ATOMIC(1)                       September 2016                       ATOMIC(1)


NAME

       atomic-trust - Manage system container trust policy


SYNOPSIS

       atomic trust add|delete|default|reset|show [-h|--help] [-j|--json]
       [--raw] [-k|--pubkeys KEY1 [-k|--pubkeys KEY2,...]]  [-f|--pubkeysfile
       KEY1 [-f|--pubkeysfile KEY2,...]]  [--keytype GPGKeys] [-t|--type
       signedBy|insecureAcceptAnything|reject] [-s|--sigstore
       https://URL[:PORT][/PATH]|file:///PATH] [--sigstoretype
       web|atomic|local] REGISTRY[/REPOSITORY]


DESCRIPTION

       atomic trust manages the trust policy of the host system. Trust policy
       describes a registry scope (registry and/or repository) that must be
       signed by public keys. Trust is defined in /etc/containers/policy.json.
       Trust is enforced when a user attempts to pull an image from a
       registry.

       Trust scope is evaluated from most specific to least specific. In other
       words, policy may be defined for an entire registry, but refined for a
       particular repository in that registry. See below for examples.

       Trust type provides a way to whitelist ("insecureAcceptAnything") or
       blacklist ("reject") registries.

       Signature servers, or sigstores, configure where image signatures are
       served for a particular registry scope. This configuration is a flat
       list of arbitrarily named YAML files in /etc/containers/registries.d/.
       Filenames must end in .yaml. A sigstore may be either an absolute path
       to a local directory (file:///PATH) or a remote web server
       (https://URL).

       Trust may be updated using the command atomic trust add for an existing
       trust scope.

       The default trust policy is managed by the default command. Options are
       accept or reject.

       The default /etc/containers/policy.json file may be overridden using
       the environment variable TRUST_POLICY. This is typically only useful
       for testing.

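       The following is an added illustration of the scope evaluation and
       sigstore lookup described above; it is not part of this man page or of
       the atomic project's code. It embeds a constructed policy.json (a
       registry-wide entry for docker.io refined by an entry for the
       docker.io/foobar repository) and the parsed form of a constructed
       registries.d YAML file, then resolves which entry governs a given image
       reference by walking from the most specific scope to the least
       specific one. The walk through intermediate namespace prefixes, and the
       "docker"/"sigstore" key names of the registries.d data, are assumptions
       that go beyond what the page states.

```python
import json

# Constructed policy.json in the shape atomic trust writes: a registry-wide
# entry for docker.io and a more specific entry for the docker.io/foobar
# repository.  Sample data, not taken from the man page.
POLICY_JSON = """
{
  "default": [ {"type": "reject"} ],
  "transports": {
    "docker": {
      "docker.io": [ {"type": "insecureAcceptAnything"} ],
      "docker.io/foobar": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/containers/foo@example.com"
        }
      ]
    }
  }
}
"""

# Parsed form of a constructed /etc/containers/registries.d/foobar.yaml.
# The "docker" / "sigstore" key names are assumed to mirror the YAML layout
# the man page refers to; kept as a dict so no YAML library is needed.
REGISTRIES_D = {
    "docker": {
        "docker.io/foobar": {"sigstore": "https://s3.bucket/foobar/sigstore/"},
    }
}


def candidate_scopes(image_ref):
    """Scopes for image_ref, most specific first.

    Tag or digest is dropped, then each prefix of the repository path is
    tried and finally the bare registry host.  Walking intermediate namespace
    prefixes is an assumption beyond the registry/repository split the man
    page describes.  docker.io/foobar/app:1.0 ->
    ['docker.io/foobar/app', 'docker.io/foobar', 'docker.io']
    """
    name = image_ref.split("@", 1)[0]          # strip an @sha256:... digest
    host, _, path = name.partition("/")
    if ":" in path:                            # a ':' in the path part is a tag
        path = path.rsplit(":", 1)[0]
    parts = [p for p in path.split("/") if p]
    scopes = [host + "/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    scopes.append(host)
    return scopes


def resolve_policy(policy, image_ref):
    """Return (scope, requirements) governing a pull of image_ref."""
    docker = policy.get("transports", {}).get("docker", {})
    for scope in candidate_scopes(image_ref):
        if scope in docker:
            return scope, docker[scope]
    return "default", policy["default"]


def sigstore_for(registries_d, image_ref):
    """Return the sigstore URL for image_ref, or None if none is configured."""
    docker = registries_d.get("docker", {})
    for scope in candidate_scopes(image_ref):
        entry = docker.get(scope)
        if entry and "sigstore" in entry:
            return entry["sigstore"]
    return None


def explain(policy, registries_d, image_ref):
    """One-line summary of what a pull of image_ref would be checked against."""
    scope, reqs = resolve_policy(policy, image_ref)
    kinds = ",".join(r["type"] for r in reqs)
    store = sigstore_for(registries_d, image_ref) or "(none)"
    return "%s -> scope %s, requirement %s, sigstore %s" % (image_ref, scope, kinds, store)


POLICY = json.loads(POLICY_JSON)

if __name__ == "__main__":
    for ref in ("docker.io/foobar/app:1.0", "docker.io/library/nginx",
                "quay.io/team/app@sha256:abcd"):
        print(explain(POLICY, REGISTRIES_D, ref))
```

       Run as a script it prints one line per reference: the foobar image
       lands on the signedBy repository entry with its sigstore, any other
       docker.io image falls back to the registry-wide
       insecureAcceptAnything entry, and a quay.io image hits the reject
       default. Pointing POLICY_JSON at the real /etc/containers/policy.json
       turns this into a quick audit of which registries are pulled unsigned.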

OPTIONS

       -h --help
         Print usage statement.

       -k --pubkeys
         A reference to a local file, a download URL to an exported public
         key, or a local user GPG keyring ID (see output of 'gpg2
         --list-keys'). Keys are parsed and encoded inline with policy.json.
         Option may be used multiple times to require an image be signed by
         multiple keys. One of --pubkeys or --pubkeysfile is required for
         signedBy type. This option is recommended over --pubkeysfile.

       -f --pubkeysfile
         A path to an exported public key on the local system. Key paths
         will be referenced in policy.json. Any path may be used but path
         /etc/pki/containers is recommended. Option may be used multiple times
         to require an image be signed by multiple keys. One of --pubkeys or
         --pubkeysfile is required for signedBy type.

       --keytype
         The public key type. Default: GPGKeys (only supported value)

       -t --type
         The trust type for this policy entry. Accepted values:
           signedBy (default): Require signatures with corresponding list of
                                   public keys
           insecureAcceptAnything: do not require any signatures for this
                                       registry scope
           reject: do not accept images for this registry scope

       -u --sigstore
         A path or remote URL where signatures are found. Prefix a filesystem
         path with file:///PATH and a remote web server with
         https://URL[:PORT][/PATH/TO/SIGNATURES].

       -s --sigstoretype
         Type of signature transport. Accepted values:
           web (default): remote web server
           atomic: OpenShift-based Atomic Registry API
           local: Local filesystem path


delete OPTIONS

       --save-sigstore
         Do not remove local sigstore configuration.


default OPTIONS

       The default trust policy is managed by the default command. Options are
       accept or reject.


show OPTIONS

       --raw
         Output trust policy file as raw JSON

       -j --json
         Output trust as JSON for machine parsing


reset

       Resets policy.json to the default. Removes all YAML files in
         /etc/containers/registries.d/ except default.yaml.


EXAMPLES

       Add public key trust to a specific registry repository

              atomic trust add \
                     --pubkeys /etc/pki/containers/foo@example.com \
                     --sigstore https://s3.bucket/foobar/sigstore/ \
                     docker.io/foobar

       Modify a trust scope, adding a second public key and changing the
       sigstore web server

              atomic trust add \
                     --pubkeys https://example.com/keys/example.pub \
                     --pubkeys /etc/pki/containers/foo@example.com \
                     --sigstore https://server.example.com/foobar/sigstore/ \
                     docker.io/foobar

       Accept all unsigned images from a registry

              atomic trust add --type insecureAcceptAnything docker.io

       Remove a trust scope

              atomic trust delete docker.io

       Remove a trust scope but retain the sigstore configuration

              atomic trust delete docker.io --save-sigstore

       Modify default trust policy

              atomic trust default reject

       Display system trust policy

              atomic trust show

       Display trust policy file

              atomic trust show --raw

       Display trust as JSON

              atomic trust show --json


HISTORY

       September 2016, originally compiled by Aaron Weitekamp (aweiteka at
       redhat dot com)

Aaron Weitekamp                 Atomic Man Pages                     ATOMIC(1)