ATOMIC(1)                       September 2016                       ATOMIC(1)



NAME
       atomic-trust - Manage system container trust policy



SYNOPSIS
       atomic trust add|delete|default|reset|show [-h|--help] [-j|--json]
       [--raw] [-k|--pubkeys KEY1 [-k|--pubkeys KEY2,...]] [-f|--pubkeysfile
       KEY1 [-f|--pubkeysfile KEY2,...]] [--keytype GPGKeys] [-t|--type
       signedBy|insecureAcceptAnything|reject] [-s|--sigstore
       https://URL[:PORT][/PATH]|file:///PATH] [--sigstoretype
       web|atomic|local] REGISTRY[/REPOSITORY]


DESCRIPTION
       atomic trust manages the trust policy of the host system. The trust
       policy states, for each registry scope (a registry, optionally
       narrowed to one repository on it), whether images pulled from that
       scope must be signed and which public keys the signatures must come
       from. Trust is defined in /etc/containers/policy.json and is enforced
       when a user attempts to pull an image from a registry.

       Trust scope is evaluated from most specific to least specific. In other
       words, policy may be defined for an entire registry and then refined
       for a particular repository on that registry: the repository entry
       decides for images in that repository, and the registry entry applies
       to everything else on that registry. See the EXAMPLES below.

       Trust type provides a way to whitelist ("insecureAcceptAnything",
       which accepts images without any signature) or blacklist ("reject",
       which refuses every image) a registry scope.

       Signature servers, or sigstores, configure where image signatures are
       served for a particular registry scope. This configuration is a flat
       list of arbitrarily named YAML files in /etc/containers/registries.d/.
       Filenames must end in .yaml. A sigstore may be either an absolute path
       to a local directory (file:///PATH) or a remote web server
       (https://URL).

       An existing trust scope is updated by running atomic trust add again
       for the same scope.

       The default trust policy, which applies to any image whose scope has
       no entry of its own, is managed by the default command. Options are
       accept or reject.

       The default /etc/containers/policy.json file may be overridden using
       the environment variable TRUST_POLICY. This is typically only useful
       for testing.


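       The lookup order described above (repository entry refines registry
       entry, then the default) and the matching sigstore lookup in
       registries.d, as an added Python example. This is not code from the
       atomic project or from the library that enforces policy.json; the
       sample policy, the registries.d data and the helper names are
       constructed for illustration, and the keyType/keyPath field names
       follow containers-policy.json(5).

```python
"""Model of how a trust policy is evaluated at pull time.

Added example, not code from the atomic project. It implements the lookup
order the man page states (repository entry refines registry entry, then
the default). Sample policy and registries.d data are constructed; helper
names are assumptions; field names follow containers-policy.json(5).
"""
import json

# Constructed policy.json as `atomic trust add` could have written it:
# docker.io accepts anything, but docker.io/foobar is refined to require a key.
POLICY_JSON = json.dumps({
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "docker.io": [{"type": "insecureAcceptAnything"}],
            "docker.io/foobar": [
                {"type": "signedBy", "keyType": "GPGKeys",
                 "keyPath": "/etc/pki/containers/foo@example.com"},
            ],
            "registry.example.com": [{"type": "reject"}],
        }
    },
})

# Constructed registries.d content, in the form a YAML parser returns for
#   docker:
#     docker.io/foobar:
#       sigstore: https://s3.bucket/foobar/sigstore/
#     docker.io:
#       sigstore: https://sigs.example.com/docker.io/
REGISTRIES_D = {
    "docker": {
        "docker.io/foobar": {"sigstore": "https://s3.bucket/foobar/sigstore/"},
        "docker.io": {"sigstore": "https://sigs.example.com/docker.io/"},
    }
}


def load_policy(text=POLICY_JSON):
    return json.loads(text)


def candidate_scopes(image_ref):
    """Scopes for REGISTRY/REPOSITORY[:TAG][@DIGEST], most specific first.

    'docker.io/foobar/app:1.0' -> ['docker.io/foobar/app', 'docker.io/foobar', 'docker.io']
    """
    name = image_ref.split("@", 1)[0]           # drop @sha256:... digest
    head, sep, tail = name.rpartition("/")
    tail = tail.split(":", 1)[0]                # drop :tag after the last '/', so host:port survives
    parts = (head + sep + tail).split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def lookup(table_by_transport, image_ref, transport="docker"):
    """(scope, entry) for the most specific matching scope, else (None, None)."""
    table = table_by_transport.get(transport, {})
    for scope in candidate_scopes(image_ref):
        if scope in table:
            return scope, table[scope]
    return None, None


def decision(policy, image_ref, verified_keys=()):
    """Model the pull-time check: every requirement of the scope must pass.

    verified_keys: key paths whose signatures on this image already verified
    (constructed input standing in for real GPG verification).
    Returns (scope that decided, accepted?).
    """
    scope, reqs = lookup(policy["transports"], image_ref)
    if reqs is None:
        scope, reqs = "default", policy["default"]
    for req in reqs:
        kind = req["type"]
        if kind == "reject":
            return scope, False
        if kind == "insecureAcceptAnything":
            continue
        if kind == "signedBy":
            if req.get("keyPath") not in verified_keys:
                return scope, False
            continue
        raise ValueError("unknown requirement type %r" % kind)
    return scope, True


def sigstore_for(registries_d, image_ref):
    """URL or file:/// path where signatures for this image are looked up."""
    _, entry = lookup(registries_d, image_ref)
    return (entry or {}).get("sigstore")


if __name__ == "__main__":
    policy = load_policy()
    foo_key = "/etc/pki/containers/foo@example.com"
    for ref, keys in [("docker.io/library/busybox:latest", ()),
                      ("docker.io/foobar/app:1.0", ()),
                      ("docker.io/foobar/app:1.0", (foo_key,)),
                      ("registry.example.com/x/y:1", ()),
                      ("quay.io/org/img:2", ())]:
        print(ref, decision(policy, ref, keys), sigstore_for(REGISTRIES_D, ref))
```

       Note that docker.io/library/busybox is accepted unsigned because the
       registry-wide insecureAcceptAnything entry is the most specific match
       for it, while docker.io/foobar/app is refused until a signature from
       the foobar key has been verified, and an image on a registry with no
       entry at all falls through to the default (reject here).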
OPTIONS
       -h --help
              Print usage statement.


       -k --pubkeys
              A reference to a local file, a download URL to an exported
              public key, or a local user GPG keyring ID (see the output of
              'gpg2 --list-keys'). Keys are parsed and encoded inline in
              policy.json, so the policy stands on its own and does not
              depend on a key file remaining in place. When a download URL is
              given, the key is fetched at add time and embedded as-is, so
              confirm its fingerprint out of band before trusting it. The
              option may be used multiple times to require that an image be
              signed by multiple keys. One of --pubkeys or --pubkeysfile is
              required for the signedBy type. This option is recommended over
              --pubkeysfile.


       -f --pubkeysfile
              A path to an exported public key on the local system. Key paths
              will be referenced in policy.json, so the file must remain
              readable at that path for as long as the policy is in effect.
              Any path may be used, but /etc/pki/containers is recommended.
              The option may be used multiple times to require that an image
              be signed by multiple keys. One of --pubkeys or --pubkeysfile is
              required for the signedBy type.


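       How the two key options end up in a signedBy entry, as an added Python
       example. This is not atomic's own code: it models what the text above
       says (--pubkeys embeds the parsed key inline, --pubkeysfile records a
       path, and every key adds one more requirement the image must satisfy).
       The keyType/keyPath/keyData field names follow
       containers-policy.json(5); the key bytes, paths and helper names are
       constructed for illustration.

```python
"""How --pubkeys and --pubkeysfile are recorded in a signedBy policy entry.

Added example, not atomic's own code. --pubkeys embeds the parsed key inline,
--pubkeysfile records a path, and each key becomes one more requirement an
image must satisfy. Field names follow containers-policy.json(5); key bytes,
paths and helper names are constructed assumptions.
"""
import base64
import json

KEYTYPE = "GPGKeys"   # the only key type the page supports


def signed_by_from_path(key_path, keytype=KEYTYPE):
    """--pubkeysfile: reference the exported key by its path on this host."""
    return {"type": "signedBy", "keyType": keytype, "keyPath": key_path}


def signed_by_inline(key_bytes, keytype=KEYTYPE):
    """--pubkeys: embed the exported key (base64) so policy.json is self-contained."""
    return {"type": "signedBy", "keyType": keytype,
            "keyData": base64.b64encode(key_bytes).decode("ascii")}


def requirements(trust_type="signedBy", inline_keys=(), key_paths=()):
    """Requirement list for one scope, as `atomic trust add` would record it.

    Every requirement in the list must hold, so listing two keys means an
    image needs a valid signature from each of them (assumption: that is how
    'require an image be signed by multiple keys' is represented).
    """
    if trust_type in ("insecureAcceptAnything", "reject"):
        return [{"type": trust_type}]
    if trust_type != "signedBy":
        raise ValueError("unknown trust type %r" % trust_type)
    reqs = [signed_by_inline(k) for k in inline_keys]
    reqs += [signed_by_from_path(p) for p in key_paths]
    if not reqs:
        raise ValueError("signedBy needs at least one of --pubkeys or --pubkeysfile")
    return reqs


def add_scope(policy, scope, reqs, transport="docker"):
    """Record (or re-define) the entry for one REGISTRY[/REPOSITORY] scope."""
    policy.setdefault("transports", {}).setdefault(transport, {})[scope] = reqs
    return policy


def keys_required(policy, scope, transport="docker"):
    """Keys an image in `scope` must be signed by: ('path', p) or ('inline', bytes)."""
    out = []
    for req in policy["transports"][transport][scope]:
        if req["type"] != "signedBy":
            continue
        if "keyPath" in req:
            out.append(("path", req["keyPath"]))
        else:
            out.append(("inline", base64.b64decode(req["keyData"])))
    return out


if __name__ == "__main__":
    # constructed stand-in for the output of `gpg2 --export --armor foo@example.com`
    key_a = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nconstructed key A\n-----END PGP PUBLIC KEY BLOCK-----\n"
    policy = {"default": [{"type": "reject"}], "transports": {}}
    add_scope(policy, "docker.io/foobar",
              requirements(inline_keys=[key_a],
                           key_paths=["/etc/pki/containers/foo@example.com"]))
    print(json.dumps(policy, indent=2))
    print(keys_required(policy, "docker.io/foobar"))
```

       The inline form survives the key file being moved or deleted, which is
       why the page prefers --pubkeys; the path form is smaller and lets the
       key be rotated in place, at the cost of the policy silently depending
       on that file.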
       --keytype
              The public key type. Default: GPGKeys (the only supported
              value).


       -t --type
              The trust type for this policy entry. Accepted values:
              signedBy (default): require signatures from the corresponding
              list of public keys
              insecureAcceptAnything: do not require any signatures for this
              registry scope
              reject: do not accept images from this registry scope


       -u --sigstore
              A path or remote URL where signatures are found. Prefix a
              filesystem path with file:///PATH and a remote web server with
              https://URL[:PORT][/PATH/TO/SIGNATURES].


       -s --sigstoretype
              Type of signature transport. Accepted values:
              web (default): remote web server
              atomic: OpenShift-based Atomic Registry API
              local: local filesystem path



   delete OPTIONS
       --save-sigstore
              Do not remove the local sigstore configuration for the scope.



   default OPTIONS
       The default trust policy is managed by the default command. Options are
       accept or reject.



   show OPTIONS
       --raw
              Output the trust policy file as raw JSON.


       -j --json
              Output trust as JSON for machine parsing.



   reset
       Resets policy.json to the default. Removes all YAML files in
       /etc/containers/registries.d/ except default.yaml.


EXAMPLES
       Add public key trust to a specific registry repository:

              atomic trust add \
                  --pubkeys /etc/pki/containers/foo@example.com \
                  --sigstore https://s3.bucket/foobar/sigstore/ \
                  docker.io/foobar


       Modify a trust scope, adding a second public key and changing the
       sigstore web server (note that both keys are listed, not only the new
       one):

              atomic trust add \
                  --pubkeys https://example.com/keys/example.pub \
                  --pubkeys /etc/pki/containers/foo@example.com \
                  --sigstore https://server.example.com/foobar/sigstore/ \
                  docker.io/foobar


       Accept all unsigned images from a registry (every repository on it
       without a more specific entry is then pulled without any signature
       check):

              atomic trust add --type insecureAcceptAnything docker.io


       Remove a trust scope:

              atomic trust delete docker.io


       Remove a trust scope but retain the sigstore configuration:

              atomic trust delete docker.io --save-sigstore


       Modify the default trust policy:

              atomic trust default reject


       Display the system trust policy:

              atomic trust show


       Display the trust policy file:

              atomic trust show --raw


       Display trust as JSON:

              atomic trust show --json



HISTORY
       September 2016, originally compiled by Aaron Weitekamp (aweiteka at
       redhat dot com)



Aaron Weitekamp                 Atomic Man Pages                      ATOMIC(1)