podman-image-trust(1)                                    podman-image-trust(1)


NAME

       podman-image-trust - Manage container registry image trust policy


SYNOPSIS

       podman image trust set|show [-h|--help] [-j|--json] [--raw]
       [-f|--pubkeysfile KEY1 [-f|--pubkeysfile KEY2,...]] [-t|--type
       signedBy|accept|reject] REGISTRY[/REPOSITORY]


DESCRIPTION

       Manages which registries you trust as a source of container images
       based on their location.  The location is determined by the transport
       and the registry host of the image.  Using the container image
       docker://docker.io/library/busybox as an example, docker is the
       transport and docker.io is the registry host.

       Trust is defined in /etc/containers/policy.json and is enforced when a
       user attempts to pull a remote image from a registry.  The trust policy
       in policy.json describes a registry scope (registry and/or repository)
       for the trust.  This trust can use public keys for signed images.

       The scope of the trust is evaluated from most specific to the least
       specific.  In other words, a policy may be defined for an entire
       registry, for a particular repository in that registry, or down to a
       specific signed image inside of the registry.

       For example, the following list includes valid scope values that could
       be used in policy.json, from most specific to the least specific:

              docker.io/library/busybox:notlatest
              docker.io/library/busybox
              docker.io/library
              docker.io

       If no configuration is found for any of these scopes, the default value
       (specified by using "default" instead of REGISTRY[/REPOSITORY]) is
       used.

       Trust type provides a way to whitelist ("accept") or blacklist
       ("reject") registries, or to require a signature ("signedBy").

       Trust may be updated using the command podman image trust set for an
       existing trust scope.

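       The scope lookup described above, worked through in code.  This is an
       added example and is not part of this man page or of podman's own
       source.  It loads a constructed policy.json in the
       containers-policy.json(5) layout that podman image trust set maintains
       in /etc/containers/policy.json (the accept type is stored there as
       insecureAcceptAnything, reject as reject, signedBy as a signedBy
       requirement with a GPG key path), derives the candidate scopes for an
       image reference from most specific to least specific, and falls back to
       the "default" entry when nothing matches.  The functions trust_entry,
       candidate_scopes, resolve and trust_names, the sample key path
       /etc/pki/containers/busybox-maintainers.gpg, and the one-signedBy-entry-
       per-key layout are assumptions made for the illustration, not taken from
       the page.

```python
import json

# CONSTRUCTED sample policy (not read from any real system).  It follows the
# containers-policy.json(5) layout that `podman image trust set` maintains:
#   -t accept   -> {"type": "insecureAcceptAnything"}
#   -t reject   -> {"type": "reject"}
#   -t signedBy -> {"type": "signedBy", "keyType": "GPGKeys", "keyPath": ...}
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io": [{"type": "insecureAcceptAnything"}],
      "docker.io/library/busybox": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/containers/busybox-maintainers.gpg"}
      ]
    }
  }
}
""")


def trust_entry(trust_type, pubkeysfiles=()):
    """Requirement list that `podman image trust set -t TYPE [-f KEY ...]`
    stores for a scope.  Assumption (hypothetical layout, not checked against
    a specific podman version): one signedBy entry per -f key."""
    if trust_type == "accept":
        return [{"type": "insecureAcceptAnything"}]
    if trust_type == "reject":
        return [{"type": "reject"}]
    if trust_type == "signedBy":
        if not pubkeysfiles:
            raise ValueError("--pubkeysfile is required for the signedBy type")
        return [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": key}
                for key in pubkeysfiles]
    raise ValueError("unknown trust type: %s" % trust_type)


def candidate_scopes(reference):
    """Scope keys for a docker-transport reference, most specific first, e.g.
    docker.io/library/busybox:notlatest -> docker.io/library/busybox ->
    docker.io/library -> docker.io."""
    scopes = [reference]
    name = reference
    if "@" in name:                      # drop a digest: name@sha256:...
        name = name.split("@", 1)[0]
        scopes.append(name)
    last_slash, colon = name.rfind("/"), name.rfind(":")
    if colon > last_slash:               # drop a tag, but not a host port
        name = name[:colon]
        scopes.append(name)
    while "/" in name:                   # repository -> namespace -> host
        name = name.rsplit("/", 1)[0]
        scopes.append(name)
    return list(dict.fromkeys(scopes))   # dedupe, keep order


def resolve(policy, reference, transport="docker"):
    """(scope, requirements) governing a pull of `reference`: the first
    matching scope, else the policy's "default" entry."""
    scoped = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(reference):
        if scope in scoped:
            return scope, scoped[scope]
    return "default", policy.get("default", [])


def trust_names(requirements):
    """Map policy.json requirement types back to the trust type names used by
    `podman image trust` (accept / reject / signedBy)."""
    names = {"insecureAcceptAnything": "accept"}
    return [names.get(r["type"], r["type"]) for r in requirements]


if __name__ == "__main__":
    for ref in ("docker.io/library/busybox:notlatest",
                "docker.io/library/alpine:3.19",
                "quay.io/example/app@sha256:" + "0" * 64):
        scope, reqs = resolve(SAMPLE_POLICY, ref)
        print("%-50s -> %-28s %s" % (ref, scope, trust_names(reqs)))
```

       With the sample policy, a busybox pull is governed by the repository
       scope (signedBy), any other docker.io image by the registry-wide accept
       entry, and an image from an unlisted registry by the default reject
       entry; a tag or digest only narrows the match when the policy names the
       full reference.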

OPTIONS

       -h --help
         Print usage statement.

       -f --pubkeysfile
         A path to an exported public key on the local system.  Key paths
         will be referenced in policy.json.  Any path to a file may be used,
         but locating the file in /etc/pki/containers is recommended.  The
         option may be used multiple times to require an image be signed by
         multiple keys.  The --pubkeysfile option is required for the signedBy
         type.

       -t --type
         The trust type for this policy entry.  Accepted values:
           signedBy (default): require signatures with the corresponding list
                               of public keys
           accept: do not require any signatures for this registry scope
           reject: do not accept images for this registry scope


show OPTIONS

       --raw
         Output trust policy file as raw JSON

       -j --json
         Output trust as JSON for machine parsing


EXAMPLES

       Accept all unsigned images from a registry

              sudo podman image trust set --type accept docker.io

       Modify default trust policy

              sudo podman image trust set -t reject default

       Display system trust policy

              sudo podman image trust show

       Display trust policy file

              sudo podman image trust show --raw

       Display trust as JSON

              sudo podman image trust show --json


SEE ALSO

       policy-json(5)


HISTORY

       January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)
       December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)
