podman-image-sign(1)        General Commands Manual        podman-image-sign(1)

NAME
       podman-image-sign - Create a signature for an image

SYNOPSIS
       podman image sign [options] image [image ...]

DESCRIPTION
       podman image sign creates a local signature for one or more local images
       that have been pulled from a registry. The signature is written to a
       directory derived from the registry configuration files in
       $HOME/.config/containers/registries.d if it exists, otherwise
       /etc/containers/registries.d (unless overridden at compile-time); see
       containers-registries.d(5) for more information. By default, the
       signature is written into /var/lib/containers/sigstore for root and
       $HOME/.local/share/containers/sigstore for non-root users.

OPTIONS
   --all, -a
       Sign all the manifests of the multi-architecture image (default false).

   --authfile=path
       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json on Linux, and
       $HOME/.config/containers/auth.json on Windows/macOS. The file is
       created by podman login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: There is also the option to override the default path of the
       authentication file by setting the REGISTRY_AUTH_FILE environment
       variable. This can be done with export REGISTRY_AUTH_FILE=path.

   --cert-dir=path
       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       registry. (Default: /etc/containers/certs.d) For details, see
       containers-certs.d(5). (This option is not available with the remote
       Podman client, including Mac and Windows (excluding WSL2) machines)

   --directory, -d=dir
       Store the signatures in the specified directory. Default:
       /var/lib/containers/sigstore

   --help, -h
       Print usage statement.

   --sign-by=identity
       Override the default identity of the signature.

EXAMPLES
       Sign the busybox image with the identity of foo@bar.com  with  a  user's
       keyring and save the signature in /tmp/signatures/.

          $ sudo podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

          $ sudo podman image sign --authfile=/tmp/foobar.json --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar

RELATED CONFIGURATION
       The  write  (and  read) location for signatures is defined in YAML-based
       configuration  files  in  /etc/containers/registries.d/  for  root,   or
       $HOME/.config/containers/registries.d  for non-root users.  When signing
       an image, Podman uses those configuration files to  determine  where  to
       write  the  signature based on the name of the originating registry or a
       default storage value unless overridden with the --directory option. For
       example, consider the following configuration file.

       docker:
         privateregistry.example.com:
           sigstore: file:///var/lib/containers/sigstore

       When signing an image preceded with the registry name
       'privateregistry.example.com', the signature is written into
       sub-directories of
       /var/lib/containers/sigstore/privateregistry.example.com. The use of
       'sigstore' also means the signature is 'read' from that same location on
       a pull-related function.
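
       The lookup described above, as an added shell example (not Podman's own
       code or parser): it resolves the signature store for a registry when
       --directory is not given. The function names, the exact-match lookup and
       the default-docker fallback key (taken from containers-registries.d(5))
       are assumptions beyond what this page shows.

```shell
#!/bin/sh
# Added example, not the Podman parser. Handles only the
# "docker: <registry>: sigstore:" shape shown on this page plus a
# "default-docker: sigstore:" fallback (assumed from containers-registries.d(5)).

# Per-user configuration directory if it exists, otherwise the system-wide one.
registries_dir() {
    if [ -d "$HOME/.config/containers/registries.d" ]; then
        printf '%s\n' "$HOME/.config/containers/registries.d"
    else
        printf '%s\n' /etc/containers/registries.d
    fi
}

# sigstore_for REGISTRY [CONFIG_DIR]: print where signatures would be stored.
sigstore_for() {
    registry=$1
    dir=${2:-$(registries_dir)}
    found=$(cat "$dir"/*.yaml 2>/dev/null | awk -v reg="$registry" '
        /^[ \t]*(#|$)/ { next }                           # comments, blank lines
        /^[^ \t]/      { section = $1; entry = ""; next } # top-level key
        $1 == "sigstore:" {
            if (section == "docker:" && entry == reg) specific = $2
            else if (section == "default-docker:" && entry == "") fallback = $2
            next
        }
        section == "docker:" && NF == 1 { entry = $1; sub(/:$/, "", entry) }
        END { print (specific != "" ? specific : fallback) }
    ')
    if [ -n "$found" ]; then
        printf '%s\n' "${found#file://}"    # file:///path -> /path
    elif [ "$(id -u)" -eq 0 ]; then
        printf '%s\n' /var/lib/containers/sigstore
    else
        printf '%s\n' "$HOME/.local/share/containers/sigstore"
    fi
}

# Constructed sample: the configuration from this page in a scratch directory.
demo=$(mktemp -d)
cat > "$demo/registry.yaml" <<'EOF'
docker:
  privateregistry.example.com:
    sigstore: file:///var/lib/containers/sigstore
EOF
sigstore_for privateregistry.example.com "$demo"   # configured entry
sigstore_for quay.io "$demo"                       # no entry: built-in default
rm -rf "$demo"
```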

SEE ALSO
       containers-certs.d(5), containers-registries.d(5)

HISTORY
       November 2018, Originally compiled by Qi Wang (qiwan at redhat dot com)

                                                           podman-image-sign(1)