podman-image-sign(1)

1podman-image-sign(1)()                                  podman-image-sign(1)()
2
3
4

NAME

6       podman-image-sign - Create a signature for an image
7
8

SYNOPSIS

10       podman image sign [options] image [image ...]
11
12

DESCRIPTION

14       podman  image  sign will create a local signature for one or more local
15       images that have been pulled from a registry.  The  signature  will  be
16       written to a directory derived from the registry configuration files in
17       /etc/containers/registries.d. By default, the signature will be written
18       into /var/lib/containers/sigstore directory.
19
20

OPTIONS

22       --help, -h
23
24
25       Print usage statement.
26
27
28       --cert-dir=path
29
30
31       Use  certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
32       istry.  Default certificates directory is /etc/containers/certs.d. (Not
33       available for remote commands)
34
35
36       --directory, -d=dir
37
38
39       Store   the   signatures   in   the   specified   directory.   Default:
40       /var/lib/containers/sigstore
41
42
43       --sign-by=identity
44
45
46       Override the default identity of the signature.
47
48

EXAMPLES

50       Sign the busybox image with the identify of foo@bar.com with  a  user's
51       keyring and save the signature in /tmp/signatures/.
52
53
54       sudo  podman  image  sign --sign-by foo@bar.com --directory /tmp/signa‐
55       tures docker://privateregistry.example.com/foobar
56
57

RELATED CONFIGURATION

59       The write (and read) location for signatures is defined  in  YAML-based
60       configuration files in /etc/containers/registries.d/.  When you sign an
61       image, Podman will use those configuration files to determine where  to
62       write  the  signature based on the the name of the originating registry
63       or a default  storage  value  unless  overriden  with  the  --directory
64       option. For example, consider the following configuration file.
65
66
67       docker:
68         privateregistry.example.com:
69           sigstore: file:///var/lib/containers/sigstore
70
71
72       When  signing  an  image  preceded  with the registry name 'privatereg‐
73       istry.example.com', the signature will be written into  sub-directories
74       of /var/lib/containers/sigstore/privateregistry.example.com. The use of
75       'sigstore' also means the signature will be 'read' from that same loca‐
76       tion on a pull-related function.
77
78

HISTORY

80       November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)
81
82
83
84                                                        podman-image-sign(1)()