oracular (1) docker-image-sign.1.gz

Provided by: podman_5.0.3+ds1-5ubuntu1_amd64 bug

NAME
       podman-image-sign - Create a signature for an image


SYNOPSIS
       podman image sign [options] image [image ...]


DESCRIPTION
       podman  image  sign  creates  a local signature for one or more local images that have been pulled from a
       registry. The signature is written to a directory  derived  from  the  registry  configuration  files  in
       $HOME/.config/containers/registries.d   if  it  exists,  otherwise  /etc/containers/registries.d  (unless
       overridden at compile-time), see  containers-registries.d(5)  for  more  information.   By  default,  the
       signature       is       written       into      /var/lib/containers/sigstore      for      root      and
       $HOME/.local/share/containers/sigstore for non-root users


OPTIONS
   --all, -a
       Sign all the manifests of the multi-architecture image (default false).

   --authfile=path
       Path of the  authentication  file.  Default  is  ${XDG_RUNTIME_DIR}/containers/auth.json  on  Linux,  and
       $HOME/.config/containers/auth.json  on  Windows/macOS.   The  file  is  created  by  podman login. If the
       authorization state is not found there, $HOME/.docker/config.json is checked, which is set  using  docker
       login.

       Note:  There  is  also  the option to override the default path of the authentication file by setting the
       REGISTRY_AUTH_FILE environment variable. This can be done with export REGISTRY_AUTH_FILE=path.

   --cert-dir=path
       Use  certificates  at  path  (*.crt,   *.cert,   *.key)   to   connect   to   the   registry.   (Default:
       /etc/containers/certs.d)  For details, see containers-certs.d(5).  (This option is not available with the
       remote Podman client, including Mac and Windows (excluding WSL2) machines)

   --directory, -d=dir
       Store the signatures in the specified directory.  Default: /var/lib/containers/sigstore

   --help, -h
       Print usage statement.

   --sign-by=identity
       Override the default identity of the signature.


EXAMPLES
       Sign the busybox image with the identity of foo@bar.com with a user's keyring and save the  signature  in
       /tmp/signatures/.

          $ sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

          $ sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar


       The  write  (and  read)  location  for  signatures  is  defined  in  YAML-based  configuration  files  in
       /etc/containers/registries.d/ for root,  or  $HOME/.config/containers/registries.d  for  non-root  users.
       When  signing  an  image, Podman uses those configuration files to determine where to write the signature
       based on the name of the originating registry or a default  storage  value  unless  overridden  with  the
       --directory option. For example, consider the following configuration file.

       docker:
         privateregistry.example.com:
           sigstore: file:///var/lib/containers/sigstore

       When  signing  an  image  preceded with the registry name 'privateregistry.example.com', the signature is
       written into sub-directories  of  /var/lib/containers/sigstore/privateregistry.example.com.  The  use  of
       'sigstore' also means the signature is 'read' from that same location on a pull-related function.


SEE ALSO
       containers-certs.d(5), containers-registries.d(5)


HISTORY
       November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)

                                                                                            podman-image-sign(1)