podman-image-trust(1)       General Commands Manual      podman-image-trust(1)


NAME

       podman-image-trust - Manage container registry image trust policy


SYNOPSIS

       podman image trust set|show [options] registry[/repository]


DESCRIPTION

       Manages which registries you trust as a source of container images
       based on their location. (This command is not available with the
       remote Podman client, including Mac and Windows (excluding WSL2)
       machines.)

       The location is determined by the transport and the registry host of
       the image. Using the container image docker://docker.io/library/busybox
       as an example, docker is the transport and docker.io is the registry
       host.
23
24
       Trust is defined in /etc/containers/policy.json and is enforced when a
       user attempts to pull a remote image from a registry. The trust policy
       in policy.json describes a registry scope (registry and/or repository)
       for the trust. This trust can use public keys for signed images.

       The scope of the trust is evaluated from most specific to the least
       specific. In other words, a policy may be defined for an entire
       registry. Or it could be defined for a particular repository in that
       registry. Or it could be defined down to a specific signed image inside
       of the registry.
36
37
       For example, the following list includes valid scope values that could
       be used in policy.json from most specific to the least specific:

              docker.io/library/busybox:notlatest
              docker.io/library/busybox
              docker.io/library
              docker.io
44
45
       If no configuration is found for any of these scopes, the default value
       (specified by using "default" instead of REGISTRY[/REPOSITORY]) is
       used.
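       The scope lookup described above, as an added Python example that is
       not part of this man page or of Podman's own code: it loads the
       policy.json printed by "podman image trust show --raw" later on this
       page, builds the candidate scopes for an image name from most specific
       to least specific, and falls back to the transport-wide "" scope (the
       docker-daemon entry) and then to "default". The scope_candidates and
       resolve functions and the SHOW_TYPE mapping are the example's own
       names; Podman's real matching (see containers-policy.json(5)) covers
       more cases than this.

```python
import json

# Constructed sample: the policy.json that `podman image trust show --raw`
# prints on this page (the keyPath values are the page's own example values).
POLICY_JSON = r'''{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io": [{"type": "reject"}],
      "docker.io/library": [{"type": "insecureAcceptAnything"}],
      "registry.access.redhat.com": [{"type": "signedBy", "keyType": "GPGKeys",
        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
      "registry.redhat.io": [{"type": "signedBy", "keyType": "GPGKeys",
        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}'''
POLICY = json.loads(POLICY_JSON)

# How `podman image trust show` labels the raw policy.json types.
SHOW_TYPE = {"insecureAcceptAnything": "accept", "reject": "reject",
             "signedBy": "signed", "sigstoreSigned": "sigstoreSigned"}


def scope_candidates(name):
    """Scopes to try for an image name, most specific first, e.g.
    docker.io/library/busybox:notlatest, docker.io/library/busybox,
    docker.io/library, docker.io."""
    cands = [name]
    base = name.split("@", 1)[0]          # drop a @sha256:... digest
    slash, colon = base.rfind("/"), base.rfind(":")
    if colon > slash:                     # a ':' after the last '/' is a tag
        base = base[:colon]
    if base != name:
        cands.append(base)
    while "/" in base:                    # walk up to the registry host
        base = base.rsplit("/", 1)[0]
        cands.append(base)
    return cands


def resolve(policy, transport, name):
    """Return (scope, show_type) for transport://name, falling back to the
    transport-wide "" scope and then to the top-level default. Only the
    first requirement of the matching scope is reported here."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in scope_candidates(name) + [""]:
        if scope in scopes:
            return scope, SHOW_TYPE[scopes[scope][0]["type"]]
    return "default", SHOW_TYPE[policy["default"][0]["type"]]
```

       With this policy, docker.io/library/busybox:notlatest resolves to the
       docker.io/library scope (accept), while any other docker.io image
       falls through to the docker.io scope (reject).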
49
50
       Trust type provides a way to:

              •  Allowlist ("accept") or Denylist ("reject") registries
              •  Require a simple signing signature ("signedBy")
              •  Require a sigstore signature ("sigstoreSigned")
57
58
       Trust may be updated using the command podman image trust set for an
       existing trust scope.

62

OPTIONS

   --help, -h
       Print usage statement.

   set OPTIONS
   --pubkeysfile, -f=KEY1
       A path to an exported public key on the local system. Key paths will
       be referenced in policy.json. Any path to a file may be used but
       locating the file in /etc/pki/containers is recommended. The option may
       be used multiple times to require an image be signed by multiple keys.
       The --pubkeysfile option is required for the signedBy and
       sigstoreSigned types.

77
   --type, -t=value
       The trust type for this policy entry. Accepted values:

              signedBy (default): Require simple signing signatures with a
                                  corresponding list of public keys
              sigstoreSigned:     Require sigstore signatures with a
                                  corresponding list of public keys
              accept:             Do not require any signatures for this
                                  registry scope
              reject:             Do not accept images for this registry scope

91
   show OPTIONS
   --json, -j
       Output trust as JSON for machine parsing

   --noheading, -n
       Omit the table headings from the trust listings

   --raw
       Output trust policy file as raw JSON


EXAMPLES

       Accept all unsigned images from a registry

              sudo podman image trust set --type accept docker.io

       Modify default trust policy

              sudo podman image trust set -t reject default

       Display system trust policy

              podman image trust show

              TRANSPORT      NAME                        TYPE        ID                   STORE
              all            default                     reject
              repository     docker.io/library           accept
              repository     registry.access.redhat.com  signed      security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
              repository     registry.redhat.io          signed      security@redhat.com  https://registry.redhat.io/containers/sigstore
              repository     docker.io                   reject
              docker-daemon                              accept

136
       Display trust policy file

              podman image trust show --raw

              {
                  "default": [
                      {
                          "type": "reject"
                      }
                  ],
                  "transports": {
                      "docker": {
                          "docker.io": [
                              {
                                  "type": "reject"
                              }
                          ],
                          "docker.io/library": [
                              {
                                  "type": "insecureAcceptAnything"
                              }
                          ],
                          "registry.access.redhat.com": [
                              {
                                  "type": "signedBy",
                                  "keyType": "GPGKeys",
                                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                              }
                          ],
                          "registry.redhat.io": [
                              {
                                  "type": "signedBy",
                                  "keyType": "GPGKeys",
                                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                              }
                          ]
                      },
                      "docker-daemon": {
                          "": [
                              {
                                  "type": "insecureAcceptAnything"
                              }
                          ]
                      }
                  }
              }

188
       Display trust as JSON

              podman image trust show --json

              [
                {
                  "transport": "all",
                  "name": "* (default)",
                  "repo_name": "default",
                  "type": "reject"
                },
                {
                  "transport": "repository",
                  "name": "docker.io",
                  "repo_name": "docker.io",
                  "type": "reject"
                },
                {
                  "transport": "repository",
                  "name": "docker.io/library",
                  "repo_name": "docker.io/library",
                  "type": "accept"
                },
                {
                  "transport": "repository",
                  "name": "registry.access.redhat.com",
                  "repo_name": "registry.access.redhat.com",
                  "sigstore": "https://access.redhat.com/webassets/docker/content/sigstore",
                  "type": "signed",
                  "gpg_id": "security@redhat.com"
                },
                {
                  "transport": "repository",
                  "name": "registry.redhat.io",
                  "repo_name": "registry.redhat.io",
                  "sigstore": "https://registry.redhat.io/containers/sigstore",
                  "type": "signed",
                  "gpg_id": "security@redhat.com"
                },
                {
                  "transport": "docker-daemon",
                  "type": "accept"
                }
              ]


SEE ALSO

       containers-policy.json(5)


HISTORY

       January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)

       December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)