podman-image-sign(1) General Commands Manual podman-image-sign(1)

podman-image-sign - Create a signature for an image

podman image sign [options] image [image ...]

podman image sign will create a local signature for one or more local
images that have been pulled from a registry. The signature will be
written to a directory derived from the registry configuration files in
$HOME/.config/containers/registries.d if it exists, otherwise
/etc/containers/registries.d (unless overridden at compile-time); see
containers-registries.d(5) for more information. By default, the
signature will be written into /var/lib/containers/sigstore for root and
$HOME/.local/share/containers/sigstore for non-root users.

--all, -a
Sign all the manifests of the multi-architecture image (default false).

--authfile=path
Path of the authentication file. Default is
${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman
login. If the authorization state is not found there,
$HOME/.docker/config.json is checked, which is set using docker login.

Note: There is also the option to override the default path of the
authentication file by setting the REGISTRY_AUTH_FILE environment
variable. This can be done with export REGISTRY_AUTH_FILE=path.

--cert-dir=path
Use certificates at path (*.crt, *.cert, *.key) to connect to the
registry. (Default: /etc/containers/certs.d) Please refer to
containers-certs.d(5) for details. (This option is not available with
the remote Podman client, including Mac and Windows (excluding WSL2)
machines.)

--directory, -d=dir
Store the signatures in the specified directory. Default:
/var/lib/containers/sigstore

--help, -h
Print usage statement.

--sign-by=identity
Override the default identity of the signature.

Sign the busybox image with the identity of foo@bar.com with a user's
keyring and save the signature in /tmp/signatures/.

sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

The write (and read) location for signatures is defined in YAML-based
configuration files in /etc/containers/registries.d/ for root, or
$HOME/.config/containers/registries.d for non-root users. When you
sign an image, Podman will use those configuration files to determine
where to write the signature based on the name of the originating
registry or a default storage value unless overridden with the
--directory option. For example, consider the following configuration
file.

docker:
  privateregistry.example.com:
    sigstore: file:///var/lib/containers/sigstore

When signing an image preceded with the registry name
'privateregistry.example.com', the signature will be written into
sub-directories of
/var/lib/containers/sigstore/privateregistry.example.com. The use of
'sigstore' also means the signature will be 'read' from that same
location on a pull-related function.

containers-certs.d(5), containers-registries.d(5)

November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)