% podman-image-trust(1)
podman-image-trust - Manage container registry image trust policy
podman image trust set|show [options] REGISTRY[/REPOSITORY]
Manages which registries you trust as a source of container images based on its location. The location is determined
by the transport and the registry host of the image. Using this container image docker://docker.io/library/busybox
as an example, docker
is the transport and docker.io
is the registry host.
Trust is defined in /etc/containers/policy.json and is enforced when a user attempts to pull a remote image from a registry. The trust policy in policy.json describes a registry scope (registry and/or repository) for the trust. This trust can use public keys for signed images.
The scope of the trust is evaluated from most specific to the least specific. In other words, a policy may be defined for an entire registry. Or it could be defined for a particular repository in that registry. Or it could be defined down to a specific signed image inside of the registry.
For example, the following list includes valid scope values that could be used in policy.json from most specific to the least specific:
docker.io/library/busybox:notlatest docker.io/library/busybox docker.io/library docker.io
If no configuration is found for any of these scopes, the default value (specified by using "default" instead of REGISTRY[/REPOSITORY]) is used.
Trust type provides a way to:
Whitelist ("accept") or Blacklist ("reject") registries or Require signature (“signedBy”).
Trust may be updated using the command podman image trust set for an existing trust scope.
-h, --help Print usage statement.
-f, --pubkeysfile=KEY1 A path to an exported public key on the local system. Key paths will be referenced in policy.json. Any path to a file may be used but locating the file in /etc/pki/containers is recommended. Options may be used multiple times to require an image be signed by multiple keys. The --pubkeysfile option is required for the signedBy type.
-t, --type=value The trust type for this policy entry. Accepted values: signedBy (default): Require signatures with corresponding list of public keys accept: do not require any signatures for this registry scope reject: do not accept images for this registry scope
--raw Output trust policy file as raw JSON
-j, --json Output trust as JSON for machine parsing
Accept all unsigned images from a registry
sudo podman image trust set --type accept docker.io
Modify default trust policy
sudo podman image trust set -t reject default
Display system trust policy
sudo podman image trust show
Display trust policy file
sudo podman image trust show --raw
Display trust as JSON
sudo podman image trust show --json
policy-json(5)
January 2019, updated by Tom Sweeney (tsweeney at redhat dot com) December 2018, originally compiled by Qi Wang (qiwan at redhat dot com)