CLI Reference

Explore all of the commands and options available in the command-line interface

Enroll with AWS

truepic enroll aws [OPTIONS] --api-key <API_KEY> --region <REGION>

Store keys in AWS Key Management Service and their certificates in AWS Secrets Manager.


Options


-k, --api-key <API_KEY>

Your key that grants access to the Truepic API.


-v, --app-version <VERSION>

The version of the app calling this binary.

[default: 0.0.0]


-f, --force

Proceed with a new enrollment even if the existing key and certificate are valid.

The existing key and certificate will be replaced.


-j, --json

Output the profile as JSON on success instead of writing to a file.


-p, --profile <NAME>

The profile name to give this key and certificate.

By using different profiles, you can manage multiple keys and their certificates on the same machine.

[default: default]


-c, --subject-cn <COMMON_NAME>

The common name of the certificate's subject to request.

If not specified, "Truepic Lens CLI in " is used.


--region <REGION>

The AWS region (e.g., us-east-1) in which to store keys and their certificates.


--access-key-id <ACCESS_KEY_ID>

The Access Key ID to use for authentication.

Must be specified with --access-key-secret.

If not specified, the following are tried in order:

  • Getting the value from the environment variable AWS_ACCESS_KEY_ID.
  • Authenticating via the credential_process command in the AWS CLI's config file, usually located at ~/.aws/config.
  • Authenticating via the AWS CLI's credentials file, usually located at ~/.aws/credentials.
  • Authenticating via the instance profile assigned to the deployment environment (e.g., EC2).

--access-key-secret <ACCESS_KEY_SECRET>

The Access Key Secret to use for authentication.

Must be specified with --access-key-id.

If not specified, the following are tried in order:

  • Getting the value from the environment variable AWS_ACCESS_KEY_ID.
  • Authenticating via the credential_process command in the AWS CLI's config file, usually located at ~/.aws/config.
  • Authenticating via the AWS CLI's credentials file, usually located at ~/.aws/credentials.
  • Authenticating via the instance profile assigned to the deployment environment (e.g., EC2).

--cli-profile <CLI_PROFILE>

If authenticating via the AWS CLI, the name of the profile to use if it's different than default.


--key-id <KEY_ID>

If using a pre-existing key, the identifier of the key.

This can be either a key ID, a key ARN, an alias name, or an alias ARN.

Must be specified with --certificate-secret-id.

If not specified, a new key is created.


--certificate-secret-id <CERTIFICATE_SECRET_ID>

If using a pre-existing key, the identifier of the secret where the certificate is stored.

This can be either the ARN or the name of the secret.

Must be specified with --key-id.

If not specified, a new secret is created to store the key's certificate.


Enroll with Azure

truepic enroll azure [OPTIONS] --api-key <API_KEY> --vault-uri <VAULT_URI>

Store keys and their certificates in Azure Key Vault.


Options


-k, --api-key <API_KEY>

Your key that grants access to the Truepic API.


-v, --app-version <VERSION>

The version of the app calling this binary.

[default: 0.0.0]


-f, --force

Proceed with a new enrollment even if the existing key and certificate are valid.

The existing key and certificate will be replaced.


-j, --json

Output the profile as JSON on success instead of writing to a file.


-p, --profile <NAME>

The profile name to give this key and certificate.

By using different profiles, you can manage multiple keys and their certificates on the same machine.

[default: default]


-c, --subject-cn <COMMON_NAME>

The common name of the certificate's subject to request.

If not specified, "Truepic Lens CLI in " is used.


--tenant-id <TENANT_ID>

The ID of the tenant/directory to authenticate with, found on Active Directory > Overview.

Must be specified with --client-id and --client-secret.

If not specified, the following are tried in order:

  • Getting the value from the environment variable AZURE_TENANT_ID.
  • Authenticating via the managed identity assigned to the deployment environment (Azure VMs, App Services, Function Apps).
  • Authenticating via the Azure CLI.

--client-id <CLIENT_ID>

The client ID of the app registered in Active Directory to use for authentication.

Must be specified with --tenant-id and --client-secret.

If not specified, the following are tried in order:

  • Getting the value from the environment variable AZURE_CLIENT_ID.
  • Authenticating via the managed identity assigned to the deployment environment (Azure VMs, App Services, Function Apps).
  • Authenticating via the Azure CLI.

--client-secret <CLIENT_SECRET>

The client secret of the app registered in Active Directory to use for authentication.

Must be specified with --tenant-id and --client-id.

If not specified, the following are tried in order:

  • Getting the value from the environment variable AZURE_CLIENT_SECRET.
  • Authenticating via the managed identity assigned to the deployment environment (Azure VMs, App Services, Function Apps).
  • Authenticating via the Azure CLI.

--vault-uri <VAULT_URI>

The URI of the vault in which to store keys and their certificates.

This is found on the vault's "Overview" page.


--key-id <KEY_ID>

If using a pre-existing key, the identifier (URI) of the key, including version.

Must be specified with --certificate-secret-id.

If not specified, a new key is created.


--certificate-secret-id <CERTIFICATE_SECRET_ID>

If using a pre-existing key, the identifier (URI) of the secret where the certificate is stored.

Must be specified with --key-id.

If not specified, a new secret is created to store the key's certificate.


Enroll with File System

truepic enroll file-system [OPTIONS] --api-key <API_KEY>

Store keys and their certificates in the file system.


Options


-k, --api-key <API_KEY>

Your key that grants access to the Truepic API.


-v, --app-version <VERSION>

The version of the app calling this binary.

[default: 0.0.0]


-f, --force

Proceed with a new enrollment even if the existing key and certificate are valid.

The existing key and certificate will be replaced.


-j, --json

Output the profile as JSON on success instead of writing to a file.


-p, --profile <NAME>

The profile name to give this key and certificate.

By using different profiles, you can manage multiple keys and their certificates on the same machine.

[default: default]


-c, --subject-cn <COMMON_NAME>

The common name of the certificate's subject to request.

If not specified, "Truepic Lens CLI in " is used.


--private-key <FILE>

If using a pre-existing key, the path to the private key file.

Must be specified with --certificate.

If not specified, a new key is created.


--certificate <FILE>

If using a pre-existing key, the path to the certificate file.

Must be specified with --private-key.

If not specified, a new file is created to store the key's certificate.


Enroll with Inline

truepic enroll inline [OPTIONS] --api-key <API_KEY>

Store keys and their certificates inline with the profile.


Options


-k, --api-key <API_KEY>

Your key that grants access to the Truepic API.


-v, --app-version <VERSION>

The version of the app calling this binary.

[default: 0.0.0]


-f, --force

Proceed with a new enrollment even if the existing key and certificate are valid.

The existing key and certificate will be replaced.


-j, --json

Output the profile as JSON on success instead of writing to a file.


-p, --profile <NAME>

The profile name to give this key and certificate.

By using different profiles, you can manage multiple keys and their certificates on the same machine.

[default: default]


-c, --subject-cn <COMMON_NAME>

The common name of the certificate's subject to request.

If not specified, "Truepic Lens CLI in " is used.


--private-key <PEM>

If using a pre-existing key, the private key as a PEM-encoded string.

Must be specified with --certificate.

If not specified, a new key is created.


--certificate <PEM>

If using a pre-existing key, the certificate as a PEM-encoded string.

Must be specified with --private-key.

If not specified, a new certificate is requested.


Enroll with JSON

truepic enroll json [OPTIONS]

Pass the profile to enroll with as JSON.

Unlike the other key provider-specific commands, this allows any key provider to be configured with JSON.

An updated profile will be output as JSON on success.


Options


--file <FILE>

The path to a JSON file containing the profile.

Cannot be used with --inline at the same time.

This is the output from --json when enrolling with one of the key provider-specific commands.


-f, --force

Proceed with a new enrollment even if the existing key and certificate are valid.

The existing key and certificate will be replaced.


--inline <JSON>

The profile passed inline as a JSON string.

Cannot be used with --file at the same time.

This is the output from --json when enrolling with one of the key provider-specific commands.


Sign a Media File

truepic sign [OPTIONS] <FILE>

Cryptographically sign history/origin details into a media file.


Arguments


<FILE>

The path to the media file to sign.

This file will be replaced with the signed version unless a new path is specified with --output.


Options


-a, --assertions <FILE>

The path to a JSON file containing the assertions to sign into the file.

Cannot be used with --assertions-inline at the same time.

See the Assertions JSON documentation for how the JSON should be structured, along with various examples.


--assertions-inline <JSON>

A string of JSON containing the assertions to sign into the file.

Cannot be used with --assertions at the same time.

See the Assertions JSON documentation for how the JSON should be structured, along with various examples.


-i, --ingredient <FILE>

The path to a media file that the <FILE> being signed has been created or derived from.

If the ingredient file contains an internal manifest, that manifest will be used with the ingredient.

If an external manifest is found (same file name with a .c2pa extension in the same location), that manifest will be used.

If the file contains a manifest store URI in embedded XMP, the manifest store file will be automatically downloaded.

Otherwise, it will use the unsigned ingredient file.

The ingredient file may optionally be prefixed with "parent:" or "component:" to indicate the relationship of the ingredient to the input media <FILE>.

This option can be specified multiple times, once for each media file.


--no-tsa

Don't request a trusted timestamp from the Truepic time stamping authority (TSA).


-o, --output <FILE>

A new path where the signed media file should be output.

If not specified, the input <FILE> is replaced with the signed version.


--output-manifest-store <FILE>

A path where the signed manifest store file should be output. This option will not modify the input media <FILE>.

Cannot be used with --output.


-p, --profile <NAME>

The name of the profile to use for signing.

This name is specified with --profile when enrolling.

Cannot be used with --profile-file or --profile-inline at the same time.

[default: default]


--profile-file <FILE>

The profile as a JSON file to use for signing.

This is the output from --json when enrolling.

Cannot be used with --profile or --profile-inline at the same time.


--profile-inline <JSON>

The profile as a JSON string to use for signing instead of loading from a file.

This is the output from --json when enrolling.

Cannot be used with --profile or --profile-file at the same time.


--claim-generator-name <NAME>

The name of the claim generator, to be used in the claim-generator-info field of the claim.


--claim-generator-version <VERSION>

The version of the claim generator, to be used in the claim-generator-info field of the claim.

If specified, then --claim-generator-name must also be specified.


--claim-generator-icon-file <ICON_FILE>

An icon file to use as the claim generator's icon in the claim-generator-info field of the claim.

If specified, then --claim-generator-name must also be specified.


--target-spec-version <TARGET_SPEC_VERSION>

Can be used to specify the target C2PA spec version used for claim generation. The default value is "1.4".


--minimum-ingredient-spec-version <MINIMUM_INGREDIENT_SPEC_VERSION>

Can be used to specify the minimum C2PA spec version used for validating ingredient manifests during claim generation. The default value is "1.4".


--provided-thumbnail <PROVIDED_THUMBNAIL>

Path to either a JPEG or a PNG image to use as the thumbnail.


--provided-thumbnail-assertion-source <PROVIDED_THUMBNAIL_ASSERTION_SOURCE>

An enumeration ("created" or "gathered") indicating whether the provided thumbnail data is added as a gathered or a created assertion.

For spec 1.4 and earlier, the value is ignored.

If specified, then --provided-thumbnail must also be specified.

[default: gathered]
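The sign command has several pairs of options that cannot be combined (--profile / --profile-file / --profile-inline, --assertions / --assertions-inline, --output / --output-manifest-store), one dependent option (--claim-generator-version needs --claim-generator-name) and a "parent:" / "component:" prefix convention for --ingredient. The following Python helper, an added example that is not part of this reference or of the Truepic CLI itself, builds a `truepic sign` argv that enforces those documented rules before anything is executed; it assumes only that the binary is on PATH as `truepic`, and the file names used are constructed.

```python
import json

INGREDIENT_RELATIONSHIPS = ("parent", "component")


def _exclusive(**opts):
    """Raise if more than one of a set of mutually exclusive options is given."""
    given = [name for name, value in opts.items() if value is not None]
    if len(given) > 1:
        raise ValueError("mutually exclusive options: " + ", ".join(given))


def sign_args(file, profile=None, profile_file=None, profile_inline=None,
              assertions=None, assertions_inline=None, ingredients=(),
              output=None, output_manifest_store=None, no_tsa=False,
              claim_generator_name=None, claim_generator_version=None):
    """Build argv for `truepic sign`, rejecting option combinations the reference forbids.

    profile_inline may be a dict (the parsed output of `truepic enroll ... --json`);
    ingredients are paths or (relationship, path) tuples for the "parent:"/"component:" prefix.
    """
    _exclusive(profile=profile, profile_file=profile_file, profile_inline=profile_inline)
    _exclusive(assertions=assertions, assertions_inline=assertions_inline)
    _exclusive(output=output, output_manifest_store=output_manifest_store)
    if claim_generator_version is not None and claim_generator_name is None:
        raise ValueError("--claim-generator-version requires --claim-generator-name")
    if isinstance(profile_inline, dict):
        profile_inline = json.dumps(profile_inline)  # pass the enrolment profile JSON inline

    args = ["truepic", "sign"]
    for flag, value in (("--profile", profile), ("--profile-file", profile_file),
                        ("--profile-inline", profile_inline), ("--assertions", assertions),
                        ("--assertions-inline", assertions_inline), ("--output", output),
                        ("--output-manifest-store", output_manifest_store),
                        ("--claim-generator-name", claim_generator_name),
                        ("--claim-generator-version", claim_generator_version)):
        if value is not None:
            args += [flag, value]
    for ingredient in ingredients:
        if isinstance(ingredient, tuple):  # ("parent", "raw.dng") -> "parent:raw.dng"
            relationship, path = ingredient
            if relationship not in INGREDIENT_RELATIONSHIPS:
                raise ValueError(f"unknown ingredient relationship: {relationship}")
            ingredient = f"{relationship}:{path}"
        args += ["--ingredient", ingredient]
    if no_tsa:
        args.append("--no-tsa")
    return args + [file]  # <FILE> is the positional argument
```

Run the returned list with `subprocess.run(sign_args(...), check=True)`; because the options are passed as an argv list rather than a shell string, an inline profile or assertion JSON needs no quoting.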

Verify a Media File

truepic verify [OPTIONS] <FILE>

Verify the cryptographically signed history/origin details in a media file.


Arguments


<FILE>

The path to the media file to verify.

If the file uses an external manifest store (.c2pa) on the filesystem, it must exist in the same folder as the signed file.

If the file contains a manifest store URI in embedded XMP, the manifest store file will be automatically downloaded.


Options


--no-ocsp

Don't check the revocation status of the signing certificate via OCSP.


--minimum-spec-version <MINIMUM_SPEC_VERSION>

Can be used to specify the minimum C2PA spec version allowed for validation. The default value is "1.4".


Extract a Manifest Store

truepic manifest extract [OPTIONS] <FILE>

Extract the manifest store from a media file.


Arguments


<FILE>

The path to the media file to extract the manifest from.


Options


-o, --output <FILE>

Required. A new path where the manifest store file should be output. A .c2pa extension is recommended.


Insert a Manifest Store

truepic manifest insert [OPTIONS] <FILE> <MANIFEST_FILE>

Insert a manifest store, from a file, into an unsigned media file.


Arguments


<FILE>

The path to the unsigned media file to insert the manifest store into.


<MANIFEST_FILE>

The path to the manifest file.


Options


-o, --output <FILE>

A new path where the signed media file should be output.


Remove a Manifest Store

truepic manifest remove [OPTIONS] <FILE>

Remove the manifest store from a signed media file.


Arguments


<FILE>

The path to the media file to remove the manifest from.


Options


-o, --output <FILE>

A new path where the file should be output.


Help

truepic help [<COMMAND>]

truepic [<COMMAND>] --help

Print the full help documentation of the given command.

If no command is specified, the documentation for the root commands is shown.

truepic [<COMMAND>] -h

Print the summary help documentation of the given command.

If no command is specified, the documentation for the root commands is shown.


Version

truepic -V

truepic --version

Print the name and version of the command-line interface.