apptainer-sign

Cryptographically sign container images

TLDR

Sign a container image using the default PGP key

$ apptainer sign [path/to/image.sif]

Sign a container image using a specific private key file

$ apptainer sign --key [path/to/private.pem] [path/to/image.sif]

Sign a container image using a specific PGP key index

$ apptainer sign -k [key_index] [path/to/image.sif]

Sign a specific object group within the image

$ apptainer sign -g [group_id] [path/to/image.sif]

Sign a specific object by ID within the image

$ apptainer sign -i [object_id] [path/to/image.sif]

SYNOPSIS

apptainer sign [options] image.sif

apptainer sign adds digital signatures to SIF container images, enabling verification of image integrity and authenticity. Signatures can use PGP keys or X.509 certificates.
Signing containers is essential for establishing trust in shared container images and meeting security requirements in production environments.

PARAMETERS

--key file

Path to a private key file for signing

-k, --keyidx index

Index of the PGP key to use from the keyring

-g, --group-id id

Sign only a specific object group within the SIF

-i, --sif-id id

Sign only a specific object by ID within the SIF

CAVEATS

A PGP key pair or X.509 certificate must be configured before signing. The private key must be kept secure; compromised keys should be revoked immediately.