podman-image-trust(1)()                                podman-image-trust(1)()

NAME

       podman-image-trust - Manage container registry image trust policy


SYNOPSIS

       podman image trust set [options] registry[/repository]|default
       podman image trust show [options]


DESCRIPTION

       Manages which registries you trust as a source of container  images
       based on their location.  (This command is not available with the
       remote Podman client.)

       The location is determined by the transport and the registry host of
       the image.  Using the container image docker://docker.io/library/busybox
       as an example, docker is the transport and docker.io is the registry
       host.

       Trust is defined in /etc/containers/policy.json and is enforced
       whenever Podman pulls an image from a registry, including the implicit
       pull done by podman run, podman create and podman build.  The trust
       policy in policy.json describes a registry scope (registry and/or
       repository) for the trust.  This trust can require that images are
       signed by one or more public keys.

       The scope of the trust is evaluated from the most specific to the
       least specific.  A policy may be defined for an entire registry, for a
       particular repository in that registry, or for a specific image (by
       tag or digest) inside that repository.

       For example, the following are valid scope values that could be used
       in policy.json, from the most specific to the least specific:

              docker.io/library/busybox:notlatest
              docker.io/library/busybox
              docker.io/library
              docker.io

       The first matching scope wins, so an entry for
       docker.io/library/busybox:notlatest applies only to that tag, while
       other tags of the same repository fall through to the
       docker.io/library/busybox entry.  If no configuration is found for any
       of these scopes, the default value (specified by using "default"
       instead of REGISTRY[/REPOSITORY]) is used.

       The trust type provides a way to allowlist ("accept") or denylist
       ("reject") a scope, or to require a signature ("signedBy").  In the
       policy file, accept is stored as insecureAcceptAnything.

       Trust may be updated using the command podman image trust set for an
       existing trust scope; setting a scope again replaces its previous
       entry.
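       The scope lookup and trust types described above, as an added example
       that is not part of this man page or of podman: a Python script that
       reproduces the most-specific-first lookup against a constructed
       policy.json and lints signedBy entries whose key file cannot be found.
       registry.example.com, the acme repository, its key path and the
       untrusted:latest entry are assumptions made for the sample; unqualified
       names are assumed to resolve to docker.io.

```python
"""Resolve which /etc/containers/policy.json scope governs an image pull.
Added example, not podman's own code: it reproduces the most-specific-first
lookup this page describes (docker transport only, no wildcard scopes)."""
import json
import os

# Constructed sample: roughly what policy.json holds after
#   podman image trust set -t reject default
#   podman image trust set --type accept docker.io
#   podman image trust set -t signedBy -f /etc/pki/containers/acme.gpg registry.example.com/acme
# plus a hand-written per-tag reject.  registry.example.com, the acme repository
# and the key path are made up; "accept" is stored as insecureAcceptAnything.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io": [{"type": "insecureAcceptAnything"}],
      "registry.example.com/acme": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/containers/acme.gpg"}
      ],
      "registry.example.com/acme/untrusted:latest": [{"type": "reject"}]
    }
  }
}
""")

def scope_candidates(ref: str) -> list:
    """Policy scopes that can match REF, most specific first.  Unqualified
    names are assumed to be on docker.io (podman really uses registries.conf)."""
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        host, path = first, rest
    else:
        host, path = "docker.io", ref
    if host == "docker.io" and "/" not in path.split("@")[0].split(":")[0]:
        path = "library/" + path          # docker.io/busybox == docker.io/library/busybox
    repo, suffix = path, ""
    if "@" in path:                       # digest reference
        repo, _, digest = path.partition("@")
        suffix = "@" + digest
    elif ":" in path:                     # tag reference
        repo, _, tag = path.rpartition(":")
        suffix = ":" + tag
    parts = repo.split("/")
    cands = [f"{host}/{repo}{suffix}"] if suffix else []
    cands += [host + "/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    cands.append(host)
    return cands

def resolve(policy: dict, ref: str, transport: str = "docker") -> tuple:
    """Return (scope, requirements) that podman would apply to REF."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in scope_candidates(ref):
        if scope in scopes:
            return scope, scopes[scope]
    return "default", policy["default"]

def decision(policy: dict, ref: str) -> tuple:
    """Label the outcome as `podman image trust show` does.  All requirements
    in the matched list must hold, so one reject wins and one signedBy demands
    a signature.  Unknown types or an empty list are treated as reject; that is
    this example's conservative assumption, not documented behaviour."""
    scope, reqs = resolve(policy, ref)
    types = [r.get("type") for r in reqs]
    keys = [r["keyPath"] for r in reqs if r.get("type") == "signedBy" and "keyPath" in r]
    if not reqs or "reject" in types:
        return scope, "reject"
    if keys:
        return scope, "signedBy " + ",".join(keys)
    if all(t == "insecureAcceptAnything" for t in types):
        return scope, "accept"
    return scope, "reject"

def lint(policy: dict) -> list:
    """Problems that make the policy fail to load or never verify anything."""
    problems = []
    if "default" not in policy:
        problems.append("no 'default' entry: the policy will not load")
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            for r in reqs:
                if r.get("type") != "signedBy":
                    continue
                key = r.get("keyPath")       # keyPaths/keyData variants not checked here
                if not key:
                    problems.append(f"{transport}:{scope}: signedBy without keyPath")
                elif not os.path.isfile(key):
                    problems.append(f"{transport}:{scope}: key file {key} not found")
    return problems

if __name__ == "__main__":
    for image in ("busybox", "registry.example.com/acme/app:1.2",
                  "registry.example.com/acme/untrusted:latest", "quay.io/foo/bar"):
        print(image, "->", decision(SAMPLE_POLICY, image))
    print("\n".join(lint(SAMPLE_POLICY)))
```

       Running it shows busybox resolving to the docker.io accept entry,
       registry.example.com/acme/untrusted:latest hitting its own reject
       entry while untrusted:1.0 falls through to the repository's signedBy
       requirement, and quay.io/foo/bar landing on default.  Treat it as a
       model for reasoning about policy.json; the authoritative evaluation is
       the one in containers-policy.json(5).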
61

OPTIONS

   --help, -h
       Print usage statement.

   --pubkeysfile=KEY1, -f
       A path to an exported public key on the local system.  Key paths are
       referenced in policy.json.  Any path to a file may be used, but
       locating the file in /etc/pki/containers is recommended.  The option
       may be given multiple times to require that an image be signed by
       multiple keys.  The --pubkeysfile option is required for the signedBy
       type.

   --type=value, -t
       The trust type for this policy entry.  Accepted values:

              signedBy (default): require signatures verifiable with the
                                  corresponding list of public keys
              accept:             do not require any signatures for this
                                  registry scope
              reject:             do not accept images for this registry
                                  scope

       For signedBy to verify anything, Podman must also be able to locate
       the signatures, which it looks up through the signature store
       configured in /etc/containers/registries.d (see
       containers-registries.d(5)); a key without a reachable signature store
       causes pulls from that scope to fail, not to be silently accepted.


show OPTIONS

   --raw
       Output the trust policy file as raw JSON.

   --json, -j
       Output trust as JSON for machine parsing.

94

EXAMPLES

       Accept all unsigned images from a registry

              sudo podman image trust set --type accept docker.io

       Modify the default trust policy

              sudo podman image trust set -t reject default

       Display the system trust policy

              sudo podman image trust show

       Display the trust policy file

              sudo podman image trust show --raw

       Display trust as JSON

              sudo podman image trust show --json


SEE ALSO

       containers-policy.json(5), containers-registries.d(5)


HISTORY

       January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)

       December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)
