% podman-image-sign(1)

## NAME
podman-image-sign - Create a signature for an image

## SYNOPSIS
**podman image sign** [*options*] *image* [*image* ...]

## DESCRIPTION
**podman image sign** will create a local signature for one or more local images that have
been pulled from a registry. The signature will be written to a directory
derived from the registry configuration files in `$HOME/.config/containers/registries.d` if it exists,
otherwise `/etc/containers/registries.d` (unless overridden at compile-time). See **containers-registries.d(5)** for more information.
By default, the signature will be written into `/var/lib/containers/sigstore` for root and `$HOME/.local/share/containers/sigstore` for non-root users.

## OPTIONS

#### **--all**, **-a**

Sign all the manifests of the multi-architecture image (default false).

#### **--authfile**=*path*

Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json

Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. `export REGISTRY_AUTH_FILE=path`

#### **--cert-dir**=*path*

Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry. (Default: /etc/containers/certs.d)
Please refer to containers-certs.d(5) for details. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.)

#### **--directory**, **-d**=*dir*

Store the signatures in the specified directory. Default: /var/lib/containers/sigstore

#### **--help**, **-h**

Print usage statement.

#### **--sign-by**=*identity*

Override the default identity of the signature.

## EXAMPLES
Sign the busybox image with the identity of foo@bar.com with a user's keyring and save the signature in /tmp/signatures/.

    sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

    sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

## RELATED CONFIGURATION

The write (and read) location for signatures is defined in YAML-based
configuration files in /etc/containers/registries.d/ for root,
or $HOME/.config/containers/registries.d for non-root users. When you sign
an image, Podman will use those configuration files to determine
where to write the signature based on the name of the originating
registry or a default storage value unless overridden with the --directory
option. For example, consider the following configuration file.

    docker:
      privateregistry.example.com:
        sigstore: file:///var/lib/containers/sigstore

When signing an image preceded with the registry name 'privateregistry.example.com',
the signature will be written into sub-directories of
/var/lib/containers/sigstore/privateregistry.example.com. The use of 'sigstore' also means
the signature will be 'read' from that same location on a pull-related function.

## SEE ALSO
**[containers-certs.d(5)](https://github.com/containers/image/blob/main/docs/containers-certs.d.5.md)**, **[containers-registries.d(5)](https://github.com/containers/image/blob/main/docs/containers-registries.d.5.md)**

## HISTORY
November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)
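
The signature-location lookup described under RELATED CONFIGURATION, as an added example that is not Podman's own code: it applies the namespace matching documented in containers-registries.d(5), most specific `docker:` entry first, then `default-docker`, with `--directory` taking precedence. The names `registriesD`, `sigstoreDir` and `fallback` are assumptions of this example; the YAML is taken as already parsed, and only `file://` locations and tag (not digest) references are handled.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// registriesD is the parsed YAML: docker namespace -> sigstore URL.
type registriesD struct {
	Docker        map[string]string
	DefaultDocker string // default-docker sigstore, "" if unset
}

// sigstoreDir picks the write directory; dirFlag models --directory.
func sigstoreDir(cfg registriesD, image, dirFlag, fallback string) (string, error) {
	if dirFlag != "" {
		return dirFlag, nil
	}
	// Keep host/namespace/repo: drop the transport and any :tag.
	key := strings.TrimPrefix(image, "docker://")
	if i := strings.LastIndex(key, ":"); i > strings.LastIndex(key, "/") {
		key = key[:i]
	}
	store := cfg.DefaultDocker
	// Most specific entry wins: host/ns/repo, then host/ns, then host.
	for k := key; ; k = k[:strings.LastIndex(k, "/")] {
		if s, ok := cfg.Docker[k]; ok {
			store = s
			break
		}
		if !strings.Contains(k, "/") {
			break
		}
	}
	if store == "" {
		return fallback, nil
	}
	u, err := url.Parse(store)
	if err != nil || u.Scheme != "file" {
		return "", fmt.Errorf("sigstore %q is not a file:// location", store)
	}
	return u.Path, nil
}

func main() {
	cfg := registriesD{Docker: map[string]string{ // constructed sample
		"privateregistry.example.com": "file:///var/lib/containers/sigstore"}}
	fmt.Println(sigstoreDir(cfg, "docker://privateregistry.example.com/foobar", "", "/tmp/fallback"))
}
```

Running the same lookup before signing shows whether a signature will land in a directory that pull-time verification also reads, or in a per-user fallback that nothing else consults.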