CLI Reference
Explore all of the commands and options available in the command-line interface
Enroll with AWS
truepic enroll aws [OPTIONS] --api-key <API_KEY> --region <REGION>
Store keys in AWS Key Management Service and their certificates in AWS Secrets Manager.
Options
-k, --api-key <API_KEY>
Your key that grants access to the Truepic API.
-v, --app-version <VERSION>
The version of the app calling this binary.
[default: 0.0.0]
-f, --force
Proceed with a new enrollment even if the existing key and certificate are valid.
The existing key and certificate will be replaced.
-j, --json
Output the profile as JSON on success instead of writing to a file.
-p, --profile <NAME>
The profile name to give this key and certificate.
By using different profiles, you can manage multiple keys and their certificates on the same machine.
[default: default]
-c, --subject-cn <COMMON_NAME>
The common name of the certificate's subject to request.
If not specified, "Truepic Lens CLI in " is used.
--region <REGION>
The AWS region (e.g., us-east-1) in which to store keys and their certificates.
--access-key-id <ACCESS_KEY_ID>
The Access Key ID to use for authentication.
Must be specified with --access-key-secret.
If not specified, the following are tried in order:
- Getting the value from the environment variable AWS_ACCESS_KEY_ID.
- Authenticating via the credential_process command in the AWS CLI's config file, usually located at ~/.aws/config.
- Authenticating via the AWS CLI's credentials file, usually located at ~/.aws/credentials.
- Authenticating via the instance profile assigned to the deployment environment (e.g., EC2).
--access-key-secret <ACCESS_KEY_SECRET>
The Access Key Secret to use for authentication.
Must be specified with --access-key-id.
If not specified, the following are tried in order:
- Getting the value from the environment variable AWS_ACCESS_KEY_ID.
- Authenticating via the credential_process command in the AWS CLI's config file, usually located at ~/.aws/config.
- Authenticating via the AWS CLI's credentials file, usually located at ~/.aws/credentials.
- Authenticating via the instance profile assigned to the deployment environment (e.g., EC2).
--cli-profile <CLI_PROFILE>
If authenticating via the AWS CLI, the name of the profile to use if it's different than default.
--key-id <KEY_ID>
If using a pre-existing key, the identifier of the key.
This can be either a key ID, a key ARN, an alias name, or an alias ARN.
Must be specified with --certificate-secret-id.
If not specified, a new key is created.
--certificate-secret-id <CERTIFICATE_SECRET_ID>
If using a pre-existing key, the identifier of the secret where the certificate is stored.
This can be either the ARN or the name of the secret.
Must be specified with --key-id.
If not specified, a new secret is created to store the key's certificate.
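The fallback order described for --access-key-id and --access-key-secret decides which AWS identity performs the enrollment, so it is worth checking before running the command. The shell functions below are an added example, not part of the Truepic CLI or its documentation: they mirror the documented order using presence checks only, and the optional directory argument is a hypothetical override of ~/.aws for testing.

```shell
#!/bin/sh
# Added example (not Truepic code): report which AWS credential source is
# reached first when --access-key-id/--access-key-secret are omitted,
# following the order in the option descriptions above.
# Presence checks only; nothing is sent to AWS.

# ini_has_key FILE SECTION KEY -> exit 0 if KEY is set under [SECTION]
ini_has_key() {
    [ -r "$1" ] || return 1
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ {                       # section header line
            sec = $0
            sub(/^[ \t]+/, "", sec); sub(/[ \t]+$/, "", sec)
            in_sec = (sec == want); next
        }
        in_sec && index($0, "=") {          # key = value inside the section
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", k)
            if (k == key) found = 1
        }
        END { exit !found }
    ' "$1"
}

# aws_credential_source [CLI_PROFILE] [AWS_DIR]
# CLI_PROFILE corresponds to --cli-profile; AWS_DIR is a hypothetical
# override of ~/.aws so the check can be pointed at a test directory.
aws_credential_source() {
    profile="${1:-default}"
    dir="${2:-${HOME:-}/.aws}"
    # In the config file, every profile except default is headed [profile NAME].
    if [ "$profile" = default ]; then cfg_sec=default; else cfg_sec="profile $profile"; fi

    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        echo environment
    elif ini_has_key "$dir/config" "$cfg_sec" credential_process; then
        echo credential_process
    elif ini_has_key "$dir/credentials" "$profile" aws_access_key_id; then
        echo credentials-file
    else
        echo instance-profile   # last resort; only works where one is assigned
    fi
}

# Report for the current machine; a profile name may be passed as $1.
aws_credential_source "${1:-default}"
```

A result of environment on a host that is meant to use its instance profile means a static key set in the environment would be tried first.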
Enroll with Azure
truepic enroll azure [OPTIONS] --api-key <API_KEY> --vault-uri <VAULT_URI>
Store keys and their certificates in Azure Key Vault.
Options
-k, --api-key <API_KEY>
Your key that grants access to the Truepic API.
-v, --app-version <VERSION>
The version of the app calling this binary.
[default: 0.0.0]
-f, --force
Proceed with a new enrollment even if the existing key and certificate are valid.
The existing key and certificate will be replaced.
-j, --json
Output the profile as JSON on success instead of writing to a file.
-p, --profile <NAME>
The profile name to give this key and certificate.
By using different profiles, you can manage multiple keys and their certificates on the same machine.
[default: default]
-c, --subject-cn <COMMON_NAME>
The common name of the certificate's subject to request.
If not specified, "Truepic Lens CLI in " is used.
--tenant-id <TENANT_ID>
The ID of the tenant/directory to authenticate with, found on Active Directory > Overview.
Must be specified with --client-id and --client-secret.
If not specified, the following are tried in order:
- Getting the value from the environment variable AZURE_TENANT_ID.
- Authenticating via the managed identity assigned to the deployment environment (Azure VMs, App Services, Function Apps).
- Authenticating via the Azure CLI.
--client-id <CLIENT_ID>
The client ID of the app registered in Active Directory to use for authentication.
Must be specified with --tenant-id and --client-secret.
If not specified, the following are tried in order:
- Getting the value from the environment variable AZURE_CLIENT_ID.
- Authenticating via the managed identity assigned to the deployment environment (Azure VMs, App Services, Function Apps).
- Authenticating via the Azure CLI.
--client-secret <CLIENT_SECRET>
The client secret of the app registered in Active Directory to use for authentication.
Must be specified with --tenant-id and --client-id.
If not specified, the following are tried in order:
- Getting the value from the environment variable AZURE_CLIENT_SECRET.
- Authenticating via the managed identity assigned to the deployment environment (Azure VMs, App Services, Function Apps).
- Authenticating via the Azure CLI.
--vault-uri <VAULT_URI>
The URI of the vault in which to store keys and their certificates.
This is found on the vault's "Overview" page.
--key-id <KEY_ID>
If using a pre-existing key, the identifier (URI) of the key, including version.
Must be specified with --certificate-secret-id.
If not specified, a new key is created.
--certificate-secret-id <CERTIFICATE_SECRET_ID>
If using a pre-existing key, the identifier (URI) of the secret where the certificate is stored.
Must be specified with --key-id.
If not specified, a new secret is created to store the key's certificate.
Enroll with File System
truepic enroll file-system [OPTIONS] --api-key <API_KEY>
Store keys and their certificates in the file system.
Options
-k, --api-key <API_KEY>
Your key that grants access to the Truepic API.
-v, --app-version <VERSION>
The version of the app calling this binary.
[default: 0.0.0]
-f, --force
Proceed with a new enrollment even if the existing key and certificate are valid.
The existing key and certificate will be replaced.
-j, --json
Output the profile as JSON on success instead of writing to a file.
-p, --profile <NAME>
The profile name to give this key and certificate.
By using different profiles, you can manage multiple keys and their certificates on the same machine.
[default: default]
-c, --subject-cn <COMMON_NAME>
The common name of the certificate's subject to request.
If not specified, "Truepic Lens CLI in " is used.
--private-key <FILE>
If using a pre-existing key, the path to the private key file.
Must be specified with --certificate.
If not specified, a new key is created.
--certificate <FILE>
If using a pre-existing key, the path to the certificate file.
Must be specified with --private-key.
If not specified, a new file is created to store the key's certificate.
Enroll with Inline
truepic enroll inline [OPTIONS] --api-key <API_KEY>
Store keys and their certificates inline with the profile.
Options
-k, --api-key <API_KEY>
Your key that grants access to the Truepic API.
-v, --app-version <VERSION>
The version of the app calling this binary.
[default: 0.0.0]
-f, --force
Proceed with a new enrollment even if the existing key and certificate are valid.
The existing key and certificate will be replaced.
-j, --json
Output the profile as JSON on success instead of writing to a file.
-p, --profile <NAME>
The profile name to give this key and certificate.
By using different profiles, you can manage multiple keys and their certificates on the same machine.
[default: default]
-c, --subject-cn <COMMON_NAME>
The common name of the certificate's subject to request.
If not specified, "Truepic Lens CLI in " is used.
--private-key <PEM>
If using a pre-existing key, the private key as a PEM-encoded string.
Must be specified with --certificate.
If not specified, a new key is created.
--certificate <PEM>
If using a pre-existing key, the certificate as a PEM-encoded string.
Must be specified with --private-key.
If not specified, a new certificate is requested.
Enroll with JSON
truepic enroll json [OPTIONS]
Pass the profile to enroll with as JSON.
Unlike the other key provider-specific commands, this allows any key provider to be configured with JSON.
An updated profile will be output as JSON on success.
Options
--file <FILE>
The path to a JSON file containing the profile.
Cannot be used with --inline at the same time.
This is the output from --json when enrolling with one of the key provider-specific commands.
-f, --force
Proceed with a new enrollment even if the existing key and certificate are valid.
The existing key and certificate will be replaced.
--inline <JSON>
The profile passed inline as a JSON string.
Cannot be used with --file at the same time.
This is the output from --json when enrolling with one of the key provider-specific commands.
Sign a Media File
truepic sign [OPTIONS] <FILE>
Cryptographically sign history/origin details into a media file.
Arguments
<FILE>
The path to the media file to sign.
This file will be replaced with the signed version unless a new path is specified with --output.
Options
-a, --assertions <FILE>
The path to a JSON file containing the assertions to sign into the file.
--assertions-inline <JSON>
A string of JSON containing the assertions to sign into the file.
-i, --ingredient <FILE>
The path to a media file that the <FILE> being signed has been created or derived from.
--no-tsa
Don't request a trusted timestamp from the Truepic time stamping authority (TSA).
-o, --output <FILE>
A new path where the signed media file should be output.
--output-manifest-store <FILE>
A path where the signed manifest store file should be output. This option will not modify the input media <FILE>.
-p, --profile <NAME>
The name of the profile to use for signing.
[default: default]
--profile-file <FILE>
The profile as a JSON file to use for signing.
--profile-inline <JSON>
The profile as a JSON string to use for signing instead of loading from a file.
--claim-generator-name <NAME>
The name of the claim generator, to be used in the claim-generator-info field of the claim.
--claim-generator-version <VERSION>
The version of the claim generator, to be used in the claim-generator-info field of the claim.
--claim-generator-icon-file <ICON_FILE>
An icon file to use as the claim generator's icon in the claim-generator-info field of the claim.
--target-spec-version <TARGET_SPEC_VERSION>
Can be used to specify the target C2PA spec version used for claim generation. The default value is "1.4".
--minimum-ingredient-spec-version <MINIMUM_INGREDIENT_SPEC_VERSION>
Can be used to specify the minimum C2PA spec version used for validating ingredient manifests during claim generation. The default value is "1.4".
--provided-thumbnail <PROVIDED_THUMBNAIL>
Path to either a JPEG or a PNG image to use as the thumbnail.
--provided-thumbnail-assertion-source <PROVIDED_THUMBNAIL_ASSERTION_SOURCE>
An enumeration ("created" or "gathered") indicating if the provided thumbnail data is added as a gathered or a created assertion. For spec 1.4 and previous, the value is ignored. Defaults to "gathered". If specified, then --provided-thumbnail must also be specified.
Verify a Media File
truepic verify [OPTIONS] <FILE>
Verify the cryptographically signed history/origin details in a media file.
Arguments
<FILE>
The path to the media file to verify.
Options
--no-ocsp
Don't check the revocation status of the signing certificate via OCSP.
--minimum-spec-version <MINIMUM_SPEC_VERSION>
Can be used to specify the minimum C2PA spec version allowed for validation. The default value is "1.4".
Extract a Manifest Store
truepic manifest extract [OPTIONS] <FILE>
Extract the manifest store from a media file.
Arguments
<FILE>
The path to the media file to extract the manifest from.
Options
-o, --output <FILE>
Required. A new path where the manifest file should be output. .c2pa extension recommended.
Insert a Manifest Store
truepic manifest insert [OPTIONS] <FILE> <MANIFEST_FILE>
Insert a manifest store, from a file, into an unsigned media file.
Arguments
<FILE>
The path to the media file to verify.
<MANIFEST_FILE>
The path to the manifest file.
Options
-o, --output <FILE>
A new path where the signed media file should be output.
Remove a Manifest Store
truepic manifest remove [OPTIONS] <FILE>
Remove the manifest store from a signed media file.
Arguments
<FILE>
The path to the media file to remove the manifest from.
Options
-o, --output <FILE>
A new path where the file should be output.
Help
truepic help [<COMMAND>]
truepic [<COMMAND>] --help
Print the full help documentation of the given command.
If no command is specified, the documentation for the root commands is shown.
truepic [<COMMAND>] -h
Print the summary help documentation of the given command.
If no command is specified, the documentation for the root commands is shown.
Version
truepic -V
truepic --version
Print the name and version of the command-line interface.