8grGr2KUpQuzDOhNjP+7ZJstcVQw12gqxodm1VSsvHXP/031emKjtsKxJIWKWB5RQOYHi2aBEwzy2sTqVEQwR3XjQiC/6luFv4dvXX4iHmFmJUaVULmPE7/WDJwjw=="
The above command produces a vcpkg.json.sig file containing a 256-byte raw signature based on the digest of vcpkg.json.