CLI Reference

Complete reference for all SourceSeal CLI commands. Each command includes usage syntax, available flags, and examples.

sourceseal init

Initialize SourceSeal in your environment. Generates an Ed25519 key pair for signing and creates a default configuration file at ~/.sourceseal/config.json.

Usage

```bash
sourceseal init
```

Example

```bash
$ sourceseal init
Generating Ed25519 key pair...
Key pair saved to ~/.sourceseal/keys/
Config written to ~/.sourceseal/config.json
SourceSeal initialized successfully.
```

sourceseal sign

Sign a software artifact and create a blockchain-anchored attestation. Computes the SHA-256 hash of the artifact, signs it with your Ed25519 private key, and submits the attestation to the SourceSeal API server.

Usage

```bash
sourceseal sign <artifact> [--ecosystem <name>] [--key <path>]
```

Flags

| Flag | Description |
|---|---|
| `--ecosystem <name>` | Override automatic ecosystem detection. Supported values: npm, pip. |
| `--key <path>` | Path to a specific private key file. Defaults to the first .key file in the keys directory. |

Example

```bash
# Sign with automatic ecosystem detection
$ sourceseal sign mypackage.tgz

# Sign with explicit ecosystem and key
$ sourceseal sign mypackage.tgz --ecosystem npm --key ~/.sourceseal/keys/prod.key
```

sourceseal verify

Verify a software artifact against its blockchain-anchored attestation. Computes the artifact hash, queries the API server, and confirms the attestation exists on the Hyperledger Fabric ledger.

Usage

```bash
sourceseal verify <artifact> [--offline] [--attestation <path>]
```

Flags

| Flag | Description |
|---|---|
| `--offline` | Verify against a local attestation JSON file instead of querying the API server. |
| `--attestation <path>` | Path to a local attestation JSON file. Required when using `--offline`. |

Example

```bash
# Online verification (queries the API server)
$ sourceseal verify mypackage.tgz

# Offline verification against a local attestation
$ sourceseal verify mypackage.tgz --offline --attestation attestation.json
```

sourceseal keys list

List all signing keys stored in the local keystore at ~/.sourceseal/keys/. Shows key IDs, creation dates, and public key fingerprints.

Usage

```bash
sourceseal keys list
```

Example

```bash
$ sourceseal keys list
KEY ID                            CREATED              ALGORITHM
abcdef0123456789abcdef0123456789  2025-01-15 10:30:00  Ed25519
1234567890abcdef1234567890abcdef  2025-02-20 14:15:00  Ed25519
```

sourceseal keys export

Export a public key in PEM format to stdout. Useful for sharing your public key with others or registering it with the API server.

Usage

```bash
sourceseal keys export <key-id>
```

Example

```bash
$ sourceseal keys export abcdef0123456789abcdef0123456789
-----BEGIN SOURCESEAL ED25519 PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END SOURCESEAL ED25519 PUBLIC KEY-----
```

sourceseal audit

List all attestations for a given package name. Queries the API server and displays the attestation history, including versions, timestamps, and verification status.

Usage

```bash
sourceseal audit <package>
```

Example

```bash
$ sourceseal audit @myorg/my-package
HASH         VERSION  SIGNER       TIMESTAMP             STATUS
a1b2c3d4...  1.0.0    abcdef01...  2025-01-15 10:30:00   verified
b2c3d4e5...  1.1.0    abcdef01...  2025-02-20 14:15:00   verified
```

sourceseal sbom generate

Generate a Software Bill of Materials (SBOM) from a project directory or manifest file. Supports CycloneDX and SPDX formats. The generated SBOM can be linked to attestation records.

Usage

```bash
sourceseal sbom generate <path> [--format cyclonedx|spdx] [--output <file>]
```

Flags

| Flag | Description |
|---|---|
| `--format <format>` | SBOM format: cyclonedx (default) or spdx. |
| `--output <file>` | Write the SBOM to a file instead of stdout. |

Example

```bash
# Generate CycloneDX SBOM (default)
$ sourceseal sbom generate ./my-project

# Generate SPDX SBOM and write to a file
$ sourceseal sbom generate ./my-project --format spdx --output sbom.spdx.json
```

Global Commands

| Command | Description |
|---|---|
| `sourceseal version` | Print the CLI version. |
| `sourceseal help` | Show usage information. |