podman-image-sign(1)

1podman-image-sign(1)        General Commands Manual       podman-image-sign(1)
2
3
4

NAME

6       podman-image-sign - Create a signature for an image
7
8

SYNOPSIS

10       podman image sign [options] image [image ...]
11
12

DESCRIPTION

14       podman  image  sign creates a local signature for one or more local im‐
15       ages that have been pulled from a registry. The signature is written to
16       a   directory   derived   from  the  registry  configuration  files  in
17       $HOME/.config/containers/registries.d if it exists, otherwise /etc/con‐
18       tainers/registries.d  (unless overridden at compile-time), see contain‐
19       ers-registries.d(5) for more information.  By default, the signature is
20       written  into  /var/lib/containers/sigstore  for  root  and  $HOME/.lo‐
21       cal/share/containers/sigstore for non-root users
22
23

OPTIONS

25   --all, -a
26       Sign all the manifests of the multi-architecture image (default false).
27
28
29   --authfile=path
30       Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
31       ers/auth.json  on Linux, and $HOME/.config/containers/auth.json on Win‐
32       dows/macOS.  The file is created by podman login. If the  authorization
33       state  is  not found there, $HOME/.docker/config.json is checked, which
34       is set using docker login.
35
36
37       Note: There is also the option to override the default path of the  au‐
38       thentication  file  by setting the REGISTRY_AUTH_FILE environment vari‐
39       able. This can be done with export REGISTRY_AUTH_FILE=path.
40
41
42   --cert-dir=path
43       Use certificates at path (*.crt, *.cert, *.key) to connect to the  reg‐
44       istry.  (Default: /etc/containers/certs.d) For details, see containers-
45       certs.d(5).  (This option is  not  available  with  the  remote  Podman
46       client, including Mac and Windows (excluding WSL2) machines)
47
48
49   --directory, -d=dir
50       Store   the   signatures   in   the   specified   directory.   Default:
51       /var/lib/containers/sigstore
52
53
54   --help, -h
55       Print usage statement.
56
57
58   --sign-by=identity
59       Override the default identity of the signature.
60
61

EXAMPLES

63       Sign the busybox image with the identity of foo@bar.com with  a  user's
64       keyring and save the signature in /tmp/signatures/.
65
66
67                 $ sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
68
69                 $ sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
70
71
72

RELATED CONFIGURATION

74       The  write  (and read) location for signatures is defined in YAML-based
75       configuration  files  in  /etc/containers/registries.d/  for  root,  or
76       $HOME/.config/containers/registries.d for non-root users.  When signing
77       an image, Podman uses those configuration files to determine  where  to
78       write  the signature based on the name of the originating registry or a
79       default storage value unless overridden with  the  --directory  option.
80       For example, consider the following configuration file.
81
82
83              docker:
84                privateregistry.example.com:
85                  sigstore: file:///var/lib/containers/sigstore
86
87
88
89       When  signing  an  image  preceded  with the registry name 'privatereg‐
90       istry.example.com', the signature is written  into  sub-directories  of
91       /var/lib/containers/sigstore/privateregistry.example.com.  The  use  of
92       'sigstore' also means the signature is 'read' from that  same  location
93       on a pull-related function.
94
95

HISTORY

101       November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)
102
103
104
105                                                          podman-image-sign(1)