1podman-image-sign(1)() podman-image-sign(1)()
2
3
4
6 podman-image-sign - Create a signature for an image
7
8
10 podman image sign [options] image [image ...]
11
12
14 podman image sign will create a local signature for one or more local
15 images that have been pulled from a registry. The signature will be
16 written to a directory derived from the registry configuration files in
17 $HOME/.config/containers/registries.d if it exists, otherwise /etc/con‐
18 tainers/registries.d (unless overridden at compile-time), see contain‐
19 ers-registries.d(5) for more information. By default, the signature
20 will be written into /var/lib/containers/sigstore for root and
21 $HOME/.local/share/containers/sigstore for non-root users
22
23
25 --help, -h
26 Print usage statement.
27
28
29 --all, -a
30 Sign all the manifests of the multi-architecture image (default false).
31
32
33 --cert-dir=path
34 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
35 istry. Please refer to containers-certs.d(5) for details. (This option
36 is not available with the remote Podman client)
37
38
39 --directory, -d=dir
40 Store the signatures in the specified directory. Default:
41 /var/lib/containers/sigstore
42
43
44 --sign-by=identity
45 Override the default identity of the signature.
46
47
49 Sign the busybox image with the identity of foo@bar.com with a user's
50 keyring and save the signature in /tmp/signatures/.
51
52
53 sudo podman image sign --sign-by foo@bar.com --directory /tmp/signa‐
54 tures docker://privateregistry.example.com/foobar
55
56
58 The write (and read) location for signatures is defined in YAML-based
59 configuration files in /etc/containers/registries.d/ for root, or
60 $HOME/.config/containers/registries.d for non-root users. When you
61 sign an image, Podman will use those configuration files to determine
62 where to write the signature based on the the name of the originating
63 registry or a default storage value unless overridden with the --direc‐
64 tory option. For example, consider the following configuration file.
65
66
67 docker:
68 privateregistry.example.com:
69 sigstore: file:///var/lib/containers/sigstore
70
71
72 When signing an image preceded with the registry name 'privatereg‐
73 istry.example.com', the signature will be written into sub-directories
74 of /var/lib/containers/sigstore/privateregistry.example.com. The use of
75 'sigstore' also means the signature will be 'read' from that same loca‐
76 tion on a pull-related function.
77
78
80 containers-certs.d(5), containers-registries.d(5)
81
82
84 November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)
85
86
87
88 podman-image-sign(1)()