Verify signatures from a trust store

Add the ability to use an on-disk trust store to verify signatures. Also allow the user to trust any known fingerprint instead of having to specify one.

Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
James Hewitt
2023-03-24 15:19:15 +00:00
parent d08bf21367
commit 3097b7a4e9
5 changed files with 47 additions and 7 deletions


@@ -16,7 +16,7 @@ as per containers-policy.json(5).
_docker-reference_ A docker reference expected to identify the image in the signature
_key-fingerprint_ Expected identity of the signing key
_key-fingerprint_ Expected identity of the signing key, or "any" to trust any known key
_signature_ Path to signature file
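Review bot: The new _key-fingerprint_ description leaves "known" undefined and does not say what passing "any" gives up. As written, "any" drops the expected-identity check, so a successful verification only shows that the signature was made by some key in the keyring in use, not by a particular signer. Suggest spelling that out, for example: 'or "any" to accept a signature made by any key in the trust store (or in gpg home when --truststore is not given)', and adding a sentence that a specific fingerprint should be passed when a single signer is expected.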
@@ -28,6 +28,10 @@ as per containers-policy.json(5).
Print usage statement
**--truststore** _truststore_
Trust store of public keys to use when verifying signatures. If this is not specified, keys from gpg home are used.
## EXAMPLES
```console