podman-image-trust(1) General Commands Manual podman-image-trust(1)

NAME
podman-image-trust - Manage container registry image trust policy

SYNOPSIS
podman image trust set|show [options] registry[/repository]

DESCRIPTION
Manages which registries to trust as a source of container images,
based on the image's location. (This option is not available with the
remote Podman client, including Mac and Windows (excluding WSL2)
machines.)

The location is determined by the transport and the registry host of
the image. Using the container image docker://docker.io/library/busybox
as an example, docker is the transport and docker.io is the registry
host.

Trust is defined in /etc/containers/policy.json and is enforced when a
user attempts to pull a remote image from a registry. The trust policy
in policy.json describes a registry scope (registry and/or repository)
for the trust. This trust can use public keys for signed images.

The scope of the trust is evaluated from the most specific to the least
specific. In other words, a policy may be:

• Defined for an entire registry.

• Defined for a particular repository in that registry.

• Defined for a specific signed image inside of the registry.

The following are examples of valid scope values used in policy.json,
from the most specific to the least specific:

docker.io/library/busybox:notlatest

docker.io/library/busybox

docker.io/library

docker.io

If no configuration is found for any of these scopes, the default value
(specified by using "default" instead of REGISTRY[/REPOSITORY]) is
used.

The trust type provides a way to allowlist ("accept") or denylist
("reject") a registry scope, to require a simple signing signature
("signedBy"), or to require a sigstore signature ("sigstoreSigned").

Trust may be updated using the command podman image trust set for an
existing trust scope.
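The scope resolution and trust types described above, as an added worked example in Python (it is not part of this man page or of the podman project's own code). The policy it evaluates is constructed inline to match the "podman image trust show --raw" output in EXAMPLES; the function names, the sample image references and the treatment of a transport-wide "" scope are assumptions made for the example. Short-name resolution is not modelled, so references must be fully qualified, and the example reports what a pull would require rather than verifying any signature.

```python
import json

# Constructed policy.json content, mirroring the "podman image trust show --raw"
# output in EXAMPLES (an assumption for this example; not read from the system).
POLICY_JSON = """
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "docker.io":         [ { "type": "reject" } ],
      "docker.io/library": [ { "type": "insecureAcceptAnything" } ],
      "registry.access.redhat.com": [ { "type": "signedBy", "keyType": "GPGKeys",
                                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" } ],
      "registry.redhat.io":         [ { "type": "signedBy", "keyType": "GPGKeys",
                                        "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" } ]
    },
    "docker-daemon": { "": [ { "type": "insecureAcceptAnything" } ] }
  }
}
"""


def load_policy(text=POLICY_JSON):
    return json.loads(text)


def candidate_scopes(ref):
    """Scopes to try for a fully qualified image reference, most specific first.

    docker.io/library/busybox:notlatest yields, in order:
      docker.io/library/busybox:notlatest, docker.io/library/busybox,
      docker.io/library, docker.io
    """
    name, _, digest = ref.partition("@")
    if digest:
        repo = name                                     # name@sha256:... -> drop the digest
    else:
        slash, colon = ref.rfind("/"), ref.rfind(":")
        repo = ref[:colon] if colon > slash else ref    # drop a tag, keep a host:port
    scopes = [ref] if repo != ref else []               # exact tagged/digested reference first
    parts = repo.split("/")
    for i in range(len(parts), 0, -1):                  # repository, namespaces, then host
        scopes.append("/".join(parts[:i]))
    return scopes


def lookup(policy, transport, ref):
    """Return (scope, requirements) for the most specific matching scope.

    Falls back to the transport-wide "" scope (as docker-daemon uses in the
    policy above) and finally to the top-level "default" entry.
    """
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(ref):
        if scope in scopes:
            return scope, scopes[scope]
    if "" in scopes:
        return "", scopes[""]
    return "default", policy["default"]


def evaluate(policy, transport, ref):
    """Summarise what pulling `ref` requires under the policy.

    Every requirement listed under the chosen scope must be met, so a signedBy
    scope with two keys demands two valid signatures. Verification itself is
    out of scope here; only the demand is reported.
    """
    scope, requirements = lookup(policy, transport, ref)
    verdicts = []
    for req in requirements:
        kind = req.get("type")
        if kind == "insecureAcceptAnything":
            verdicts.append("accept")
        elif kind == "reject":
            verdicts.append("reject")
        elif kind in ("signedBy", "sigstoreSigned"):
            verdicts.append(f"{kind}:{req.get('keyPath', '<keyData>')}")
        else:
            verdicts.append("reject")                   # unknown requirement types fail closed
    return scope, verdicts


if __name__ == "__main__":
    policy = load_policy()
    for transport, ref in [("docker", "docker.io/library/busybox:notlatest"),
                           ("docker", "docker.io/someuser/app:1.0"),
                           ("docker", "registry.redhat.io/ubi9/ubi:latest"),
                           ("docker", "quay.io/someproject/image"),
                           ("docker-daemon", "localbuild:dev")]:
        print(f"{transport}:{ref} -> {evaluate(policy, transport, ref)}")
```

Note how the more specific docker.io/library scope (accept) wins over the registry-wide docker.io scope (reject) for library images, while an image elsewhere on docker.io falls through to the reject entry, and a registry with no entry at all lands on "default".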

OPTIONS
--help, -h
Print usage statement.

set OPTIONS
--pubkeysfile, -f=KEY1
A path to an exported public key on the local system. Key paths are
referenced in policy.json. Any path to a file may be used, but locating
the file in /etc/pki/containers is recommended. The option may be used
multiple times to require an image to be signed by multiple keys. The
--pubkeysfile option is required for the signedBy and sigstoreSigned
types.

--type, -t=value
The trust type for this policy entry. Accepted values:
signedBy (default): Require simple signing signatures with the
corresponding list of public keys
sigstoreSigned: Require sigstore signatures with the corresponding list
of public keys
accept: Do not require any signatures for this registry scope
reject: Do not accept images for this registry scope
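What the set subcommand's --type and --pubkeysfile options turn into inside policy.json, as an added Python example that is not podman's own code. It builds the entry for each trust type the way the --raw output in EXAMPLES shows it (accept becomes insecureAcceptAnything, reject stays reject, signedBy carries keyType GPGKeys and a keyPath) and gives signedBy/sigstoreSigned one requirement per key so that every key's signature is required. The helper name, the registry.example.com scope, the key paths and the sigstoreSigned entry shape are assumptions made for the example.

```python
import copy
import json

TRUST_TYPES = ("signedBy", "sigstoreSigned", "accept", "reject")


def trust_set(policy, scope, trust_type="signedBy", pubkeysfiles=(), transport="docker"):
    """Return a copy of `policy` with `scope` replaced by a fresh entry of `trust_type`.

    Hypothetical helper modelling `podman image trust set -t TYPE [-f KEY]... SCOPE`:
    "default" targets the top-level default entry, anything else lands under
    transports/<transport>/<scope>.
    """
    if trust_type not in TRUST_TYPES:
        raise ValueError(f"unknown trust type {trust_type!r}; expected one of {TRUST_TYPES}")
    if trust_type in ("signedBy", "sigstoreSigned") and not pubkeysfiles:
        raise ValueError(f"--pubkeysfile is required for type {trust_type}")

    if trust_type == "accept":
        entry = [{"type": "insecureAcceptAnything"}]
    elif trust_type == "reject":
        entry = [{"type": "reject"}]
    elif trust_type == "signedBy":
        # One requirement per key: all requirements in a scope's list must hold,
        # so the image must carry a valid signature from every listed key.
        entry = [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": p}
                 for p in pubkeysfiles]
    else:
        # sigstoreSigned entry shape (type + keyPath) is assumed for this example.
        entry = [{"type": "sigstoreSigned", "keyPath": p} for p in pubkeysfiles]

    updated = copy.deepcopy(policy)     # never mutate the caller's policy in place
    if scope == "default":
        updated["default"] = entry
    else:
        updated.setdefault("transports", {}).setdefault(transport, {})[scope] = entry
    return updated


def apply_examples():
    """Replay the two EXAMPLES commands, then add a signedBy scope with two keys
    (constructed scope and key paths)."""
    policy = {"default": [{"type": "insecureAcceptAnything"}], "transports": {}}
    policy = trust_set(policy, "docker.io", "accept")        # set --type accept docker.io
    policy = trust_set(policy, "default", "reject")          # set -t reject default
    policy = trust_set(policy, "registry.example.com/team", "signedBy",
                       ["/etc/pki/containers/team-a.gpg", "/etc/pki/containers/team-b.gpg"])
    return policy


if __name__ == "__main__":
    print(json.dumps(apply_examples(), indent=2))
```

Because the default is switched to reject, any registry without its own scope is refused after the second call; only docker.io images and images signed by both team keys remain pullable from the resulting policy.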

show OPTIONS
--json, -j
Output trust as JSON for machine parsing.

--noheading, -n
Omit the table headings from the listing.

--raw
Output the trust policy file as raw JSON.

EXAMPLES
Accept all unsigned images from a registry

sudo podman image trust set --type accept docker.io

Modify default trust policy

sudo podman image trust set -t reject default

Display system trust policy

podman image trust show

TRANSPORT      NAME                        TYPE    ID                   STORE
all            default                     reject
repository     docker.io/library           accept
repository     registry.access.redhat.com  signed  security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
repository     registry.redhat.io          signed  security@redhat.com  https://registry.redhat.io/containers/sigstore
repository     docker.io                   reject
docker-daemon                              accept

Display trust policy file

podman image trust show --raw

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "docker.io": [
        {
          "type": "reject"
        }
      ],
      "docker.io/library": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}

Display trust as JSON

podman image trust show --json

[
  {
    "transport": "all",
    "name": "* (default)",
    "repo_name": "default",
    "type": "reject"
  },
  {
    "transport": "repository",
    "name": "docker.io",
    "repo_name": "docker.io",
    "type": "reject"
  },
  {
    "transport": "repository",
    "name": "docker.io/library",
    "repo_name": "docker.io/library",
    "type": "accept"
  },
  {
    "transport": "repository",
    "name": "registry.access.redhat.com",
    "repo_name": "registry.access.redhat.com",
    "sigstore": "https://access.redhat.com/webassets/docker/content/sigstore",
    "type": "signed",
    "gpg_id": "security@redhat.com"
  },
  {
    "transport": "repository",
    "name": "registry.redhat.io",
    "repo_name": "registry.redhat.io",
    "sigstore": "https://registry.redhat.io/containers/sigstore",
    "type": "signed",
    "gpg_id": "security@redhat.com"
  },
  {
    "transport": "docker-daemon",
    "type": "accept"
  }
]

SEE ALSO
containers-policy.json(5)

HISTORY
January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)
December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)

podman-image-trust(1)