Provided by: podman_3.4.4+ds1-1ubuntu1.22.04.3_amd64

NAME

       podman-image-sign - Create a signature for an image

SYNOPSIS

       podman image sign [options] image [image ...]

DESCRIPTION

       podman image sign will create a local signature for one or more local images that have been pulled from a
       registry. The signature will be written to a directory derived from the registry configuration files in
       $HOME/.config/containers/registries.d if it exists, otherwise /etc/containers/registries.d (unless
       overridden at compile-time); see containers-registries.d(5) for more information. By default, the
       signature will be written into /var/lib/containers/sigstore for root and
       $HOME/.local/share/containers/sigstore for non-root users.

OPTIONS

   --help, -h
       Print usage statement.

   --all, -a
       Sign all the manifests of the multi-architecture image (default false).

   --cert-dir=path
       Use certificates at path (*.crt, *.cert, *.key) to connect to the registry. (Default:
       /etc/containers/certs.d) Please refer to containers-certs.d(5) for details. (This option is not available
       with the remote Podman client)

   --directory, -d=dir
       Store the signatures in the specified directory. Default: /var/lib/containers/sigstore

   --sign-by=identity
       Override the default identity of the signature.

EXAMPLES

       Sign the busybox image with the identity of foo@bar.com with a user's keyring and save the signature in
       /tmp/signatures/.

       sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

RELATED CONFIGURATION

       The write (and read) location for signatures is defined in YAML-based configuration files in
       /etc/containers/registries.d/ for root, or $HOME/.config/containers/registries.d for non-root users.
       When you sign an image, Podman will use those configuration files to determine where to write the
       signature based on the name of the originating registry or a default storage value unless overridden
       with the --directory option. For example, consider the following configuration file.

       docker:
         privateregistry.example.com:
           sigstore: file:///var/lib/containers/sigstore

       When signing an image preceded with the registry name 'privateregistry.example.com', the signature will
       be written into sub-directories of /var/lib/containers/sigstore/privateregistry.example.com. The use of
       'sigstore' also means the signature will be 'read' from that same location on a pull-related function.
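
       The precedence described above (--directory, then the registries.d entry for the registry, then the
       built-in default), as an added example that is not part of Podman or of the original page. The
       function names are hypothetical, and the parser assumes only the flat docker: / host: / sigstore:
       shape shown above; the full matching rules are in containers-registries.d(5).

```shell
#!/usr/bin/env bash
# Added example: predict the base directory `podman image sign` writes to,
# using only the precedence this man page describes.
# Assumption: registries.d files use the flat shape shown on the page
#   (docker: -> <registry-host>: -> sigstore: file://...), unquoted keys.

# registries_d_dir HOME_DIR [SYSTEM_DIR]: per-user dir if it exists, else system dir.
registries_d_dir() {
  if [ -d "$1/.config/containers/registries.d" ]; then
    printf '%s\n' "$1/.config/containers/registries.d"
  else
    printf '%s\n' "${2:-/etc/containers/registries.d}"
  fi
}

# configured_sigstore CONF_DIR REGISTRY_HOST: print the local (file://) sigstore path, if any.
configured_sigstore() {
  local dir="$1" host="$2" f
  for f in "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    awk -v host="$host" '
      /^[^ #]/                     { in_docker = ($1 == "docker:"); in_host = 0; next }
      in_docker && /^  [^ #]/      { in_host = ($1 == host ":"); next }
      in_host && $1 == "sigstore:" { if (sub(/^file:\/\//, "", $2)) print $2; exit }
    ' "$f"
  done | head -n 1
}

# sign_target_dir UID HOME_DIR REGISTRY_HOST [DIRECTORY_OVERRIDE] [SYSTEM_DIR]
# Order: --directory value, then registries.d entry, then the documented defaults.
sign_target_dir() {
  local uid="$1" home="$2" host="$3" override="${4:-}"
  local system="${5:-/etc/containers/registries.d}" conf
  if [ -n "$override" ]; then printf '%s\n' "$override"; return; fi
  conf=$(configured_sigstore "$(registries_d_dir "$home" "$system")" "$host")
  if [ -n "$conf" ]; then printf '%s\n' "$conf"
  elif [ "$uid" -eq 0 ]; then printf '%s\n' /var/lib/containers/sigstore
  else printf '%s\n' "$home/.local/share/containers/sigstore"
  fi
}

# Where would the current user's signature for the page's example registry go?
sign_target_dir "$(id -u)" "${HOME:-/root}" privateregistry.example.com
```

       Running this before a signing job shows whether the signature will land in the shared store or in a
       per-user directory that later pulls do not consult.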

SEE ALSO

       containers-certs.d(5), containers-registries.d(5)

HISTORY

       November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)

                                                                                          podman-image-sign(1)