podman-image-trust(1)        General Commands Manual        podman-image-trust(1)

NAME
       podman-image-trust - Manage container registry image trust policy

SYNOPSIS
       podman image trust set|show [options] registry[/repository]

DESCRIPTION
       Manages which registries you trust as a source of container images
       based on their location. (This option is not available with the
       remote Podman client, including Mac and Windows (excluding WSL2)
       machines.)

       The location is determined by the transport and the registry host of
       the image. Using the container image docker://docker.io/library/busybox
       as an example, docker is the transport and docker.io is the registry
       host.

       Trust is defined in /etc/containers/policy.json and is enforced when a
       user attempts to pull a remote image from a registry. The trust policy
       in policy.json describes a registry scope (registry and/or repository)
       for the trust. This trust can use public keys for signed images.

       The scope of the trust is evaluated from most specific to least
       specific. In other words, a policy may be defined for an entire
       registry, for a particular repository in that registry, or down to a
       specific signed image inside of the registry.

       For example, the following list includes valid scope values that could
       be used in policy.json, from most specific to least specific:

              docker.io/library/busybox:notlatest
              docker.io/library/busybox
              docker.io/library
              docker.io

       If no configuration is found for any of these scopes, the default value
       (specified by using "default" instead of REGISTRY[/REPOSITORY]) is
       used.
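The scope walk described above, as an added example that is our code and not podman's or containers/image's: it resolves which policy.json requirement applies to a given image reference by trying the scopes from most specific to least specific and then falling back to "default". The sample policy is constructed from the `podman image trust show --raw` output further down this page; the function names are ours, and the walk assumes exact registry/repository/tag scopes only (it does not handle wildcard scopes).

```python
"""Resolve the policy.json requirement for an image reference (added example)."""
import json
from typing import List, Tuple

# Constructed sample: the policy.json shown by `podman image trust show --raw`
# on this page, embedded inline so the example runs offline.
SAMPLE_POLICY_JSON = """
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io": [{"type": "reject"}],
      "docker.io/library": [{"type": "insecureAcceptAnything"}],
      "registry.access.redhat.com": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}
      ]
    },
    "docker-daemon": {
      "": [{"type": "insecureAcceptAnything"}]
    }
  }
}
"""
POLICY = json.loads(SAMPLE_POLICY_JSON)


def candidate_scopes(reference: str) -> List[str]:
    """Scopes to try for a docker-transport reference, most specific first:
    the reference itself (with tag or digest), the bare repository, each
    parent namespace, and finally the registry host alone."""
    scopes = [reference]
    repo = reference
    # Strip a digest (@sha256:...) or a tag (:tag) to get the repository name.
    # A ':' only counts as a tag separator in the last path component, so a
    # registry port such as localhost:5000/app is left alone.
    if "@" in repo:
        repo = repo.split("@", 1)[0]
    elif ":" in repo.rsplit("/", 1)[-1]:
        repo = repo.rsplit(":", 1)[0]
    if repo != reference:
        scopes.append(repo)
    while "/" in repo:
        repo = repo.rsplit("/", 1)[0]
        scopes.append(repo)
    return scopes


def resolve(policy: dict, transport: str, reference: str) -> Tuple[str, List[dict]]:
    """Return (scope_used, requirements) for an image on the given transport.
    The empty scope "" is a transport-wide entry (as docker-daemon uses above);
    if nothing under the transport matches, the top-level "default" applies."""
    per_transport = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(reference) + [""]:
        if scope in per_transport:
            return scope, per_transport[scope]
    return "default", policy["default"]


def describe(policy: dict, transport: str, reference: str) -> str:
    """One-line summary of what a pull of this reference would be checked against."""
    scope, reqs = resolve(policy, transport, reference)
    kinds = ", ".join(r["type"] for r in reqs)
    return f"{transport}:{reference} -> scope {scope!r}: {kinds}"


if __name__ == "__main__":
    for transport, ref in [
        ("docker", "docker.io/library/busybox:notlatest"),  # repository-level accept wins over registry reject
        ("docker", "docker.io/someone/app:1.0"),             # only the registry scope matches: reject
        ("docker", "registry.access.redhat.com/ubi9/ubi"),   # signedBy with a GPG key
        ("docker", "quay.io/example/tool"),                   # nothing matches: default (reject)
        ("docker-daemon", "local/image:dev"),                 # transport-wide "" scope
        ("containers-storage", "local/image:dev"),            # unknown transport: default
    ]:
        print(describe(POLICY, transport, ref))
```

The first printed line is the case the scope list above is about: the repository entry for docker.io/library accepts the image even though the less specific docker.io entry rejects, because the more specific scope is consulted first.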

       Trust type provides a way to allowlist ("accept") or denylist
       ("reject") registries, to require a simple signing signature
       ("signedBy"), or to require a sigstore signature ("sigstoreSigned").

       Trust may be updated using the command podman image trust set for an
       existing trust scope.

OPTIONS
       --help, -h
              Print usage statement.

   set OPTIONS
       --pubkeysfile, -f=KEY1
              A path to an exported public key on the local system. Key paths
              are referenced in policy.json. Any path to a file may be used,
              but locating the file in /etc/pki/containers is recommended.
              The option may be used multiple times to require an image be
              signed by multiple keys. The --pubkeysfile option is required
              for the signedBy and sigstoreSigned types.

       --type, -t=value
              The trust type for this policy entry. Accepted values:

              signedBy (default): require simple signing signatures with the
                     corresponding list of public keys
              sigstoreSigned: require sigstore signatures with the
                     corresponding list of public keys
              accept: do not require any signatures for this registry scope
              reject: do not accept images for this registry scope
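As an added example of what the set options above amount to (our code, not podman's), the following builds the policy.json entry that `podman image trust set --type TYPE [-f KEY ...] SCOPE` is documented to write and enforces the rule that --pubkeysfile is required for the signedBy and sigstoreSigned types. Assumptions: "accept" is stored as insecureAcceptAnything (as the --raw output on this page shows); a single key is written as keyPath and several keys as keyPaths; signedBy entries carry keyType "GPGKeys"; the key path used at the bottom is a placeholder. Function names are ours.

```python
"""Build and audit policy.json entries for `podman image trust set` (added example)."""
import copy
from typing import Sequence

# The four --type values accepted by `set`, mapped to policy.json requirement types.
TYPE_TO_POLICY = {
    "accept": "insecureAcceptAnything",
    "reject": "reject",
    "signedBy": "signedBy",
    "sigstoreSigned": "sigstoreSigned",
}
SIGNATURE_TYPES = ("signedBy", "sigstoreSigned")


def build_requirement(trust_type: str, pubkeysfiles: Sequence[str] = ()) -> dict:
    """Return one policy requirement object, validating the type/key combination."""
    if trust_type not in TYPE_TO_POLICY:
        raise ValueError(f"unknown trust type {trust_type!r}; expected one of {sorted(TYPE_TO_POLICY)}")
    req = {"type": TYPE_TO_POLICY[trust_type]}
    if trust_type in SIGNATURE_TYPES:
        if not pubkeysfiles:
            # The man page: --pubkeysfile is required for signedBy and sigstoreSigned.
            raise ValueError(f"--pubkeysfile is required for type {trust_type}")
        if trust_type == "signedBy":
            req["keyType"] = "GPGKeys"  # simple signing verifies with GPG keys
        # Assumption: one key is written as keyPath, several as keyPaths.
        if len(pubkeysfiles) == 1:
            req["keyPath"] = pubkeysfiles[0]
        else:
            req["keyPaths"] = list(pubkeysfiles)  # image must be signed by every listed key
    return req


def set_trust(policy: dict, scope: str, trust_type: str,
              pubkeysfiles: Sequence[str] = (), transport: str = "docker") -> dict:
    """Return a copy of policy with the entry for scope replaced.  Scope "default"
    updates the top-level default; any other scope lands under the transport."""
    updated = copy.deepcopy(policy)
    req = build_requirement(trust_type, pubkeysfiles)
    if scope == "default":
        updated["default"] = [req]
    else:
        updated.setdefault("transports", {}).setdefault(transport, {})[scope] = [req]
    return updated


def audit(policy: dict) -> list:
    """List every scope that accepts unsigned images, the first thing to check on a host."""
    findings = []
    if any(r["type"] == "insecureAcceptAnything" for r in policy.get("default", [])):
        findings.append("default accepts unsigned images from any registry")
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            if any(r["type"] == "insecureAcceptAnything" for r in reqs):
                findings.append(f"{transport}:{scope or '<all>'} accepts unsigned images")
    return findings


if __name__ == "__main__":
    import json
    # Start from a permissive policy and apply the two EXAMPLES on this page,
    # then require GPG signatures for one registry (placeholder key path).
    policy = {"default": [{"type": "insecureAcceptAnything"}]}
    policy = set_trust(policy, "docker.io", "accept")   # podman image trust set --type accept docker.io
    policy = set_trust(policy, "default", "reject")     # podman image trust set -t reject default
    policy = set_trust(policy, "registry.example.com", "signedBy",
                       ["/etc/pki/containers/example-release.gpg"])
    print(json.dumps(policy, indent=2))
    print("audit:", audit(policy))
```

The audit step is the check worth keeping around: after the default has been switched to reject, any remaining insecureAcceptAnything scope is exactly the set of registries from which unsigned images are still allowed.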

   show OPTIONS
       --json, -j
              Output trust as JSON for machine parsing

       --noheading, -n
              Omit the table headings from the trust listings

       --raw
              Output trust policy file as raw JSON

EXAMPLES
       Accept all unsigned images from a registry

              sudo podman image trust set --type accept docker.io

       Modify default trust policy

              sudo podman image trust set -t reject default

       Display system trust policy

              podman image trust show

              TRANSPORT      NAME                        TYPE    ID                   STORE
              all            default                     reject
              repository     docker.io/library           accept
              repository     registry.access.redhat.com  signed  security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
              repository     registry.redhat.io          signed  security@redhat.com  https://registry.redhat.io/containers/sigstore
              repository     docker.io                   reject
              docker-daemon                              accept

       Display trust policy file

              podman image trust show --raw

              {
                "default": [
                  {
                    "type": "reject"
                  }
                ],
                "transports": {
                  "docker": {
                    "docker.io": [
                      {
                        "type": "reject"
                      }
                    ],
                    "docker.io/library": [
                      {
                        "type": "insecureAcceptAnything"
                      }
                    ],
                    "registry.access.redhat.com": [
                      {
                        "type": "signedBy",
                        "keyType": "GPGKeys",
                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                      }
                    ],
                    "registry.redhat.io": [
                      {
                        "type": "signedBy",
                        "keyType": "GPGKeys",
                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                      }
                    ]
                  },
                  "docker-daemon": {
                    "": [
                      {
                        "type": "insecureAcceptAnything"
                      }
                    ]
                  }
                }
              }

       Display trust as JSON

              podman image trust show --json

              [
                {
                  "transport": "all",
                  "name": "* (default)",
                  "repo_name": "default",
                  "type": "reject"
                },
                {
                  "transport": "repository",
                  "name": "docker.io",
                  "repo_name": "docker.io",
                  "type": "reject"
                },
                {
                  "transport": "repository",
                  "name": "docker.io/library",
                  "repo_name": "docker.io/library",
                  "type": "accept"
                },
                {
                  "transport": "repository",
                  "name": "registry.access.redhat.com",
                  "repo_name": "registry.access.redhat.com",
                  "sigstore": "https://access.redhat.com/webassets/docker/content/sigstore",
                  "type": "signed",
                  "gpg_id": "security@redhat.com"
                },
                {
                  "transport": "repository",
                  "name": "registry.redhat.io",
                  "repo_name": "registry.redhat.io",
                  "sigstore": "https://registry.redhat.io/containers/sigstore",
                  "type": "signed",
                  "gpg_id": "security@redhat.com"
                },
                {
                  "transport": "docker-daemon",
                  "type": "accept"
                }
              ]

SEE ALSO
       containers-policy.json(5)

HISTORY
       January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)

       December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)