bafb64
% CONTAINERS-POLICY.JSON 5 policy.json Man Page
a415a1
% Miloslav Trmač
a415a1
% September 2016
a415a1
a415a1
# NAME
a415a1
containers-policy.json - syntax for the signature verification policy file
a415a1
a415a1
## DESCRIPTION
a415a1
a415a1
Signature verification policy files are used to specify policy, e.g. trusted keys,
a415a1
applicable when deciding whether to accept an image, or individual signatures of that image, as valid.
a415a1
a415a1
By default, the policy is read from `$HOME/.config/containers/policy.json`, if it exists, otherwise from `/etc/containers/policy.json`;  applications performing verification may allow using a different policy instead.
a415a1
a415a1
## FORMAT
a415a1
a415a1
The signature verification policy file, usually called `policy.json`,
a415a1
uses a JSON format.  Unlike some other JSON files, its parsing is fairly strict:
a415a1
unrecognized, duplicated or otherwise invalid fields cause the entire file,
a415a1
and usually the entire operation, to be rejected.
a415a1
a415a1
The purpose of the policy file is to define a set of *policy requirements* for a container image,
a415a1
usually depending on its location (where it is being pulled from) or otherwise defined identity.
a415a1
a415a1
Policy requirements can be defined for:
a415a1
a415a1
- An individual *scope* in a *transport*.
a415a1
  The *transport* values are the same as the transport prefixes when pushing/pulling images (e.g. `docker:`, `atomic:`),
a415a1
  and *scope* values are defined by each transport; see below for more details.
a415a1
a415a1
  Usually, a scope can be defined to match a single image, and various prefixes of
a415a1
  such a most specific scope define namespaces of matching images.
5f1c70
a415a1
- A default policy for a single transport, expressed using an empty string as a scope
5f1c70
a415a1
- A global default policy.
a415a1
a415a1
If multiple policy requirements match a given image, only the requirements from the most specific match apply,
a415a1
the more general policy requirements definitions are ignored.
a415a1
a415a1
This is expressed in JSON using the top-level syntax
a415a1
```js
a415a1
{
a415a1
    "default": [/* policy requirements: global default */]
a415a1
    "transports": {
a415a1
        transport_name: {
a415a1
            "": [/* policy requirements: default for transport $transport_name */],
a415a1
            scope_1: [/* policy requirements: default for $scope_1 in $transport_name */],
a415a1
            scope_2: [/*…*/]
a415a1
            /*…*/
a415a1
        },
a415a1
        transport_name_2: {/*…*/}
a415a1
        /*…*/
a415a1
    }
a415a1
}
a415a1
```
a415a1
a415a1
The global `default` set of policy requirements is mandatory; all of the other fields
a415a1
(`transports` itself, any specific transport, the transport-specific default, etc.) are optional.
a415a1
a415a1
a415a1
## Supported transports and their scopes
a415a1
a415a1
### `atomic:`
a415a1
a415a1
The `atomic:` transport refers to images in an Atomic Registry.
a415a1
a415a1
Supported scopes use the form _hostname_[`:`_port_][`/`_namespace_[`/`_imagestream_ [`:`_tag_]]],
a415a1
i.e. either specifying a complete name of a tagged image, or prefix denoting
a415a1
a host/namespace/image stream or a wildcarded expression for matching all
a415a1
subdomains. For wildcarded subdomain matching, `*.example.com` is a valid case, but `example*.*.com` is not.
a415a1
a415a1
*Note:* The _hostname_ and _port_ refer to the container registry host and port (the one used
a415a1
e.g. for `docker pull`), _not_ to the OpenShift API host and port.
a415a1
a415a1
### `dir:`
a415a1
a415a1
The `dir:` transport refers to images stored in local directories.
a415a1
a415a1
Supported scopes are paths of directories (either containing a single image or
a415a1
subdirectories possibly containing images).
a415a1
a415a1
*Note:* The paths must be absolute and contain no symlinks. Paths violating these requirements may be silently ignored.
a415a1
a415a1
The top-level scope `"/"` is forbidden; use the transport default scope `""`,
a415a1
for consistency with other transports.
a415a1
a415a1
### `docker:`
a415a1
a415a1
The `docker:` transport refers to images in a registry implementing the "Docker Registry HTTP API V2".
a415a1
a415a1
Scopes matching individual images are named Docker references *in the fully expanded form*, either
a415a1
using a tag or digest. For example, `docker.io/library/busybox:latest` (*not* `busybox:latest`).
a415a1
a415a1
More general scopes are prefixes of individual-image scopes, and specify a repository (by omitting the tag or digest),
a415a1
a repository namespace, or a registry host (by only specifying the host name)
a415a1
or a wildcarded expression for matching all subdomains. For wildcarded subdomain
a415a1
matching, `*.example.com` is a valid case, but `example*.*.com` is not.
a415a1
a415a1
### `oci:`
a415a1
a415a1
The `oci:` transport refers to images in directories compliant with "Open Container Image Layout Specification".
a415a1
a415a1
Supported scopes use the form _directory_`:`_tag_, and _directory_ referring to
a415a1
a directory containing one or more tags, or any of the parent directories.
a415a1
a415a1
*Note:* See `dir:` above for semantics and restrictions on the directory paths, they apply to `oci:` equivalently.
a415a1
a415a1
### `tarball:`
a415a1
a415a1
The `tarball:` transport refers to tarred up container root filesystems.
a415a1
a415a1
Scopes are ignored.
a415a1
a415a1
## Policy Requirements
a415a1
a415a1
Using the mechanisms above, a set of policy requirements is looked up.  The policy requirements
a415a1
are represented as a JSON array of individual requirement objects.  For an image to be accepted,
a415a1
*all* of the requirements must be satisfied simultaneously.
a415a1
a415a1
The policy requirements can also be used to decide whether an individual signature is accepted (= is signed by a recognized key of a known author);
a415a1
in that case some requirements may apply only to some signatures, but each signature must be accepted by *at least one* requirement object.
a415a1
a415a1
The following requirement objects are supported:
a415a1
a415a1
### `insecureAcceptAnything`
a415a1
a415a1
A simple requirement with the following syntax
a415a1
a415a1
```json
a415a1
{"type":"insecureAcceptAnything"}
a415a1
```
a415a1
a415a1
This requirement accepts any image (but note that other requirements in the array still apply).
a415a1
a415a1
When deciding to accept an individual signature, this requirement does not have any effect; it does *not* cause the signature to be accepted, though.
a415a1
a415a1
This is useful primarily for policy scopes where no signature verification is required;
a415a1
because the array of policy requirements must not be empty, this requirement is used
a415a1
to represent the lack of requirements explicitly.
a415a1
a415a1
### `reject`
a415a1
a415a1
A simple requirement with the following syntax:
a415a1
a415a1
```json
a415a1
{"type":"reject"}
a415a1
```
a415a1
a415a1
This requirement rejects every image, and every signature.
a415a1
a415a1
### `signedBy`
a415a1
893b01
This requirement requires an image to be signed using “simple signing” with an expected identity, or accepts a signature if it is using an expected identity and key.
a415a1
a415a1
```js
a415a1
{
a415a1
    "type":    "signedBy",
a415a1
    "keyType": "GPGKeys", /* The only currently supported value */
a415a1
    "keyPath": "/path/to/local/keyring/file",
893b01
    "keyPaths": ["/path/to/local/keyring/file1","/path/to/local/keyring/file2"…],
a415a1
    "keyData": "base64-encoded-keyring-data",
a415a1
    "signedIdentity": identity_requirement
a415a1
}
a415a1
```
a415a1
a415a1
893b01
Exactly one of `keyPath`, `keyPaths` and `keyData` must be present, containing a GPG keyring of one or more public keys.  Only signatures made by these keys are accepted.
a415a1
a415a1
The `signedIdentity` field, a JSON object, specifies what image identity the signature claims about the image.
a415a1
One of the following alternatives are supported:
a415a1
a415a1
- The identity in the signature must exactly match the image identity.  Note that with this, referencing an image by digest (with a signature claiming a _repository_`:`_tag_ identity) will fail.
a415a1
a415a1
  ```json
a415a1
  {"type":"matchExact"}
a415a1
  ```
a415a1
- If the image identity carries a tag, the identity in the signature must exactly match;
a415a1
  if the image identity uses a digest reference, the identity in the signature must be in the same repository as the image identity (using any tag).
a415a1
a415a1
  (Note that with images identified using digest references, the digest from the reference is validated even before signature verification starts.)
a415a1
a415a1
  ```json
a415a1
  {"type":"matchRepoDigestOrExact"}
a415a1
  ```
a415a1
- The identity in the signature must be in the same repository as the image identity.  This is useful e.g. to pull an image using the `:latest` tag when the image is signed with a tag specifying an exact image version.
a415a1
a415a1
  ```json
a415a1
  {"type":"matchRepository"}
a415a1
  ```
a415a1
- The identity in the signature must exactly match a specified identity.
a415a1
  This is useful e.g. when locally mirroring images signed using their public identity.
a415a1
a415a1
  ```js
a415a1
  {
a415a1
      "type": "exactReference",
a415a1
      "dockerReference": docker_reference_value
a415a1
  }
a415a1
  ```
a415a1
- The identity in the signature must be in the same repository as a specified identity.
a415a1
  This combines the properties of `matchRepository` and `exactReference`.
a415a1
a415a1
  ```js
a415a1
  {
a415a1
      "type": "exactRepository",
a415a1
      "dockerRepository": docker_repository_value
a415a1
  }
a415a1
  ```
a415a1
- Prefix remapping:
a415a1
a415a1
  If the image identity matches the specified prefix, that prefix is replaced by the specified “signed prefix”
a415a1
  (otherwise it is used as unchanged and no remapping takes place);
a415a1
  matching then follows the `matchRepoDigestOrExact` semantics documented above
a415a1
  (i.e. if the image identity carries a tag, the identity in the signature must exactly match,
a415a1
  if it uses a digest reference, the repository must match).
a415a1
a415a1
  The `prefix` and `signedPrefix` values can be either host[:port] values
a415a1
  (matching exactly the same host[:port], string),
a415a1
  repository namespaces, or repositories (i.e. they must not contain tags/digests),
a415a1
  and match as prefixes *of the fully expanded form*.
a415a1
  For example, `docker.io/library/busybox` (*not* `busybox`) to specify that single repository,
a415a1
  or `docker.io/library` (not an empty string) to specify the parent namespace of `docker.io/library/busybox`==`busybox`).
a415a1
a415a1
  The `prefix` value is usually the same as the scope containing the parent `signedBy` requirement.
a415a1
a415a1
  ```js
a415a1
  {
a415a1
      "type": "remapIdentity",
a415a1
      "prefix": prefix,
a415a1
      "signedPrefix": prefix,
a415a1
  }
a415a1
  ```
a415a1
a415a1
If the `signedIdentity` field is missing, it is treated as `matchRepoDigestOrExact`.
a415a1
a415a1
*Note*: `matchExact`, `matchRepoDigestOrExact` and `matchRepository` can be only used if a Docker-like image identity is
a415a1
provided by the transport.  In particular, the `dir:` and `oci:` transports can be only
a415a1
used with `exactReference` or `exactRepository`.
a415a1
a415a1
a415a1
893b01
893b01
### `sigstoreSigned`
893b01
893b01
This requirement requires an image to be signed using a sigstore signature with an expected identity and key.
893b01
893b01
```js
893b01
{
893b01
    "type":    "sigstoreSigned",
5f1c70
    "keyPath": "/path/to/local/public/key/file",
5f1c70
    "keyData": "base64-encoded-public-key-data",
5f1c70
    "fulcio": {
5f1c70
        "caPath": "/path/to/local/CA/file",
5f1c70
        "caData": "base64-encoded-CA-data",
5f1c70
        "oidcIssuer": "https://expected.OIDC.issuer/",
5f1c70
        "subjectEmail", "expected-signing-user@example.com",
5f1c70
    },
5f1c70
    "rekorPublicKeyPath": "/path/to/local/public/key/file",
5f1c70
    "rekorPublicKeyData": "base64-encoded-public-key-data",
893b01
    "signedIdentity": identity_requirement
893b01
}
893b01
```
5f1c70
Exactly one of `keyPath`, `keyData` and `fulcio` must be present.
5f1c70
5f1c70
If `keyPath` or `keyData` is present, it contains a sigstore public key.
5f1c70
Only signatures made by this key are accepted.
5f1c70
5f1c70
If `fulcio` is present, the signature must be based on a Fulcio-issued certificate.
5f1c70
One of `caPath` and `caData` must be specified, containing the public key of the Fulcio instance.
5f1c70
Both `oidcIssuer` and `subjectEmail` are mandatory,
5f1c70
exactly specifying the expected identity provider,
5f1c70
and the identity of the user obtaining the Fulcio certificate.
5f1c70
5f1c70
At most one of `rekorPublicKeyPath` and `rekorPublicKeyData` can be present;
5f1c70
it is mandatory if `fulcio` is specified.
5f1c70
If a Rekor public key is specified,
5f1c70
the signature must have been uploaded to a Rekor server
5f1c70
and the signature must contain an (offline-verifiable) “signed entry timestamp”
5f1c70
proving the existence of the Rekor log record,
5f1c70
signed by the provided public key.
893b01
893b01
The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
893b01
Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).
893b01
893b01
To use this with images hosted on image registries, the relevant registry or repository must have the `use-sigstore-attachments` option enabled in containers-registries.d(5).
893b01
a415a1
## Examples
a415a1
a415a1
It is *strongly* recommended to set the `default` policy to `reject`, and then
a415a1
selectively allow individual transports and scopes as desired.
a415a1
a415a1
### A reasonably locked-down system
a415a1
a415a1
(Note that the `/*`…`*/` comments are not valid in JSON, and must not be used in real policies.)
a415a1
a415a1
```js
a415a1
{
a415a1
    "default": [{"type": "reject"}], /* Reject anything not explicitly allowed */
a415a1
    "transports": {
a415a1
        "docker": {
a415a1
            /* Allow installing images from a specific repository namespace, without cryptographic verification.
a415a1
               This namespace includes images like openshift/hello-openshift and openshift/origin. */
a415a1
            "docker.io/openshift": [{"type": "insecureAcceptAnything"}],
a415a1
            /* Similarly, allow installing the “official” busybox images.  Note how the fully expanded
a415a1
               form, with the explicit /library/, must be used. */
893b01
            "docker.io/library/busybox": [{"type": "insecureAcceptAnything"}],
a415a1
            /* Allow installing images from all subdomains */
893b01
            "*.temporary-project.example.com": [{"type": "insecureAcceptAnything"}],
893b01
            /* A sigstore-signed repository */
893b01
            "hostname:5000/myns/sigstore-signed-with-full-references": [
893b01
                {
893b01
                    "type": "sigstoreSigned",
893b01
                    "keyPath": "/path/to/sigstore-pubkey.pub"
893b01
                }
893b01
            ],
5f1c70
            /* A sigstore-signed repository using the community Fulcio+Rekor servers.
5f1c70
5f1c70
               The community servers’ public keys can be obtained from
5f1c70
               https://github.com/sigstore/sigstore/tree/main/pkg/tuf/repository/targets .  */
5f1c70
            "hostname:5000/myns/sigstore-signed-fulcio-rekor": [
5f1c70
                {
5f1c70
                    "type": "sigstoreSigned",
5f1c70
                    "fulcio": {
5f1c70
                        "caPath": "/path/to/fulcio_v1.crt.pem",
5f1c70
                        "oidcIssuer": "https://github.com/login/oauth",
5f1c70
                        "subjectEmail": "test-user@example.com"
5f1c70
                    },
5f1c70
                    "rekorPublicKeyPath": "/path/to/rekor.pub",
5f1c70
                }
5f1c70
            ],
893b01
            /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
893b01
            "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
893b01
                {
893b01
                    "type": "sigstoreSigned",
893b01
                    "keyPath": "/path/to/sigstore-pubkey.pub",
893b01
                    "signedIdentity": {"type": "matchRepository"}
893b01
                }
5f1c70
            ],
5f1c70
            /* A sigstore-signed repository using the community Fulcio+Rekor servers,
5f1c70
               accepts signatures by /usr/bin/cosign.
5f1c70
5f1c70
               The community servers’ public keys can be obtained from
5f1c70
               https://github.com/sigstore/sigstore/tree/main/pkg/tuf/repository/targets .  */
5f1c70
            "hostname:5000/myns/sigstore-signed-fulcio-rekor- allows-malicious-tag-substitution": [
5f1c70
                {
5f1c70
                    "type": "sigstoreSigned",
5f1c70
                    "fulcio": {
5f1c70
                        "caPath": "/path/to/fulcio_v1.crt.pem",
5f1c70
                        "oidcIssuer": "https://github.com/login/oauth",
5f1c70
                        "subjectEmail": "test-user@example.com"
5f1c70
                    },
5f1c70
                    "rekorPublicKeyPath": "/path/to/rekor.pub",
5f1c70
                    "signedIdentity": { "type": "matchRepository" }
5f1c70
                }
893b01
            ]
5f1c70
              /* Other docker: images use the global default policy and are rejected */
a415a1
        },
a415a1
        "dir": {
a415a1
            "": [{"type": "insecureAcceptAnything"}] /* Allow any images originating in local directories */
a415a1
        },
a415a1
        "atomic": {
a415a1
            /* The common case: using a known key for a repository or set of repositories */
a415a1
            "hostname:5000/myns/official": [
a415a1
                {
a415a1
                    "type": "signedBy",
a415a1
                    "keyType": "GPGKeys",
a415a1
                    "keyPath": "/path/to/official-pubkey.gpg"
a415a1
                }
a415a1
            ],
a415a1
            /* A more complex example, for a repository which contains a mirror of a third-party product,
a415a1
               which must be signed-off by local IT */
a415a1
            "hostname:5000/vendor/product": [
a415a1
                { /* Require the image to be signed by the original vendor, using the vendor's repository location. */
a415a1
                    "type": "signedBy",
a415a1
                    "keyType": "GPGKeys",
a415a1
                    "keyPath": "/path/to/vendor-pubkey.gpg",
a415a1
                    "signedIdentity": {
a415a1
                        "type": "exactRepository",
a415a1
                        "dockerRepository": "vendor-hostname/product/repository"
a415a1
                    }
a415a1
                },
a415a1
                { /* Require the image to _also_ be signed by a local reviewer. */
a415a1
                    "type": "signedBy",
a415a1
                    "keyType": "GPGKeys",
a415a1
                    "keyPath": "/path/to/reviewer-pubkey.gpg"
a415a1
                }
a415a1
            ],
a415a1
            /* A way to mirror many repositories from a single vendor */
a415a1
            "private-mirror:5000/vendor-mirror": [
a415a1
                { /* Require the image to be signed by the original vendor, using the vendor's repository location.
a415a1
                     For example, private-mirror:5000/vendor-mirror/productA/image1:latest needs to be signed as
a415a1
                     vendor.example/productA/image1:latest . */
a415a1
                    "type": "signedBy",
a415a1
                    "keyType": "GPGKeys",
a415a1
                    "keyPath": "/path/to/vendor-pubkey.gpg",
a415a1
                    "signedIdentity": {
a415a1
                        "type": "remapIdentity",
a415a1
                        "prefix": "private-mirror:5000/vendor-mirror",
893b01
                        "signedPrefix": "vendor.example.com"
a415a1
                    }
a415a1
                }
a415a1
            ]
a415a1
        }
a415a1
    }
a415a1
}
a415a1
```
a415a1
a415a1
### Completely disable security, allow all images, do not trust any signatures
a415a1
a415a1
```json
a415a1
{
a415a1
    "default": [{"type": "insecureAcceptAnything"}]
a415a1
}
a415a1
```
a415a1
## SEE ALSO
a415a1
  atomic(1)
a415a1
a415a1
## HISTORY
a415a1
August 2018, Rename to containers-policy.json(5) by Valentin Rothberg <vrothberg@suse.com>
a415a1
a415a1
September 2016, Originally compiled by Miloslav Trmač <mitr@redhat.com>