I think there are actually two problems. Firstly, atomic is generating the wrong digest for the manifest, and skopeo omits the tag from the location it looks for. My understanding was the tag is required. If not, then they are both in atomic.
The fix for the incorrect digest is -> https://github.com/projectatomic/atomic/pull/737
Comment 3 David Darrah / Red Hat QE
2016-10-27 22:29:33 UTC
With the changes from comment 2, I am still seeing a different digest from atomic than from skopeo.
atomic sign produces
Created: /var/lib/atomic/sigstore/docker.io/library/busybox:latest@sha256:1166b2969d8c3916f290c82773934337bbac373866c177a2a0bd3e2b313b1501/signature-1
skopeo inspect produces
"Digest": "sha256:29f5d56d12684887bdfa50dcd29fc31eea4aaf4ad3bec43daf19026a7ce69912",
Description of problem:
When signing a remote image with atomic (e.g. on docker.io), a different sha256 hash is generated than when pulling and verifying.

Version-Release number of selected component (if applicable):
atomic 1.13.1
skopeo 0.1.17

How reproducible:
100%

Steps to Reproduce:
Setup: local http server running in a container mounting /var/lib/atomic/sigstore into htdocs

[root@rhel-73 registries.d]# atomic --debug sign --sign-by ddarrah docker.io/library/busybox:latest
Namespace(_class=<class 'Atomic.sign.Sign'>, assumeyes=False, debug=True, func='sign', gnupghome='/root/.gnupg', images=['docker.io/library/busybox:latest'], sign_by='ddarrah', signature_path=None)
[
  { "search": true, "hostname": "registry-1.docker.io", "name": "docker.io", "secure": true },
  { "search": true, "hostname": "localhost:5000", "name": "localhost:5000", "secure": false },
  { "search": true, "hostname": "registry.access.stage.redhat.com", "name": "registry.access.stage.redhat.com", "secure": false },
  { "search": true, "hostname": "registry.access.redhat.com", "name": "registry.access.redhat.com", "secure": true },
  { "search": true, "hostname": "192.168.124.215:5000", "name": "192.168.124.215:5000", "secure": false },
  { "search": true, "hostname": "atomic-registry.usersys.redhat.com:5000", "name": "atomic-registry.usersys.redhat.com:5000", "secure": false }
]
Created: /var/lib/atomic/sigstore/docker.io/library/busybox:latest@sha256:74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b/signature-6

[root@rhel-73 registries.d]# curl http://192.168.124.215/sigstore/docker.io/library/busybox:latest@sha256:74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b/
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /sigstore/docker.io/library/busybox:latest@sha256:74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b</title>
 </head>
 <body>
<h1>Index of /sigstore/docker.io/library/busybox:latest@sha256:74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b</h1>
<ul><li><a href="/sigstore/docker.io/library/"> Parent Directory</a></li>
<li><a href="signature-1"> signature-1</a></li>
<li><a href="signature-2"> signature-2</a></li>
<li><a href="signature-3"> signature-3</a></li>
<li><a href="signature-4"> signature-4</a></li>
<li><a href="signature-5"> signature-5</a></li>
<li><a href="signature-6"> signature-6</a></li>
</ul>
</body></html>

[root@rhel-73 registries.d]# cat docker.io.yaml
docker:
  docker.io:
    sigstore: http://192.168.124.215/sigstore/
    sigstore-staging: file:///var/lib/atomic/sigstore

[root@rhel-73 registries.d]# cd ..
[root@rhel-73 containers]# cat policy.json
{
  "default": [
    { "type": "insecureAcceptAnything" }
  ],
  "transports": {
    "docker": {
      "docker.io": [
        { "keyType": "GPGKeys", "type": "signedBy", "keyPath": "/etc/containers/ddarrah.key" }
      ]
    },
    "atomic": {
      "192.168.124.215:5000": [
        { "keyType": "GPGKeys", "type": "signedBy", "keyPath": "/etc/containers/ddarrah.key" }
      ]
    },
    "dir": {}
  }
}

[root@rhel-73 containers]# atomic --debug pull docker.io/library/busybox
Image docker.io/library/busybox is being pulled to docker ...
+++++++++++++++++++++++++++++++++++++++++++docker.io +++++++++++++++++++++++++++++docker.io +++++++++++++++++++++++++++++localhost +++++++++++++++++++++++++++++registry.access.stage.redhat.com +++++++++++++++++++++++++++++atomic-registry.usersys.redhat.com
Pulling docker.io/library/busybox:latest ...
Executing: /usr/bin/skopeo --debug copy --remove-signatures docker://docker.io/library/busybox:latest docker-daemon:docker.io/library/busybox:latest
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000] Using "docker" namespace docker.io
DEBU[0000] Using http://192.168.124.215/sigstore/
DEBU[0000] IsRunningImageAllowed for image docker:docker.io/library/busybox:latest
DEBU[0000] Using transport "docker" specific policy section docker.io
DEBU[0000] GET https://registry-1.docker.io/v2/
DEBU[0000] Ping https://registry-1.docker.io/v2/ err <nil>
DEBU[0000] Ping https://registry-1.docker.io/v2/ status 401
DEBU[0000] GET https://registry-1.docker.io/v2/library/busybox/manifests/latest
DEBU[0000] GET http://192.168.124.215/sigstore//docker.io/library/busybox@sha256:29f5d56d12684887bdfa50dcd29fc31eea4aaf4ad3bec43daf19026a7ce69912/signature-1
DEBU[0000] Requirement 0: denied, done
DEBU[0000] docker-daemon: Closing tar stream to abort loading
FATA[0000] Source image rejected: A signature was required, but no signature exists
Traceback (most recent call last):
  File "/bin/atomic", line 186, in <module>
    sys.exit(_func())
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 65, in pull_image
    handler()
  File "/usr/lib/python2.7/site-packages/Atomic/pull.py", line 53, in pull_docker_image
    policy_filename=self.policy_filename)
  File "/usr/lib/python2.7/site-packages/Atomic/util.py", line 405, in skopeo_copy
    return check_call(cmd)
  File "/usr/lib/python2.7/site-packages/Atomic/util.py", line 170, in check_call
    return subprocess.check_call(cmd, env=env, stdin=stdin, stderr=stderr, stdout=stdout, close_fds=True)
  File "/usr/lib64/python2.7/subprocess.py", line 542, in check_call
    raise CalledProcessError(retcode, cmd)
CalledProcessError: Command '['/usr/bin/skopeo', '--debug', 'copy', '--remove-signatures', 'docker://docker.io/library/busybox:latest', 'docker-daemon:docker.io/library/busybox:latest']' returned non-zero exit status 1
[root@rhel-73 containers]#

Actual results:
Pull fails signature check.

Expected results:
Signed image should pull successfully.

Additional info:
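Both the "two problems" named in the comment above and the failing pull in the report come down to the same pair of things: which bytes the signer hashes, and which path the consumer looks the signature up at. The Python below is an added illustration, not atomic's or skopeo's code. It assumes the sigstore layout `<base>/<repo>@<digest>/signature-<n>` visible in the URLs on this page, uses a constructed manifest, and takes a JSON re-serialization before hashing as an assumed, illustrative way a signer can drift from the registry's digest.

```python
import hashlib
import json

# Constructed sample manifest bytes (not the real busybox manifest). The registry
# serves exactly these bytes and its digest is computed over them, whitespace included.
RAW_MANIFEST = (
    b'{\n'
    b'   "schemaVersion": 2,\n'
    b'   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",\n'
    b'   "config": {"mediaType": "application/vnd.docker.container.image.v1+json",\n'
    b'              "size": 1459, "digest": "sha256:constructed-config-digest"}\n'
    b'}\n'
)

def manifest_digest(raw: bytes) -> str:
    """Digest the registry and skopeo agree on: sha256 over the untouched bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def reserialized_digest(raw: bytes) -> str:
    """Assumed faulty signer: hash after a json.loads/json.dumps round-trip. The
    whitespace and key layout are no longer the registry's, so the hash changes."""
    return "sha256:" + hashlib.sha256(json.dumps(json.loads(raw)).encode()).hexdigest()

def strip_tag(ref: str) -> str:
    """'docker.io/library/busybox:latest' -> 'docker.io/library/busybox'.
    A registry port ('host:5000/repo') is not a tag and is kept."""
    name, sep, tail = ref.rpartition(":")
    return name if sep and "/" not in tail else ref

def signature_url(sigstore: str, ref: str, digest: str, n: int, keep_tag: bool = False) -> str:
    """Sigstore path <base>/<repo>@<digest>/signature-<n>. The consumer strips the
    tag; keep_tag=True reproduces the tagged path seen under 'Created:' above."""
    repo = ref if keep_tag else strip_tag(ref)
    return f"{sigstore.rstrip('/')}/{repo}@{digest}/signature-{n}"

def find_signature(published: set, sigstore: str, ref: str, digest: str, max_n: int = 10):
    """Consumer-side lookup: first signature-N present at the untagged, raw-digest path."""
    for n in range(1, max_n + 1):
        url = signature_url(sigstore, ref, digest, n)
        if url in published:
            return url
    return None

def demo():
    sigstore = "http://192.168.124.215/sigstore/"   # the sigstore from docker.io.yaml above
    ref = "docker.io/library/busybox:latest"
    # Signer publishes under a re-serialized digest and a tagged path: consumer finds nothing.
    drifted = {signature_url(sigstore, ref, reserialized_digest(RAW_MANIFEST), 1, keep_tag=True)}
    broken = find_signature(drifted, sigstore, ref, manifest_digest(RAW_MANIFEST))
    # Signer publishes under the raw-bytes digest and untagged path: consumer finds it.
    canonical = {signature_url(sigstore, ref, manifest_digest(RAW_MANIFEST), 1)}
    ok = find_signature(canonical, sigstore, ref, manifest_digest(RAW_MANIFEST))
    return broken, ok
```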