summaryrefslogtreecommitdiff
path: root/docs/source/man/podman-image-trust.1.md
diff options
context:
space:
mode:
Diffstat (limited to 'docs/source/man/podman-image-trust.1.md')
-rw-r--r--docs/source/man/podman-image-trust.1.md93
1 files changed, 93 insertions, 0 deletions
diff --git a/docs/source/man/podman-image-trust.1.md b/docs/source/man/podman-image-trust.1.md
new file mode 100644
index 000000000..3fe4f7f52
--- /dev/null
+++ b/docs/source/man/podman-image-trust.1.md
@@ -0,0 +1,93 @@
+% podman-image-trust(1)
+
+## NAME
+podman\-image\-trust - Manage container registry image trust policy
+
+
+## SYNOPSIS
+**podman image trust** set|show [*options*] *registry[/repository]*
+
+## DESCRIPTION
+Manages which registries you trust as a source of container images based on its location. (Not available for remote commands)
+
+The location is determined
+by the transport and the registry host of the image. Using this container image `docker://docker.io/library/busybox`
+as an example, `docker` is the transport and `docker.io` is the registry host.
+
+Trust is defined in **/etc/containers/policy.json** and is enforced when a user attempts to pull
+a remote image from a registry. The trust policy in policy.json describes a registry scope (registry and/or repository) for the trust. This trust can use public keys for signed images.
+
+The scope of the trust is evaluated from most specific to the least specific. In other words, a policy may be defined for an entire registry. Or it could be defined for a particular repository in that registry. Or it could be defined down to a specific signed image inside of the registry.
+
+For example, the following list includes valid scope values that could be used in policy.json from most specific to the least specific:
+
+docker.io/library/busybox:notlatest
+docker.io/library/busybox
+docker.io/library
+docker.io
+
+If no configuration is found for any of these scopes, the default value (specified by using "default" instead of REGISTRY[/REPOSITORY]) is used.
+
+Trust **type** provides a way to:
+
+Whitelist ("accept") or
+Blacklist ("reject") registries or
+Require signature (“signedBy”).
+
+Trust may be updated using the command **podman image trust set** for an existing trust scope.
+
+## OPTIONS
+**-h**, **--help**
+ Print usage statement.
+
+**-f**, **--pubkeysfile**=*KEY1*
+ A path to an exported public key on the local system. Key paths
+ will be referenced in policy.json. Any path to a file may be used but locating the file in **/etc/pki/containers** is recommended. Options may be used multiple times to
+ require an image be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** type.
+
+**-t**, **--type**=*value*
+ The trust type for this policy entry.
+ Accepted values:
+ **signedBy** (default): Require signatures with corresponding list of
+ public keys
+ **accept**: do not require any signatures for this
+ registry scope
+ **reject**: do not accept images for this registry scope
+
+## show OPTIONS
+
+**--raw**
+ Output trust policy file as raw JSON
+
+**-j**, **--json**
+ Output trust as JSON for machine parsing
+
+## EXAMPLES
+
+Accept all unsigned images from a registry
+
+ sudo podman image trust set --type accept docker.io
+
+Modify default trust policy
+
+ sudo podman image trust set -t reject default
+
+Display system trust policy
+
+ sudo podman image trust show
+
+Display trust policy file
+
+ sudo podman image trust show --raw
+
+Display trust as JSON
+
+ sudo podman image trust show --json
+
+## SEE ALSO
+
+policy-json(5)
+
+## HISTORY
+January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)
+December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)