podman-image-trust(1)       General Commands Manual      podman-image-trust(1)

NAME

       podman-image-trust - Manage container registry image trust policy

SYNOPSIS

       podman image trust set|show [options] registry[/repository]

DESCRIPTION

       Manages which registries to trust as a source of container images,
       based on their location. (This command is not available with the
       remote Podman client, including Mac and Windows (excluding WSL2)
       machines.)

       The location is determined by the transport and the registry host of
       the image. Using the container image docker://docker.io/library/busybox
       as an example, docker is the transport and docker.io is the registry
       host.

       Trust is defined in /etc/containers/policy.json and is enforced when a
       user attempts to pull a remote image from a registry. The trust policy
       in policy.json describes a registry scope (registry and/or repository)
       for the trust. This trust can use public keys for signed images.

       The scope of the trust is evaluated from most specific to least
       specific. In other words, a policy may be:

              • Defined for an entire registry.

              • Defined for a particular repository in that registry.

              • Defined for a specific signed image inside of the registry.

       The following list gives examples of valid scope values used in
       policy.json, from most specific to least specific:

       docker.io/library/busybox:notlatest

       docker.io/library/busybox

       docker.io/library

       docker.io

       If no configuration is found for any of these scopes, the default value
       (specified by using "default" instead of REGISTRY[/REPOSITORY]) is
       used.

       The trust type provides a way to allowlist ("accept") or denylist
       ("reject") registries, to require a simple signing signature
       ("signedBy"), or to require a sigstore signature ("sigstoreSigned").

       Trust may be updated using the command podman image trust set for an
       existing trust scope.


OPTIONS

   --help, -h
       Print usage statement.

   set OPTIONS

   --pubkeysfile, -f=KEY1
       A path to an exported public key on the local system. Key paths are
       referenced in policy.json. Any path to a file may be used, but locating
       the file in /etc/pki/containers is recommended. The option may be used
       multiple times to require an image be signed by multiple keys. The
       --pubkeysfile option is required for the signedBy and sigstoreSigned
       types.

   --type, -t=value
       The trust type for this policy entry. Accepted values:

              signedBy (default): Require simple signing signatures with a
                                  corresponding list of public keys

              sigstoreSigned: Require sigstore signatures with a
                              corresponding list of public keys

              accept: Do not require any signatures for this registry scope

              reject: Do not accept images for this registry scope

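       The scope lookup described under DESCRIPTION (most specific scope first,
       then "default") and the requirement entries that the set options write,
       modelled in Python as an added example. This is not Podman code and
       not from this man page: the function names are the example's own, the
       signedBy entry shape and the sample policy values are copied from the
       --raw output under EXAMPLES, and the sigstoreSigned entry shape
       ({"type": "sigstoreSigned", "keyPath": ...}) is an assumption the page
       does not show.

```python
"""Added example, not part of Podman: a small model of the trust policy that
`podman image trust set` writes to /etc/containers/policy.json and of the
most-specific-to-least-specific scope lookup used when an image is pulled.
Assumed: the sigstoreSigned entry shape; signedBy shape is from the man page."""
import json

# --type value -> "type" string used in policy.json (see the --raw output)
POLICY_TYPE = {
    "accept": "insecureAcceptAnything",
    "reject": "reject",
    "signedBy": "signedBy",
    "sigstoreSigned": "sigstoreSigned",
}


def make_requirements(trust_type, pubkeysfiles=()):
    """Requirements one `set` call would write for a scope. Each -f key becomes
    its own requirement; every requirement in the list must hold for a pull."""
    if trust_type not in POLICY_TYPE:
        raise ValueError("unknown --type %r" % trust_type)
    if trust_type in ("signedBy", "sigstoreSigned"):
        if not pubkeysfiles:
            raise ValueError("--pubkeysfile is required for " + trust_type)
        if trust_type == "signedBy":
            return [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": p}
                    for p in pubkeysfiles]
        # assumed shape for sigstoreSigned (not shown on the man page)
        return [{"type": "sigstoreSigned", "keyPath": p} for p in pubkeysfiles]
    return [{"type": POLICY_TYPE[trust_type]}]


def trust_set(policy, scope, trust_type, pubkeysfiles=()):
    """Mimic `podman image trust set -t TYPE [-f KEY] SCOPE` on a policy dict.
    "default" replaces the fallback; any other scope lives under the docker
    transport, since `set` takes registry[/repository] names."""
    reqs = make_requirements(trust_type, pubkeysfiles)
    if scope == "default":
        policy["default"] = reqs
    else:
        policy.setdefault("transports", {}).setdefault("docker", {})[scope] = reqs
    return policy


def candidate_scopes(name):
    """Scopes to try for an image name, most specific first, e.g.
    docker.io/library/busybox:notlatest -> docker.io/library/busybox
    -> docker.io/library -> docker.io"""
    scopes = [name]
    head, _, last = name.rpartition("/")
    # drop the tag or digest from the last path component only
    base = last.split("@", 1)[0].split(":", 1)[0]
    repo = head + "/" + base if head else base
    if repo != name:
        scopes.append(repo)
    while "/" in repo:
        repo = repo.rsplit("/", 1)[0]
        scopes.append(repo)
    return scopes


def resolve(policy, image_ref):
    """Return (matched scope, requirements) for a transport://name reference.
    Tries the transport's scopes most specific first, then its "" scope
    (as docker-daemon uses), then the policy's "default"."""
    transport, _, name = image_ref.partition("://")
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(name) + [""]:
        if scope in scopes:
            return scope, scopes[scope]
    return "default", policy["default"]


def build_example_policy():
    """Constructed policy mirroring the man page's EXAMPLES system."""
    policy = {"default": [{"type": "reject"}], "transports": {}}
    trust_set(policy, "docker.io", "reject")
    trust_set(policy, "docker.io/library", "accept")
    trust_set(policy, "registry.access.redhat.com", "signedBy",
              ["/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"])
    policy["transports"]["docker-daemon"] = {"": [{"type": "insecureAcceptAnything"}]}
    return policy


EXAMPLE_POLICY = build_example_policy()

if __name__ == "__main__":
    for ref in ("docker://docker.io/library/busybox:notlatest",
                "docker://docker.io/someorg/app",
                "docker://quay.io/someorg/app"):
        print(ref, "->", resolve(EXAMPLE_POLICY, ref))
    print(json.dumps(EXAMPLE_POLICY, indent=2))
```

       Note that docker.io/library resolves to "accept" even though docker.io
       as a whole is "reject": the more specific scope wins, which is why a
       broad reject entry does not protect a registry whose sub-scopes were
       opened up earlier.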
   show OPTIONS

   --json, -j
       Output trust as JSON for machine parsing.

   --noheading, -n
       Omit the table headings from the listing.

   --raw
       Output the trust policy file as raw JSON.


EXAMPLES

       Accept all unsigned images from a registry

              sudo podman image trust set --type accept docker.io

       Modify default trust policy

              sudo podman image trust set -t reject default

       Display system trust policy

              podman image trust show

              TRANSPORT      NAME                        TYPE        ID                   STORE
              all            default                     reject
              repository     docker.io/library           accept
              repository     registry.access.redhat.com  signed      security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
              repository     registry.redhat.io          signed      security@redhat.com  https://registry.redhat.io/containers/sigstore
              repository     docker.io                   reject
              docker-daemon                              accept

       Display trust policy file

              podman image trust show --raw

              {
                  "default": [
                      {
                          "type": "reject"
                      }
                  ],
                  "transports": {
                      "docker": {
                          "docker.io": [
                              {
                                  "type": "reject"
                              }
                          ],
                          "docker.io/library": [
                              {
                                  "type": "insecureAcceptAnything"
                              }
                          ],
                          "registry.access.redhat.com": [
                              {
                                  "type": "signedBy",
                                  "keyType": "GPGKeys",
                                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                              }
                          ],
                          "registry.redhat.io": [
                              {
                                  "type": "signedBy",
                                  "keyType": "GPGKeys",
                                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                              }
                          ]
                      },
                      "docker-daemon": {
                          "": [
                              {
                                  "type": "insecureAcceptAnything"
                              }
                          ]
                      }
                  }
              }

       Display trust as JSON

              podman image trust show --json

              [
                {
                  "transport": "all",
                  "name": "* (default)",
                  "repo_name": "default",
                  "type": "reject"
                },
                {
                  "transport": "repository",
                  "name": "docker.io",
                  "repo_name": "docker.io",
                  "type": "reject"
                },
                {
                  "transport": "repository",
                  "name": "docker.io/library",
                  "repo_name": "docker.io/library",
                  "type": "accept"
                },
                {
                  "transport": "repository",
                  "name": "registry.access.redhat.com",
                  "repo_name": "registry.access.redhat.com",
                  "sigstore": "https://access.redhat.com/webassets/docker/content/sigstore",
                  "type": "signed",
                  "gpg_id": "security@redhat.com"
                },
                {
                  "transport": "repository",
                  "name": "registry.redhat.io",
                  "repo_name": "registry.redhat.io",
                  "sigstore": "https://registry.redhat.io/containers/sigstore",
                  "type": "signed",
                  "gpg_id": "security@redhat.com"
                },
                {
                  "transport": "docker-daemon",
                  "type": "accept"
                }
              ]


SEE ALSO

       containers-policy.json(5)


HISTORY

       January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)

       December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)


                                                         podman-image-trust(1)