diff options
Diffstat (limited to 'docs/podman-image-trust.1.md')
| -rw-r--r-- | docs/podman-image-trust.1.md | 93 |
1 files changed, 0 insertions, 93 deletions
diff --git a/docs/podman-image-trust.1.md b/docs/podman-image-trust.1.md deleted file mode 100644 index 3fe4f7f52..000000000 --- a/docs/podman-image-trust.1.md +++ /dev/null @@ -1,93 +0,0 @@ -% podman-image-trust(1) - -## NAME -podman\-image\-trust - Manage container registry image trust policy - - -## SYNOPSIS -**podman image trust** set|show [*options*] *registry[/repository]* - -## DESCRIPTION -Manages which registries you trust as a source of container images based on its location. (Not available for remote commands) - -The location is determined -by the transport and the registry host of the image. Using this container image `docker://docker.io/library/busybox` -as an example, `docker` is the transport and `docker.io` is the registry host. - -Trust is defined in **/etc/containers/policy.json** and is enforced when a user attempts to pull -a remote image from a registry. The trust policy in policy.json describes a registry scope (registry and/or repository) for the trust. This trust can use public keys for signed images. - -The scope of the trust is evaluated from most specific to the least specific. In other words, a policy may be defined for an entire registry. Or it could be defined for a particular repository in that registry. Or it could be defined down to a specific signed image inside of the registry. - -For example, the following list includes valid scope values that could be used in policy.json from most specific to the least specific: - -docker.io/library/busybox:notlatest -docker.io/library/busybox -docker.io/library -docker.io - -If no configuration is found for any of these scopes, the default value (specified by using "default" instead of REGISTRY[/REPOSITORY]) is used. - -Trust **type** provides a way to: - -Whitelist ("accept") or -Blacklist ("reject") registries or -Require signature (“signedBy”). - -Trust may be updated using the command **podman image trust set** for an existing trust scope. - -## OPTIONS -**-h**, **--help** - Print usage statement. - -**-f**, **--pubkeysfile**=*KEY1* - A path to an exported public key on the local system. Key paths - will be referenced in policy.json. Any path to a file may be used but locating the file in **/etc/pki/containers** is recommended. Options may be used multiple times to - require an image be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** type. - -**-t**, **--type**=*value* - The trust type for this policy entry. - Accepted values: - **signedBy** (default): Require signatures with corresponding list of - public keys - **accept**: do not require any signatures for this - registry scope - **reject**: do not accept images for this registry scope - -## show OPTIONS - -**--raw** - Output trust policy file as raw JSON - -**-j**, **--json** - Output trust as JSON for machine parsing - -## EXAMPLES - -Accept all unsigned images from a registry - - sudo podman image trust set --type accept docker.io - -Modify default trust policy - - sudo podman image trust set -t reject default - -Display system trust policy - - sudo podman image trust show - -Display trust policy file - - sudo podman image trust show --raw - -Display trust as JSON - - sudo podman image trust show --json - -## SEE ALSO - -policy-json(5) - -## HISTORY -January 2019, updated by Tom Sweeney (tsweeney at redhat dot com) -December 2018, originally compiled by Qi Wang (qiwan at redhat dot com) |