podman-image-trust(1)          General Commands Manual         podman-image-trust(1)

NAME
    podman-image-trust - Manage container registry image trust policy

SYNOPSIS
    podman image trust set|show [options] registry[/repository]

DESCRIPTION
    Manages which registries to trust as a source of container images
    based on their location. (This option is not available with the remote
    Podman client, including Mac and Windows (excluding WSL2) machines.)

    The location is determined by the transport and the registry host of
    the image. Using the container image docker://docker.io/library/busybox
    as an example, docker is the transport and docker.io is the registry
    host.

    Trust is defined in /etc/containers/policy.json and is enforced when a
    user attempts to pull a remote image from a registry. The trust policy
    in policy.json describes a registry scope (registry and/or repository)
    for the trust. This trust can use public keys for signed images.

    The scope of the trust is evaluated from most specific to the least
    specific. In other words, a policy may be:

      • Defined for an entire registry.

      • Defined for a particular repository in that registry.

      • Defined for a specific signed image inside of the registry.

    The following list gives examples of valid scope values used in
    policy.json, from most specific to the least specific:

        docker.io/library/busybox:notlatest

        docker.io/library/busybox

        docker.io/library

        docker.io

    If no configuration is found for any of these scopes, the default value
    (specified by using "default" instead of REGISTRY[/REPOSITORY]) is
    used.
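    The lookup order just described, as an added example that is not part
    of this man page or of Podman's code: a small Python resolver that walks
    the scopes for an image reference from most specific to least specific
    over a constructed policy.json (modelled on the --raw output shown under
    EXAMPLES), then falls back to the transport-wide "" entry and finally to
    "default". It is a simplified exact-key lookup; the containers/image
    library applies further matching rules beyond what is shown here.

```python
import json

# Constructed sample policy, modelled on the "podman image trust show --raw"
# output in this man page; scopes and key path are illustration only.
SAMPLE_POLICY = json.loads("""{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io": [{"type": "reject"}],
      "docker.io/library": [{"type": "insecureAcceptAnything"}],
      "registry.access.redhat.com": [{"type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}""")


def scope_candidates(reference):
    """Scopes to try for an image reference, most specific first: the full
    reference, the repository (tag/digest stripped), each parent namespace,
    then the registry host."""
    repo = reference.split("@", 1)[0]               # drop @digest
    head, _, last = repo.rpartition("/")
    if ":" in last:                                 # drop :tag
        repo = (head + "/" if head else "") + last.split(":", 1)[0]
    scopes = [reference] if repo != reference else []
    while True:
        scopes.append(repo)
        if "/" not in repo:
            return scopes
        repo = repo.rsplit("/", 1)[0]


def resolve_policy(policy, transport, reference):
    """Return (matched scope, requirement types) for one pull, falling back
    to the transport-wide "" entry and then to the global default.
    Simplified exact-key lookup; containers/image has further match rules."""
    per_transport = policy.get("transports", {}).get(transport, {})
    for scope in scope_candidates(reference):
        if scope in per_transport:
            return scope, [r["type"] for r in per_transport[scope]]
    if "" in per_transport:
        return "", [r["type"] for r in per_transport[""]]
    return "default", [r["type"] for r in policy["default"]]
```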

    The trust type provides a way to allowlist ("accept") or denylist
    ("reject") registries, to require a simple signing signature
    ("signedBy"), or to require a sigstore signature ("sigstoreSigned").

    Trust may be updated using the command podman image trust set for an
    existing trust scope.

OPTIONS
    --help, -h
        Print usage statement.

  set OPTIONS
    --pubkeysfile, -f=KEY1
        A path to an exported public key on the local system. Key paths
        are referenced in policy.json. Any path to a file may be used, but
        locating the file in /etc/pki/containers is recommended. The option
        may be given multiple times to require that an image be signed by
        multiple keys. The --pubkeysfile option is required for the
        signedBy and sigstoreSigned types.

    --type, -t=value
        The trust type for this policy entry.
        Accepted values:
            signedBy (default): Require simple signing signatures with the
                corresponding list of public keys
            sigstoreSigned: Require sigstore signatures with the
                corresponding list of public keys
            accept: do not require any signatures for this registry scope
            reject: do not accept images for this registry scope

  show OPTIONS
    --json, -j
        Output trust as JSON for machine parsing

    --noheading, -n
        Omit the table headings from the listing.

    --raw
        Output trust policy file as raw JSON

EXAMPLES
    Accept all unsigned images from a registry

        sudo podman image trust set --type accept docker.io

    Modify default trust policy

        sudo podman image trust set -t reject default

    Display system trust policy

        podman image trust show

        TRANSPORT      NAME                        TYPE    ID                   STORE
        all            default                     reject
        repository     docker.io/library           accept
        repository     registry.access.redhat.com  signed  security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
        repository     registry.redhat.io          signed  security@redhat.com  https://registry.redhat.io/containers/sigstore
        repository     docker.io                   reject
        docker-daemon                              accept

    Display trust policy file

        podman image trust show --raw

        {
          "default": [
            {
              "type": "reject"
            }
          ],
          "transports": {
            "docker": {
              "docker.io": [
                {
                  "type": "reject"
                }
              ],
              "docker.io/library": [
                {
                  "type": "insecureAcceptAnything"
                }
              ],
              "registry.access.redhat.com": [
                {
                  "type": "signedBy",
                  "keyType": "GPGKeys",
                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
              ],
              "registry.redhat.io": [
                {
                  "type": "signedBy",
                  "keyType": "GPGKeys",
                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
              ]
            },
            "docker-daemon": {
              "": [
                {
                  "type": "insecureAcceptAnything"
                }
              ]
            }
          }
        }

    Display trust as JSON

        podman image trust show --json

        [
          {
            "transport": "all",
            "name": "* (default)",
            "repo_name": "default",
            "type": "reject"
          },
          {
            "transport": "repository",
            "name": "docker.io",
            "repo_name": "docker.io",
            "type": "reject"
          },
          {
            "transport": "repository",
            "name": "docker.io/library",
            "repo_name": "docker.io/library",
            "type": "accept"
          },
          {
            "transport": "repository",
            "name": "registry.access.redhat.com",
            "repo_name": "registry.access.redhat.com",
            "sigstore": "https://access.redhat.com/webassets/docker/content/sigstore",
            "type": "signed",
            "gpg_id": "security@redhat.com"
          },
          {
            "transport": "repository",
            "name": "registry.redhat.io",
            "repo_name": "registry.redhat.io",
            "sigstore": "https://registry.redhat.io/containers/sigstore",
            "type": "signed",
            "gpg_id": "security@redhat.com"
          },
          {
            "transport": "docker-daemon",
            "type": "accept"
          }
        ]

SEE ALSO
    containers-policy.json(5)

HISTORY
    January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)

    December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)

                                                         podman-image-trust(1)