github.com/containers/podman/v2@v2.2.2-0.20210501105131-c1e07d070c4c/docs/source/markdown/podman-image-sign.1.md

% podman-image-sign(1)

## NAME
podman-image-sign - Create a signature for an image

## SYNOPSIS
**podman image sign** [*options*] *image* [*image* ...]

## DESCRIPTION
**podman image sign** creates a local signature for one or more local images that have
been pulled from a registry. The signature is written to a directory
derived from the registry configuration files in /etc/containers/registries.d. By default, the signature is written into the /var/lib/containers/sigstore directory.

## OPTIONS

#### **--help**, **-h**

Print usage statement.

#### **--cert-dir**=*path*

Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands)

#### **--directory**, **-d**=*dir*

Store the signatures in the specified directory. Default: /var/lib/containers/sigstore

#### **--sign-by**=*identity*

Override the default identity of the signature.

## EXAMPLES
Sign the busybox image with the identity of foo@bar.com with a user's keyring and save the signature in /tmp/signatures/.

    sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

## RELATED CONFIGURATION

The write (and read) location for signatures is defined in YAML-based
configuration files in /etc/containers/registries.d/. When you sign
an image, Podman uses those configuration files to determine
where to write the signature, based on the name of the originating
registry or a default storage value, unless overridden with the --directory
option. For example, consider the following configuration file.

    docker:
      privateregistry.example.com:
        sigstore: file:///var/lib/containers/sigstore

When signing an image whose name begins with the registry name 'privateregistry.example.com',
the signature is written into sub-directories of
/var/lib/containers/sigstore/privateregistry.example.com. The use of 'sigstore' also means
that the signature is read from that same location by pull-related functions.

## HISTORY
November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)
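
The lookup described under RELATED CONFIGURATION, as an added example that is not Podman's own code: it resolves where signatures for an image are read from, where a signing run writes them, and whether the two agree when `--directory` is used. Assumptions: the configuration is passed as an already-parsed dictionary, the function names are hypothetical, and the most-specific-first matching and the `default-docker` fallback follow containers-registries.d(5) rather than this page.

```python
DEFAULT_SIGSTORE = "file:///var/lib/containers/sigstore"  # default named on the page

# The page's registries.d example as it looks once the YAML is parsed, plus
# one constructed repository-level entry to show most-specific-first matching.
REGISTRIES_D = {
    "docker": {
        "privateregistry.example.com": {
            "sigstore": "file:///var/lib/containers/sigstore"},
        "privateregistry.example.com/team": {  # constructed entry
            "sigstore": "file:///srv/sigstore/team"},
    }
}

def candidate_scopes(image):
    """Yield config keys to try, most specific first: host/a/b, host/a, host."""
    if image.startswith("docker://"):
        image = image[len("docker://"):]
    name = image.split("@")[0]                 # drop a digest, if any
    if ":" in name.rsplit("/", 1)[-1]:         # drop a tag, keep a registry port
        name = name[:name.rindex(":")]
    parts = name.split("/")
    for i in range(len(parts), 0, -1):
        yield "/".join(parts[:i])

def read_location(image, config=REGISTRIES_D):
    """Where a pull looks for signatures of this image."""
    docker = config.get("docker", {})
    entry = next((docker[s] for s in candidate_scopes(image) if s in docker), {})
    return (entry.get("sigstore")
            or config.get("default-docker", {}).get("sigstore")
            or DEFAULT_SIGSTORE)

def write_location(image, directory=None, config=REGISTRIES_D):
    """Where 'podman image sign' writes; --directory overrides the config."""
    return "file://" + directory if directory else read_location(image, config)

def check(image, directory=None, config=REGISTRIES_D):
    """Report whether the signing directory is the one pulls read from."""
    w = write_location(image, directory, config)
    r = read_location(image, config)
    return {"write": w, "read": r, "same_location": w.rstrip("/") == r.rstrip("/")}

if __name__ == "__main__":
    print(check("docker://privateregistry.example.com/foobar", "/tmp/signatures"))
    print(check("docker://privateregistry.example.com/foobar"))
```

For the command in EXAMPLES, `same_location` is false: signatures saved with `--directory /tmp/signatures` have to be moved or published to the configured sigstore before a pull can find them.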