1podman-image-trust(1)() podman-image-trust(1)()
2
3
4
6 podman-image-trust - Manage container registry image trust policy
7
8
10 podman image trust set|show [options] registry[/repository]
11
12
14 Manages which registries you trust as a source of container images
15 based on its location. (This option is not available with the remote
16 Podman client)
17
18
19 The location is determined by the transport and the registry host of
20 the image. Using this container image docker://docker.io/library/busy‐
21 box as an example, docker is the transport and docker.io is the reg‐
22 istry host.
23
24
25 Trust is defined in /etc/containers/policy.json and is enforced when a
26 user attempts to pull a remote image from a registry. The trust policy
27 in policy.json describes a registry scope (registry and/or repository)
28 for the trust. This trust can use public keys for signed images.
29
30
31 The scope of the trust is evaluated from most specific to the least
32 specific. In other words, a policy may be defined for an entire reg‐
33 istry. Or it could be defined for a particular repository in that reg‐
34 istry. Or it could be defined down to a specific signed image inside of
35 the registry.
36
37
38 For example, the following list includes valid scope values that could
39 be used in policy.json from most specific to the least specific:
40
41
42 docker.io/library/busybox:notlatest docker.io/library/busybox
43 docker.io/library docker.io
44
45
46 If no configuration is found for any of these scopes, the default value
47 (specified by using "default" instead of REGISTRY[/REPOSITORY]) is
48 used.
49
50
51 Trust type provides a way to:
52
53
54 Allowlist ("accept") or Denylist ("reject") registries or Require sig‐
55 nature (“signedBy”).
56
57
58 Trust may be updated using the command podman image trust set for an
59 existing trust scope.
60
61
63 --help, -h
64 Print usage statement.
65
66
67 --pubkeysfile=KEY1, -f
68 A path to an exported public key on the local system. Key paths
69 will be referenced in policy.json. Any path to a file may be used but
70 locating the file in /etc/pki/containers is recommended. Options may be
71 used multiple times to
72 require an image be signed by multiple keys. The --pubkeysfile op‐
73 tion is required for the signedBy type.
74
75
76 --type=value, -t
77 The trust type for this policy entry.
78 Accepted values:
79 signedBy (default): Require signatures with corresponding list of
80 public keys
81 accept: do not require any signatures for this
82 registry scope
83 reject: do not accept images for this registry scope
84
85
87 --raw
88 Output trust policy file as raw JSON
89
90
91 --json, -j
92 Output trust as JSON for machine parsing
93
94
96 Accept all unsigned images from a registry
97
98
99 sudo podman image trust set --type accept docker.io
100
101
102
103 Modify default trust policy
104
105
106 sudo podman image trust set -t reject default
107
108
109
110 Display system trust policy
111
112
113 sudo podman image trust show
114
115
116
117 Display trust policy file
118
119
120 sudo podman image trust show --raw
121
122
123 Display trust as JSON
124
125
126 sudo podman image trust show --json
127
128
130 containers-policy.json(5)
131
132
134 January 2019, updated by Tom Sweeney (tsweeney at redhat dot com) De‐
135 cember 2018, originally compiled by Qi Wang (qiwan at redhat dot com)
136
137
138
139 podman-image-trust(1)()