summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cmd/podman/cliconfig/config.go1
-rw-r--r--cmd/podman/sign.go19
-rw-r--r--completions/bash/podman1
-rw-r--r--docs/podman-image-sign.1.md15
4 files changed, 29 insertions, 7 deletions
diff --git a/cmd/podman/cliconfig/config.go b/cmd/podman/cliconfig/config.go
index 9bc47333d..98e7aed4b 100644
--- a/cmd/podman/cliconfig/config.go
+++ b/cmd/podman/cliconfig/config.go
@@ -509,6 +509,7 @@ type SignValues struct {
PodmanCommand
Directory string
SignBy string
+ CertDir string
}
type StartValues struct {
diff --git a/cmd/podman/sign.go b/cmd/podman/sign.go
index de289047a..63ba9b904 100644
--- a/cmd/podman/sign.go
+++ b/cmd/podman/sign.go
@@ -46,7 +46,7 @@ func init() {
flags := signCommand.Flags()
flags.StringVarP(&signCommand.Directory, "directory", "d", "", "Define an alternate directory to store signatures")
flags.StringVar(&signCommand.SignBy, "sign-by", "", "Name of the signing key")
-
+ flags.StringVar(&signCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys")
}
// SignatureStoreDir defines default directory to store signatures
@@ -76,6 +76,13 @@ func signCmd(c *cliconfig.SignValues) error {
}
}
+ sc := runtime.SystemContext()
+ sc.DockerCertPath = c.CertDir
+
+ dockerRegistryOptions := image.DockerRegistryOptions{
+ DockerCertPath: c.CertDir,
+ }
+
mech, err := signature.NewGPGSigningMechanism()
if err != nil {
return errors.Wrap(err, "error initializing GPG")
@@ -85,7 +92,7 @@ func signCmd(c *cliconfig.SignValues) error {
return errors.Wrap(err, "signing is not supported")
}
- systemRegistriesDirPath := trust.RegistriesDirPath(runtime.SystemContext())
+ systemRegistriesDirPath := trust.RegistriesDirPath(sc)
registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath)
if err != nil {
return errors.Wrapf(err, "error reading registry configuration")
@@ -96,10 +103,14 @@ func signCmd(c *cliconfig.SignValues) error {
if err != nil {
return errors.Wrapf(err, "error parsing image name")
}
- rawSource, err := srcRef.NewImageSource(getContext(), runtime.SystemContext())
+ rawSource, err := srcRef.NewImageSource(getContext(), sc)
if err != nil {
return errors.Wrapf(err, "error getting image source")
}
+ err = rawSource.Close()
+ if err != nil {
+ logrus.Errorf("unable to close new image source %q", err)
+ }
manifest, _, err := rawSource.GetManifest(getContext(), nil)
if err != nil {
return errors.Wrapf(err, "error getting manifest")
@@ -114,7 +125,7 @@ func signCmd(c *cliconfig.SignValues) error {
if err != nil {
return err
}
- newImage, err := runtime.ImageRuntime().New(getContext(), signimage, rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{SignBy: signby}, nil, util.PullImageMissing)
+ newImage, err := runtime.ImageRuntime().New(getContext(), signimage, rtc.SignaturePolicyPath, "", os.Stderr, &dockerRegistryOptions, image.SigningOptions{SignBy: signby}, nil, util.PullImageMissing)
if err != nil {
return errors.Wrapf(err, "error pulling image %s", signimage)
}
diff --git a/completions/bash/podman b/completions/bash/podman
index 7280f4040..e6ffb135f 100644
--- a/completions/bash/podman
+++ b/completions/bash/podman
@@ -2669,6 +2669,7 @@ _podman_container_runlabel() {
_podman_image_sign() {
local options_with_args="
+ --cert-dir
-d
--directory
--sign-by
diff --git a/docs/podman-image-sign.1.md b/docs/podman-image-sign.1.md
index 61df3b3bd..ca438b438 100644
--- a/docs/podman-image-sign.1.md
+++ b/docs/podman-image-sign.1.md
@@ -12,14 +12,23 @@ been pulled from a registry. The signature will be written to a directory
derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory.
## OPTIONS
+
**--help**, **-h**
- Print usage statement.
+
+Print usage statement.
+
+**--cert-dir**=*path*
+
+Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
+Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands)
**--directory**, **-d**=*dir*
- Store the signatures in the specified directory. Default: /var/lib/containers/sigstore
+
+Store the signatures in the specified directory. Default: /var/lib/containers/sigstore
**--sign-by**=*identity*
- Override the default identity of the signature.
+
+Override the default identity of the signature.
## EXAMPLES
Sign the busybox image with the identify of foo@bar.com with a user's keyring and save the signature in /tmp/signatures/.