podman-image-trust(1)()                                podman-image-trust(1)()



NAME

       podman-image-trust - Manage container registry image trust policy


SYNOPSIS

       podman image trust set|show [options] registry[/repository]


DESCRIPTION

       Manages which registries you trust as a source of container images
       based on their location. (Not available for remote commands)

       The location is determined by the transport and the registry host of
       the image. Using the container image docker://docker.io/library/busybox
       as an example, docker is the transport and docker.io is the registry
       host.

       Trust is defined in /etc/containers/policy.json and is enforced when a
       user attempts to pull a remote image from a registry. The trust policy
       in policy.json describes a registry scope (registry and/or repository)
       for the trust. This trust can use public keys for signed images.

       The scope of the trust is evaluated from most specific to the least
       specific. In other words, a policy may be defined for an entire
       registry, for a particular repository in that registry, or down to a
       specific signed image inside of the registry.

       For example, the following list includes valid scope values that could
       be used in policy.json, from most specific to the least specific:

              docker.io/library/busybox:notlatest
              docker.io/library/busybox
              docker.io/library
              docker.io

       If no configuration is found for any of these scopes, the default value
       (specified by using "default" instead of REGISTRY[/REPOSITORY]) is
       used.

       Trust type provides a way to allowlist ("accept") or denylist
       ("reject") registries, or to require a signature ("signedBy").

       Trust may be updated using the command podman image trust set for an
       existing trust scope.

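       The following is an added example, not part of this man page and not
       podman's own code. It models the scope lookup described above: an
       image reference is matched against the docker transport's scopes from
       most specific to least specific, and the top-level "default" entry is
       used when nothing matches. The policy.json contents are constructed
       for the example and the key path is a placeholder; the requirement
       type names (insecureAcceptAnything, reject, signedBy) are the ones
       defined in containers-policy.json(5). It generalizes the list above to
       any docker:// reference, including digest references and registries
       with a port.

```python
"""Toy resolver for policy.json trust scopes (added example, not podman code)."""
import json

# Constructed sample policy.json; the keyPath is a placeholder, not a real file.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io": [{"type": "insecureAcceptAnything"}],
      "docker.io/library/busybox": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/containers/example-key.gpg"}
      ],
      "docker.io/library/busybox:notlatest": [{"type": "reject"}]
    }
  }
}
""")


def scope_candidates(image_ref: str) -> list[str]:
    """Return lookup scopes for a docker:// reference, most specific first.

    docker://docker.io/library/busybox:notlatest yields
    docker.io/library/busybox:notlatest, docker.io/library/busybox,
    docker.io/library, docker.io
    """
    transport, _, name = image_ref.partition("://")
    if transport != "docker" or not name:
        raise ValueError("only docker:// references are modelled here")
    candidates = [name]
    # Drop a @digest or :tag to get the bare repository. Only the last path
    # component is checked for ':' so a registry port (host:5000) survives.
    repo = name.split("@", 1)[0]
    last = repo.rsplit("/", 1)[-1]
    if ":" in last:
        repo = repo[: len(repo) - len(last)] + last.split(":", 1)[0]
    if repo != name:
        candidates.append(repo)
    # Walk up the path: namespace prefixes, then the registry host alone.
    parts = repo.split("/")
    for i in range(len(parts) - 1, 0, -1):
        candidates.append("/".join(parts[:i]))
    return candidates


def resolve(policy: dict, image_ref: str) -> tuple[str, list[dict]]:
    """Return (matched scope, requirement list) for an image reference."""
    scopes = policy.get("transports", {}).get("docker", {})
    for scope in scope_candidates(image_ref):
        if scope in scopes:
            return scope, scopes[scope]
    return "default", policy["default"]


def requirement_summary(reqs: list[dict]) -> str:
    """Map requirement types onto the --type names used by this man page."""
    names = {"insecureAcceptAnything": "accept", "reject": "reject",
             "signedBy": "signedBy"}
    return ",".join(names.get(r["type"], r["type"]) for r in reqs)


if __name__ == "__main__":
    for ref in ("docker://docker.io/library/busybox:notlatest",
                "docker://docker.io/library/busybox:latest",
                "docker://docker.io/library/alpine",
                "docker://quay.io/example/app"):
        scope, reqs = resolve(SAMPLE_POLICY, ref)
        print(f"{ref:48} -> {scope:38} {requirement_summary(reqs)}")
```

       Running it shows why scope order matters: busybox:notlatest is
       rejected by its image-specific entry, busybox:latest falls through to
       the repository entry and needs a signature, any other docker.io image
       is accepted unsigned by the registry-wide entry, and an image from an
       unlisted registry gets the default, reject.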

OPTIONS

   --help, -h
       Print usage statement.

   --pubkeysfile=KEY1, -f
       A path to an exported public key on the local system. Key paths will
       be referenced in policy.json. Any path to a file may be used, but
       locating the file in /etc/pki/containers is recommended. The option
       may be used multiple times to require an image be signed by multiple
       keys. The --pubkeysfile option is required for the signedBy type.

   --type=value, -t
       The trust type for this policy entry. Accepted values:

              signedBy (default): Require signatures with the corresponding
                                  list of public keys
              accept:             do not require any signatures for this
                                  registry scope
              reject:             do not accept images for this registry scope

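       The following is an added example, not part of this man page and not
       podman's own code. It models what podman image trust set writes into
       policy.json for the --type and --pubkeysfile options above, including
       the rule that --pubkeysfile is required for the signedBy type. The
       mapping of --type values onto containers-policy.json(5) requirement
       types is as documented there; writing one signedBy requirement per
       key file is an assumption of this model, and the key paths and scopes
       in the walk-through are constructed placeholders.

```python
"""Model of 'podman image trust set' writing policy.json (added example)."""
import json
from typing import Optional

# --type value  ->  policy.json requirement "type" (containers-policy.json(5))
REQUIREMENT_TYPES = {
    "accept": "insecureAcceptAnything",
    "reject": "reject",
    "signedBy": "signedBy",
}


def validate(trust_type: str, pubkeysfiles: list[str]) -> Optional[str]:
    """Return an error message for an invalid option combination, else None."""
    if trust_type not in REQUIREMENT_TYPES:
        return f"unknown trust type {trust_type!r}; expected one of {sorted(REQUIREMENT_TYPES)}"
    if trust_type == "signedBy" and not pubkeysfiles:
        return "--pubkeysfile is required for the signedBy type"
    return None


def requirements(trust_type: str, pubkeysfiles: list[str]) -> list[dict]:
    """Build the requirement list for one scope.

    Assumption of this model: each -f key becomes its own signedBy requirement,
    so an image must carry a valid signature from every listed key.
    """
    if trust_type == "signedBy":
        return [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": path}
                for path in pubkeysfiles]
    return [{"type": REQUIREMENT_TYPES[trust_type]}]


def set_trust(policy: dict, scope: str, trust_type: str = "signedBy",
              pubkeysfiles: Optional[list[str]] = None) -> dict:
    """Apply 'podman image trust set --type TYPE [-f KEY]... SCOPE' to a policy dict."""
    pubkeysfiles = pubkeysfiles or []
    error = validate(trust_type, pubkeysfiles)
    if error:
        raise ValueError(error)
    reqs = requirements(trust_type, pubkeysfiles)
    if scope == "default":
        policy["default"] = reqs  # top-level fallback, not a transport scope
    else:
        policy.setdefault("transports", {}).setdefault("docker", {})[scope] = reqs
    return policy


if __name__ == "__main__":
    # Constructed walk-through; key paths are placeholders, not real files.
    policy = {"default": [{"type": "insecureAcceptAnything"}]}
    set_trust(policy, "default", "reject")
    set_trust(policy, "docker.io", "accept")
    set_trust(policy, "docker.io/library/busybox", "signedBy",
              ["/etc/pki/containers/example-a.gpg",
               "/etc/pki/containers/example-b.gpg"])
    print(json.dumps(policy, indent=2))
```

       The walk-through starts from a policy whose default accepts
       everything, which is the weak setting, and tightens it to reject by
       default, accept only docker.io unsigned, and require two signatures
       for one repository; the printed JSON is the shape podman image trust
       show --raw would display.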

show OPTIONS

   --raw
       Output the trust policy file as raw JSON

   --json, -j
       Output trust as JSON for machine parsing


EXAMPLES

       Accept all unsigned images from a registry

              sudo podman image trust set --type accept docker.io

       Modify the default trust policy

              sudo podman image trust set -t reject default

       Display the system trust policy

              sudo podman image trust show

       Display the trust policy file

              sudo podman image trust show --raw

       Display trust as JSON

              sudo podman image trust show --json


SEE ALSO

       containers-policy.json(5)


HISTORY

       January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)
       December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)



                                                       podman-image-trust(1)()