1podman-image-sign(1) General Commands Manual podman-image-sign(1)
2
3
4
6 podman-image-sign - Create a signature for an image
7
8
10 podman image sign [options] image [image ...]
11
12
14 podman image sign creates a local signature for one or more local im‐
15 ages that have been pulled from a registry. The signature is written to
16 a directory derived from the registry configuration files in
17 $HOME/.config/containers/registries.d if it exists, otherwise /etc/con‐
18 tainers/registries.d (unless overridden at compile-time), see contain‐
19 ers-registries.d(5) for more information. By default, the signature is
20 written into /var/lib/containers/sigstore for root and $HOME/.lo‐
21 cal/share/containers/sigstore for non-root users
22
23
25 --all, -a
26 Sign all the manifests of the multi-architecture image (default false).
27
28
29 --authfile=path
30 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
31 ers/auth.json on Linux, and $HOME/.config/containers/auth.json on Win‐
32 dows/macOS. The file is created by podman login. If the authorization
33 state is not found there, $HOME/.docker/config.json is checked, which
34 is set using docker login.
35
36
37 Note: There is also the option to override the default path of the au‐
38 thentication file by setting the REGISTRY_AUTH_FILE environment vari‐
39 able. This can be done with export REGISTRY_AUTH_FILE=path.
40
41
42 --cert-dir=path
43 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
44 istry. (Default: /etc/containers/certs.d) For details, see containers-
45 certs.d(5). (This option is not available with the remote Podman
46 client, including Mac and Windows (excluding WSL2) machines)
47
48
49 --directory, -d=dir
50 Store the signatures in the specified directory. Default:
51 /var/lib/containers/sigstore
52
53
54 --help, -h
55 Print usage statement.
56
57
58 --sign-by=identity
59 Override the default identity of the signature.
60
61
63 Sign the busybox image with the identity of foo@bar.com with a user's
64 keyring and save the signature in /tmp/signatures/.
65
66 $ sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
67
68 $ sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar
69
70
71
73 The write (and read) location for signatures is defined in YAML-based
74 configuration files in /etc/containers/registries.d/ for root, or
75 $HOME/.config/containers/registries.d for non-root users. When signing
76 an image, Podman uses those configuration files to determine where to
77 write the signature based on the name of the originating registry or a
78 default storage value unless overridden with the --directory option.
79 For example, consider the following configuration file.
80
81 docker:
82 privateregistry.example.com:
83 sigstore: file:///var/lib/containers/sigstore
84
85
86
87 When signing an image preceded with the registry name 'privatereg‐
88 istry.example.com', the signature is written into sub-directories of
89 /var/lib/containers/sigstore/privateregistry.example.com. The use of
90 'sigstore' also means the signature is 'read' from that same location
91 on a pull-related function.
92
93
95 containers-certs.d(5), containers-registries.d(5)
96
97
99 November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)
100
101
102
103 podman-image-sign(1)