podman-image-sign(1)        General Commands Manual       podman-image-sign(1)

NAME
       podman-image-sign - Create a signature for an image

SYNOPSIS
       podman image sign [options] image [image ...]

DESCRIPTION
       podman image sign will create a local signature for one or more local
       images that have been pulled from a registry. The signature will be
       written to a directory derived from the registry configuration files
       in $HOME/.config/containers/registries.d if it exists, otherwise
       /etc/containers/registries.d (unless overridden at compile-time); see
       containers-registries.d(5) for more information. By default, the
       signature will be written into /var/lib/containers/sigstore for root
       and $HOME/.local/share/containers/sigstore for non-root users.

OPTIONS
   --all, -a
       Sign all the manifests of the multi-architecture image (default false).

   --authfile=path
       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: There is also the option to override the default path of the
       authentication file by setting the REGISTRY_AUTH_FILE environment
       variable. This can be done with export REGISTRY_AUTH_FILE=path.

   --cert-dir=path
       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       registry. (Default: /etc/containers/certs.d) Please refer to
       containers-certs.d(5) for details. (This option is not available with
       the remote Podman client, including Mac and Windows (excluding WSL2)
       machines.)

   --directory, -d=dir
       Store the signatures in the specified directory. Default:
       /var/lib/containers/sigstore

   --help, -h
       Print usage statement.

   --sign-by=identity
       Override the default identity of the signature.

EXAMPLES
       Sign the busybox image with the identity of foo@bar.com with a user's
       keyring and save the signature in /tmp/signatures/.

       sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

       sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

       The write (and read) location for signatures is defined in YAML-based
       configuration files in /etc/containers/registries.d/ for root, or
       $HOME/.config/containers/registries.d for non-root users. When you
       sign an image, Podman will use those configuration files to determine
       where to write the signature based on the name of the originating
       registry or a default storage value unless overridden with the
       --directory option. For example, consider the following configuration
       file.

       docker:
         privateregistry.example.com:
           sigstore: file:///var/lib/containers/sigstore

       When signing an image preceded with the registry name
       'privateregistry.example.com', the signature will be written into
       sub-directories of
       /var/lib/containers/sigstore/privateregistry.example.com. The use of
       'sigstore' also means the signature will be 'read' from that same
       location on a pull-related function.
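       The following shell script is an added example; it is not part of
       this manual page or of Podman itself. It reproduces, as a stand-alone
       check that needs no registry access, the lookup rules stated above
       and under --authfile: which registries.d sigstore entry applies to an
       image's registry, which default directory is used when no entry
       matches (root versus non-root), how --directory takes precedence, and
       in which order the authentication file is located. The registries.d
       file it parses is a constructed sample written to a temporary
       directory, and the parser handles only the two-level docker: layout
       shown in this page. That --directory is treated exactly like a
       configured sigstore base (with the registry name appended as a
       sub-directory), and that nothing below the registry-level directory
       is modelled, are assumptions of this example, not statements of this
       page.

```shell
#!/bin/sh
# Added example (not from the podman man page): resolve where `podman image sign`
# would place signatures and which auth file it would use, per the page's rules.

# Print the sigstore value configured for REGISTRY in CONFIG, with any
# "file://" prefix stripped; print nothing if the registry has no entry.
# Only the "docker: / <registry>: / sigstore:" layout shown on the page is parsed.
sigstore_for_registry() {
    config="$1"; registry="$2"
    awk -v want="$registry" '
        /^docker:/                      { in_docker = 1; next }
        /^[^[:space:]]/                 { in_docker = 0 }
        in_docker && /^  [^ ]/          { reg = $1; sub(/:$/, "", reg); next }
        in_docker && reg == want && $1 == "sigstore:" {
            val = $2; sub("^file://", "", val); print val; exit
        }' "$config"
}

# Default signature store when no registries.d entry and no --directory apply:
# root writes to /var/lib/containers/sigstore, other users below $HOME.
default_sigstore_dir() {
    uid="$1"; home="$2"
    if [ "$uid" -eq 0 ]; then
        echo /var/lib/containers/sigstore
    else
        echo "$home/.local/share/containers/sigstore"
    fi
}

# Registry-level directory that will hold the signatures for IMAGE.
# Args: CONFIG IMAGE UID HOME [OVERRIDE]; OVERRIDE models --directory and is
# assumed here to replace the base directory (an assumption of this example).
signature_dir() {
    config="$1"; image="${2#docker://}"; uid="$3"; home="$4"; override="$5"
    registry="${image%%/*}"                     # part before the first slash
    if [ -n "$override" ]; then
        base="$override"
    else
        base=$(sigstore_for_registry "$config" "$registry")
        [ -n "$base" ] || base=$(default_sigstore_dir "$uid" "$home")
    fi
    echo "$base/$registry"
}

# Authfile lookup order from the page: REGISTRY_AUTH_FILE if set, then
# ${XDG_RUNTIME_DIR}/containers/auth.json if present, else $HOME/.docker/config.json.
resolve_authfile() {
    if [ -n "${REGISTRY_AUTH_FILE:-}" ]; then
        echo "$REGISTRY_AUTH_FILE"
    elif [ -f "${XDG_RUNTIME_DIR:-/nonexistent}/containers/auth.json" ]; then
        echo "$XDG_RUNTIME_DIR/containers/auth.json"
    else
        echo "$HOME/.docker/config.json"
    fi
}

# Demo with a constructed registries.d file (sample content, not a host config).
demo_dir=$(mktemp -d)
cat > "$demo_dir/privateregistry.yaml" <<'EOF'
docker:
  privateregistry.example.com:
    sigstore: file:///var/lib/containers/sigstore
EOF
echo "configured registry: $(signature_dir "$demo_dir/privateregistry.yaml" docker://privateregistry.example.com/foobar 0 /root "")"
echo "unlisted, non-root:  $(signature_dir "$demo_dir/privateregistry.yaml" other.example.com/foobar 1000 /home/alice "")"
echo "with --directory:    $(signature_dir "$demo_dir/privateregistry.yaml" privateregistry.example.com/foobar 0 /root /tmp/signatures)"
echo "authfile in use:     $(resolve_authfile)"
rm -rf "$demo_dir"
```

       Run it as a normal user and compare the printed directories with the
       registries.d files actually present on the host; a mismatch between
       the directory a signing run writes to and the one a pull reads from
       is the usual reason a locally created signature is not found.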

SEE ALSO
       containers-certs.d(5), containers-registries.d(5)

HISTORY
       November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)

                                                         podman-image-sign(1)