blob: b35e883d7715b80efe2b3684fd82773afac250f4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
% podman-image-trust(1)
## NAME
podman\-image\-trust - Manage container registry image trust policy
## SYNOPSIS
**podman image trust** set|show [*options*] *registry[/repository]*
## DESCRIPTION
Manages which registries you trust as a source of container images based on its location. The location is determined
by the transport and the registry host of the image. Using this container image `docker://docker.io/library/busybox`
as an example, `docker` is the transport and `docker.io` is the registry host.
Trust is defined in **/etc/containers/policy.json** and is enforced when a user attempts to pull
a remote image from a registry. The trust policy in policy.json describes a registry scope (registry and/or repository) for the trust. This trust can use public keys for signed images.
The scope of the trust is evaluated from most specific to the least specific. In other words, a policy may be defined for an entire registry. Or it could be defined for a particular repository in that registry. Or it could be defined down to a specific signed image inside of the registry.
For example, the following list includes valid scope values that could be used in policy.json from most specific to the least specific:
docker.io/library/busybox:notlatest
docker.io/library/busybox
docker.io/library
docker.io
If no configuration is found for any of these scopes, the default value (specified by using "default" instead of REGISTRY[/REPOSITORY]) is used.
Trust **type** provides a way to:
Whitelist ("accept") or
Blacklist ("reject") registries or
Require signature (“signedBy”).
Trust may be updated using the command **podman image trust set** for an existing trust scope.
## OPTIONS
**-h**, **--help**
Print usage statement.
**-f**, **--pubkeysfile**=*KEY1*
A path to an exported public key on the local system. Key paths
will be referenced in policy.json. Any path to a file may be used but locating the file in **/etc/pki/containers** is recommended. Options may be used multiple times to
require an image be signed by multiple keys. The **--pubkeysfile** option is required for the **signedBy** type.
**-t**, **--type**=*value*
The trust type for this policy entry.
Accepted values:
**signedBy** (default): Require signatures with corresponding list of
public keys
**accept**: do not require any signatures for this
registry scope
**reject**: do not accept images for this registry scope
## show OPTIONS
**--raw**
Output trust policy file as raw JSON
**-j**, **--json**
Output trust as JSON for machine parsing
## EXAMPLES
Accept all unsigned images from a registry
sudo podman image trust set --type accept docker.io
Modify default trust policy
sudo podman image trust set -t reject default
Display system trust policy
sudo podman image trust show
Display trust policy file
sudo podman image trust show --raw
Display trust as JSON
sudo podman image trust show --json
## SEE ALSO
policy-json(5)
## HISTORY
January 2019, updated by Tom Sweeney (tsweeney at redhat dot com)
December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)
|