aboutsummaryrefslogtreecommitdiff
path: root/docs/source
diff options
context:
space:
mode:
authorMiloslav Trmač <mitr@redhat.com>2022-08-24 19:48:26 +0200
committerMiloslav Trmač <mitr@redhat.com>2022-08-25 01:50:43 +0200
commitff3f574fc0db5e442adfac54b86af7c462595ffc (patch)
tree4e9bafeb916dd200d1a120657e1e9e5afa558483 /docs/source
parent9828bc44534d6527d44351470d5f943281b7dfba (diff)
downloadpodman-ff3f574fc0db5e442adfac54b86af7c462595ffc.tar.gz
podman-ff3f574fc0db5e442adfac54b86af7c462595ffc.tar.bz2
podman-ff3f574fc0db5e442adfac54b86af7c462595ffc.zip
Add support for sigstoreSigned in (podman image trust set)
NOTE: This does not edit the use-sigstore-attachments value in registries.d, similarly to how (podman image trust set) didn't set the lookaside paths for simple signing. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Diffstat (limited to 'docs/source')
-rw-r--r--docs/source/markdown/podman-image-trust.1.md9
1 files changed, 6 insertions, 3 deletions
diff --git a/docs/source/markdown/podman-image-trust.1.md b/docs/source/markdown/podman-image-trust.1.md
index 4e80bdcf5..2a7da82cc 100644
--- a/docs/source/markdown/podman-image-trust.1.md
+++ b/docs/source/markdown/podman-image-trust.1.md
@@ -32,7 +32,8 @@ Trust **type** provides a way to:
Allowlist ("accept") or
Denylist ("reject") registries or
-Require signature (“signedBy”).
+Require a simple signing signature (“signedBy”),
+Require a sigstore signature ("sigstoreSigned").
Trust may be updated using the command **podman image trust set** for an existing trust scope.
@@ -45,12 +46,14 @@ Trust may be updated using the command **podman image trust set** for an existin
#### **--pubkeysfile**, **-f**=*KEY1*
A path to an exported public key on the local system. Key paths
will be referenced in policy.json. Any path to a file may be used but locating the file in **/etc/pki/containers** is recommended. Options may be used multiple times to
- require an image be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** type.
+ require an image be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** and **sigstoreSigned** types.
#### **--type**, **-t**=*value*
The trust type for this policy entry.
Accepted values:
- **signedBy** (default): Require signatures with corresponding list of
+ **signedBy** (default): Require simple signing signatures with corresponding list of
+ public keys
+ **sigstoreSigned**: Require sigstore signatures with corresponding list of
public keys
**accept**: do not require any signatures for this
registry scope