add --cert-dir image sign

Requirement from #2726
Add --cert-dir for `podman image sign`.

Signed-off-by: Qi Wang <qiwan@redhat.com>

cmd/podman/cliconfig/config.go

@@ -506,6 +506,7 @@ type SignValues struct {
 	PodmanCommand
 	Directory string
 	SignBy    string
+	CertDir   string
 }
 
 type StartValues struct {

cmd/podman/sign.go

@@ -46,7 +46,7 @@ func init() {
 	flags := signCommand.Flags()
 	flags.StringVarP(&signCommand.Directory, "directory", "d", "", "Define an alternate directory to store signatures")
 	flags.StringVar(&signCommand.SignBy, "sign-by", "", "Name of the signing key")
-
+	flags.StringVar(&signCommand.CertDir, "cert-dir", "", "`Pathname` of a directory containing TLS certificates and keys")
 }
 
 // SignatureStoreDir defines default directory to store signatures
@@ -76,6 +76,13 @@ func signCmd(c *cliconfig.SignValues) error {
 		}
 	}
 
+	sc := runtime.SystemContext()
+	sc.DockerCertPath = c.CertDir
+
+	dockerRegistryOptions := image.DockerRegistryOptions{
+		DockerCertPath: c.CertDir,
+	}
+
 	mech, err := signature.NewGPGSigningMechanism()
 	if err != nil {
 		return errors.Wrap(err, "error initializing GPG")
@@ -85,7 +92,7 @@ func signCmd(c *cliconfig.SignValues) error {
 		return errors.Wrap(err, "signing is not supported")
 	}
 
-	systemRegistriesDirPath := trust.RegistriesDirPath(runtime.SystemContext())
+	systemRegistriesDirPath := trust.RegistriesDirPath(sc)
 	registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath)
 	if err != nil {
 		return errors.Wrapf(err, "error reading registry configuration")
@@ -96,10 +103,14 @@ func signCmd(c *cliconfig.SignValues) error {
 		if err != nil {
 			return errors.Wrapf(err, "error parsing image name")
 		}
-		rawSource, err := srcRef.NewImageSource(getContext(), runtime.SystemContext())
+		rawSource, err := srcRef.NewImageSource(getContext(), sc)
 		if err != nil {
 			return errors.Wrapf(err, "error getting image source")
 		}
+		err = rawSource.Close()
+		if err != nil {
+			logrus.Errorf("unable to close new image source %q", err)
+		}
 		manifest, _, err := rawSource.GetManifest(getContext(), nil)
 		if err != nil {
 			return errors.Wrapf(err, "error getting manifest")
@@ -114,7 +125,7 @@ func signCmd(c *cliconfig.SignValues) error {
 		if err != nil {
 			return err
 		}
-		newImage, err := runtime.ImageRuntime().New(getContext(), signimage, rtc.SignaturePolicyPath, "", os.Stderr, nil, image.SigningOptions{SignBy: signby}, nil, util.PullImageMissing)
+		newImage, err := runtime.ImageRuntime().New(getContext(), signimage, rtc.SignaturePolicyPath, "", os.Stderr, &dockerRegistryOptions, image.SigningOptions{SignBy: signby}, nil, util.PullImageMissing)
 		if err != nil {
 			return errors.Wrapf(err, "error pulling image %s", signimage)
 		}

completions/bash/podman

@@ -2668,6 +2668,7 @@ _podman_container_runlabel() {
 
 _podman_image_sign() {
     local options_with_args="
+	--cert-dir
 	-d
 	--directory
 	--sign-by

docs/podman-image-sign.1.md

@@ -12,14 +12,23 @@ been pulled from a registry. The signature will be written to a directory
 derived from the registry configuration files in /etc/containers/registries.d. By default, the signature will be written into /var/lib/containers/sigstore directory.
 
 ## OPTIONS
+
 **--help**, **-h**
-  Print usage statement.
+
+Print usage statement.
+
+**--cert-dir**=*path*
+
+Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
+Default certificates directory is _/etc/containers/certs.d_. (Not available for remote commands)
 
 **--directory**, **-d**=*dir*
-  Store the signatures in the specified directory.  Default: /var/lib/containers/sigstore
+
+Store the signatures in the specified directory.  Default: /var/lib/containers/sigstore
 
 **--sign-by**=*identity*
-  Override the default identity of the signature.
+
+Override the default identity of the signature.
 
 ## EXAMPLES
 Sign the busybox image with the identify of foo@bar.com with a user's keyring and save the signature in /tmp/signatures/.