github.com/containers/podman/v5@v5.1.0-rc1/docs/source/markdown/podman-image-trust.1.md.in

% podman-image-trust 1

## NAME
podman\-image\-trust - Manage container registry image trust policy

## SYNOPSIS
**podman image trust** set|show [*options*] *registry[/repository]*

## DESCRIPTION
Manages which registries to trust as a source of container images, based on the image's location. (This option is not available with the remote Podman client, including Mac and Windows (excluding WSL2) machines.)

The location is determined by the transport and the registry host of the image. Using the container image `docker://docker.io/library/busybox` as an example, `docker` is the transport and `docker.io` is the registry host.

Trust is defined in **/etc/containers/policy.json** and is enforced when a user attempts to pull a remote image from a registry. The trust policy in policy.json describes a registry scope (registry and/or repository) for the trust. This trust can use public keys for signed images.

The scope of the trust is evaluated from most specific to least specific. In other words, a policy may be:

* Defined for an entire registry.
* Defined for a particular repository in that registry.
* Defined for a specific signed image inside of the registry.

The following list gives examples of valid scope values used in policy.json, from most specific to least specific:

```
docker.io/library/busybox:notlatest
docker.io/library/busybox
docker.io/library
docker.io
```

If no configuration is found for any of these scopes, the default value (specified by using "default" instead of REGISTRY[/REPOSITORY]) is used.

Trust **type** provides a way to:

* Allowlist ("accept") or
* Denylist ("reject") registries, or
* Require a simple signing signature ("signedBy"), or
* Require a sigstore signature ("sigstoreSigned").
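As an added example (not part of this man page or of Podman's own code), the following Python models the most-specific-first scope lookup described above against the policy.json shown later in the EXAMPLES section. The `scope_candidates` and `resolve_policy` functions, the tag/digest splitting rule and the treatment of the empty `""` scope as transport-wide are simplifying assumptions made here; containers-policy.json(5) is authoritative for the real matching rules.

```python
import json

# Constructed sample: the policy.json shown under "podman image trust show --raw".
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io": [{"type": "reject"}],
      "docker.io/library": [{"type": "insecureAcceptAnything"}],
      "registry.access.redhat.com": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}
      ]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
""")


def scope_candidates(reference):
    """Scopes for a reference, most specific first (simplified model, assumed here):
    docker.io/library/busybox:notlatest -> [that, docker.io/library/busybox,
    docker.io/library, docker.io]. Digests follow '@', tags follow the last ':'."""
    candidates = [reference]
    repo = reference.split("@", 1)[0]
    head, sep, tail = repo.rpartition(":")
    if sep and "/" not in tail:  # a ':' inside the host part (host:5000) is a port
        repo = head
    if repo != reference:
        candidates.append(repo)
    parts = repo.split("/")
    while len(parts) > 1:  # walk up the path to the bare registry host
        parts.pop()
        candidates.append("/".join(parts))
    return candidates


def resolve_policy(policy, transport, reference):
    """Return (matched scope, requirement list). Falls back to the transport-wide
    '' scope (as for docker-daemon in the sample) and then to the top-level default."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in scope_candidates(reference):
        if scope in scopes:
            return scope, scopes[scope]
    if "" in scopes:
        return transport, scopes[""]
    return "default", policy["default"]
```

Note that `docker.io/library/busybox:notlatest` resolves to the `docker.io/library` scope (accept) even though the broader `docker.io` scope rejects, which is why a registry-wide reject must be checked together with the narrower entries beneath it.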
Trust may be updated using the command **podman image trust set** for an existing trust scope.

## OPTIONS
#### **--help**, **-h**
Print usage statement.

### set OPTIONS

#### **--pubkeysfile**, **-f**=*KEY1*
A path to an exported public key on the local system. Key paths are referenced in policy.json. Any path to a file may be used, but locating the file in **/etc/pki/containers** is recommended. The option may be used multiple times to require an image to be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** and **sigstoreSigned** types.

#### **--type**, **-t**=*value*
The trust type for this policy entry.
Accepted values:

* **signedBy** (default): Require simple signing signatures with corresponding list of public keys
* **sigstoreSigned**: Require sigstore signatures with corresponding list of public keys
* **accept**: do not require any signatures for this registry scope
* **reject**: do not accept images for this registry scope

### show OPTIONS

#### **--json**, **-j**
Output trust as JSON for machine parsing

@@option noheading

#### **--raw**
Output trust policy file as raw JSON

## EXAMPLES

Accept all unsigned images from a registry:
```
sudo podman image trust set --type accept docker.io
```

Modify default trust policy:
```
sudo podman image trust set -t reject default
```

Display system trust policy:
```
podman image trust show
TRANSPORT      NAME                          TYPE    ID                   STORE
all            default                       reject
repository     docker.io/library             accept
repository     registry.access.redhat.com    signed  security@redhat.com  https://access.redhat.com/webassets/docker/content/sigstore
repository     registry.redhat.io            signed  security@redhat.com  https://registry.redhat.io/containers/sigstore
repository     docker.io                     reject
docker-daemon                                accept
```

Display trust policy file:
```
podman image trust show --raw
{
    "default": [
        {
            "type": "reject"
        }
    ],
    "transports": {
        "docker": {
            "docker.io": [
                {
                    "type": "reject"
                }
            ],
            "docker.io/library": [
                {
                    "type": "insecureAcceptAnything"
                }
            ],
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ],
            "registry.redhat.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
}
```

Display trust as JSON:
```
podman image trust show --json
[
  {
    "transport": "all",
    "name": "* (default)",
    "repo_name": "default",
    "type": "reject"
  },
  {
    "transport": "repository",
    "name": "docker.io",
    "repo_name": "docker.io",
    "type": "reject"
  },
  {
    "transport": "repository",
    "name": "docker.io/library",
    "repo_name": "docker.io/library",
    "type": "accept"
  },
  {
    "transport": "repository",
    "name": "registry.access.redhat.com",
    "repo_name": "registry.access.redhat.com",
    "sigstore": "https://access.redhat.com/webassets/docker/content/sigstore",
    "type": "signed",
    "gpg_id": "security@redhat.com"
  },
  {
    "transport": "repository",
    "name": "registry.redhat.io",
    "repo_name": "registry.redhat.io",
    "sigstore": "https://registry.redhat.io/containers/sigstore",
    "type": "signed",
    "gpg_id": "security@redhat.com"
  },
  {
    "transport": "docker-daemon",
    "type": "accept"
  }
]
```

## SEE ALSO
**[containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md)**

## HISTORY
January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)
December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)