podman-image-sign(1)()                                  podman-image-sign(1)()

NAME

       podman-image-sign - Create a signature for an image

SYNOPSIS

       podman image sign [options] image [image ...]

DESCRIPTION

       podman image sign creates a local signature for one or more local
       images that have been pulled from a registry. The signature is written
       to a directory derived from the registry configuration files in
       $HOME/.config/containers/registries.d if it exists, otherwise
       /etc/containers/registries.d (unless overridden at compile-time); see
       containers-registries.d(5) for more information. By default, the
       signature is written into /var/lib/containers/sigstore for root and
       $HOME/.local/share/containers/sigstore for non-root users.

OPTIONS

   --help, -h
       Print usage statement.

   --all, -a
       Sign all the manifests of the multi-architecture image (default false).

   --cert-dir=path
       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       registry. Please refer to containers-certs.d(5) for details. (This
       option is not available with the remote Podman client.)

   --directory, -d=dir
       Store the signatures in the specified directory. Default:
       /var/lib/containers/sigstore

   --sign-by=identity
       Override the default identity of the signature.

EXAMPLES

       Sign the busybox image with the identity of foo@bar.com with a user's
       keyring and save the signature in /tmp/signatures/.

       sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

       The write (and read) location for signatures is defined in YAML-based
       configuration files in /etc/containers/registries.d/ for root, or
       $HOME/.config/containers/registries.d for non-root users. When you
       sign an image, Podman uses those configuration files to determine
       where to write the signature, based on the name of the originating
       registry or a default storage value, unless overridden with the
       --directory option. For example, consider the following configuration
       file.

       docker:
         privateregistry.example.com:
           sigstore: file:///var/lib/containers/sigstore

       When signing an image whose name is prefixed with the registry name
       'privateregistry.example.com', the signature will be written into
       sub-directories of
       /var/lib/containers/sigstore/privateregistry.example.com. The use of
       'sigstore' also means the signature will be read from that same
       location during pull-related operations.
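
       The lookup order described above (--directory, then the matching
       registry entry, then a default), as an added Python sketch that is not
       Podman's own code. The function names are hypothetical, and the
       most-specific-prefix match and the default-docker key follow
       containers-registries.d(5) rather than this page.

```python
import os
from urllib.parse import urlparse

ROOT_DEFAULT = "/var/lib/containers/sigstore"        # default for root (from the page)
USER_DEFAULT = ".local/share/containers/sigstore"    # default for non-root, under $HOME

def normalize(image):
    """Strip the transport prefix, any @digest and any :tag (a registry :port stays)."""
    name = image.split("://", 1)[-1].split("@", 1)[0]
    repo, sep, tail = name.rpartition("/")
    return repo + sep + tail.split(":", 1)[0]

def match_section(name, configs):
    """Most specific 'docker' entry whose key is a prefix of name, else 'default-docker'."""
    best_key, best, default = "", None, None
    for cfg in configs:
        default = cfg.get("default-docker", default)
        for key, section in (cfg.get("docker") or {}).items():
            if (name == key or name.startswith(key + "/")) and len(key) > len(best_key):
                best_key, best = key, section
    return best if best is not None else default

def signature_base(image, configs, directory=None, uid=0, home="/root"):
    """Base directory under which the signature for image is written."""
    if directory:                                   # --directory/-d overrides the config
        return directory
    section = match_section(normalize(image), configs)
    if section and section.get("sigstore"):
        url = urlparse(section["sigstore"])
        if url.scheme != "file":                    # assumption: only file:// is writable
            raise ValueError("not a local sigstore: " + section["sigstore"])
        return url.path
    return ROOT_DEFAULT if uid == 0 else os.path.join(home, USER_DEFAULT)

# Constructed sample: registries.d content already parsed from YAML. The first
# entry is the page's example; the namespace entry and its path are hypothetical.
SAMPLE = [{"docker": {
    "privateregistry.example.com": {"sigstore": "file:///var/lib/containers/sigstore"},
    "privateregistry.example.com/team": {"sigstore": "file:///srv/sigstore/team"},
}}]

if __name__ == "__main__":
    for ref in ("docker://privateregistry.example.com/foobar",
                "docker://privateregistry.example.com/team/app:1.0"):
        print(ref, "->", signature_base(ref, SAMPLE))
```
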

SEE ALSO

       containers-certs.d(5), containers-registries.d(5)

HISTORY

       November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)