podman-image-sign(1)()                                  podman-image-sign(1)()

NAME

       podman-image-sign - Create a signature for an image

SYNOPSIS

       podman image sign [options] image [image ...]

DESCRIPTION

       podman image sign creates a local signature for one or more local
       images that have been pulled from a registry. The signature is written
       to a directory derived from the registry configuration files in
       $HOME/.config/containers/registries.d if it exists, otherwise
       /etc/containers/registries.d (unless overridden at compile-time); see
       containers-registries.d(5) for more information. By default, the
       signature is written into /var/lib/containers/sigstore for root and
       $HOME/.local/share/containers/sigstore for non-root users.

OPTIONS

   --all, -a
       Sign all the manifests of the multi-architecture image (default false).

   --authfile=path
       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json

       Note: You can also override the default path of the authentication file
       by setting the REGISTRY_AUTH_FILE environment variable.

       export REGISTRY_AUTH_FILE=path

   --cert-dir=path
       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       registry. (Default: /etc/containers/certs.d) Please refer to
       containers-certs.d(5) for details. (This option is not available with
       the remote Podman client, including Mac and Windows (excluding WSL2)
       machines)

   --directory, -d=dir
       Store the signatures in the specified directory. Default:
       /var/lib/containers/sigstore

   --help, -h
       Print usage statement.

   --sign-by=identity
       Override the default identity of the signature.

EXAMPLES

       Sign the busybox image with the identity of foo@bar.com with a user's
       keyring and save the signature in /tmp/signatures/.

       sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

       sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

       The write (and read) location for signatures is defined in YAML-based
       configuration files in /etc/containers/registries.d/ for root, or
       $HOME/.config/containers/registries.d for non-root users. When you
       sign an image, Podman uses those configuration files to determine
       where to write the signature, based on the name of the originating
       registry or a default storage value, unless overridden with the
       --directory option. For example, consider the following configuration
       file.

       docker:
         privateregistry.example.com:
           sigstore: file:///var/lib/containers/sigstore

       When signing an image whose name is preceded by the registry name
       'privateregistry.example.com', the signature will be written into
       sub-directories of
       /var/lib/containers/sigstore/privateregistry.example.com. The use of
       'sigstore' also means the signature will be 'read' from that same
       location on a pull-related function.
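       The lookup order described above, as an added Python sketch that is
       not part of podman: --directory first, then the registry's docker:
       entry, then a default. The function names, the default-docker sample
       value and the small YAML-subset parser are assumptions made for this
       example.

```python
# Constructed sample: the registries.d file shown above plus a default-docker
# entry (a real containers-registries.d(5) key; its value here is made up).
SAMPLE = """\
default-docker:
  sigstore: file:///srv/sigstore-default
docker:
  privateregistry.example.com:
    sigstore: file:///var/lib/containers/sigstore
"""

def parse_mapping(text):
    """Parse the nested 'key: value' YAML subset used in the sample above."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs, innermost mapping last
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        while stack[-1][0] >= indent:  # leave mappings we have dedented out of
            stack.pop()
        body = line.strip()
        if body.endswith(":"):  # key that opens a nested mapping
            child = {}
            stack[-1][1][body[:-1]] = child
            stack.append((indent, child))
        else:  # scalar entry; split once so 'file://' colons stay in the value
            key, value = body.split(": ", 1)
            stack[-1][1][key] = value.strip()
    return root

def sigstore_root(image, config, directory=None, home=None):
    """Return (store root, deciding rule) for the signatures of `image`."""
    if directory:  # --directory overrides the configuration files
        return directory, "--directory"
    ref = image[len("docker://"):] if image.startswith("docker://") else image
    registry = ref.split("/", 1)[0]
    candidates = (("docker:" + registry, config.get("docker", {}).get(registry)),
                  ("default-docker", config.get("default-docker")))
    for rule, entry in candidates:
        if entry and "sigstore" in entry:
            if not entry["sigstore"].startswith("file://"):
                raise ValueError(rule + ": this sketch only resolves file:// stores")
            # Signatures then go into sub-directories of <root>/<registry>.
            return entry["sigstore"][len("file://"):], rule
    # No matching entry: built-in default, per-user when home is given (non-root).
    if home:
        return home + "/.local/share/containers/sigstore", "built-in default"
    return "/var/lib/containers/sigstore", "built-in default"
```

       Running it over every image you sign shows which rule decided each
       write location, which makes a missing or misspelled registry entry
       visible before signatures end up in an unexpected store.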

SEE ALSO

       containers-certs.d(5), containers-registries.d(5)

HISTORY

       November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)