Bug 1461324

Summary: oadm verify-image-signature will remove all the signatures' subitems when a wrong 'expected-identity' is used
Product: OpenShift Container Platform
Reporter: zhou ying <yinzhou>
Component: Image Registry
Assignee: Jan Wozniak <jwozniak>
Status: CLOSED NOTABUG
QA Contact: ge liu <geliu>
Severity: low
Priority: low
Version: 3.6.0
CC: aos-bugs, bparees, dyan, mfojtik
Target Milestone: ---
Target Release: 3.7.0
Hardware: Unspecified
OS: Unspecified
Story Points: ---
Last Closed: 2018-06-29 14:56:28 UTC
Type: Bug
Regression: ---

Description zhou ying 2017-06-14 08:38:29 UTC
Description of problem:
The image was signed using the registry route. When the command 'oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk' is then used with the registry service, it removes all the signatures' subitems.

Version-Release number of selected component (if applicable):
openshift v3.6.105
kubernetes v1.6.1+5115d708d7
etcd 3.2.0-rc.1

How reproducible:
always

Steps to Reproduce:
1. Log in to OpenShift and create a project;
2. Use this command to sign and push the image to the project:
  `skopeo copy  --sign-by 215FF0D3C5B13412  --dest-creds zhouy:fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest`
3. Use this command to verify the image:
  `oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=172.30.157.120:5000/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk`

4. Try to sign and push the image again.

Actual results:
3. All the signatures' subitems are removed when a wrong 'expected-identity' is used with the 'oadm verify-image-signature' command:
oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=172.30.157.120:5000/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --save
error verifying signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b@357bd8ae5b86f0d46ea2bae6cc6a573f for image sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b (verification status will be removed): signature rejected: Signature for identity docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest is not accepted

4. Signing the image failed:
FATA[0025] Error writing signatures: Image "sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b" is invalid: [signatures[0].metadata.name: Required value: name or generateName is required, signatures[0].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[0].type: Required value, signatures[0].content: Required value, signatures[1].metadata.name: Required value: name or generateName is required, signatures[1].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[1].type: Required value, signatures[1].content: Required value, signatures[2].metadata.name: Required value: name or generateName is required, signatures[2].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[2].type: Required value, signatures[2].content: Required value]

Expected results:
3. The signatures' subitems shouldn't be removed.


Additional info:
oc get istag signed:latest -o yaml 
apiVersion: v1
generation: 1
image:
  dockerImageLayers:
..........
  signatures:
  - content: ""
    metadata:
      creationTimestamp: null
    type: ""
kind: ImageStreamTag
lookupPolicy:
  local: false
metadata:
  creationTimestamp: 2017-06-14T06:03:39Z
  name: signed:latest
  namespace: m9cv8
  resourceVersion: "20706"
  selfLink: /oapi/v1/namespaces/m9cv8/imagestreamtags/signed%3Alatest
  uid: 507f893b-50c5-11e7-af77-fa163e9aa841
tag: null

Comment 2 Michal Fojtik 2017-06-23 14:21:18 UTC
Moving this to 3.7 where we should get the public urls and I will update the verify code to support it.

Comment 3 Michal Fojtik 2017-10-04 08:27:20 UTC
The verify-image-signature should now support --public-registry flag that can be used to specify the external registry endpoint.

Comment 4 zhou ying 2017-10-09 09:13:01 UTC
@Michal Fojtik:
   We can use the --registry-url flag now, but if we use the wrong 'expected-identity' by mistake, we can still reproduce the issue.

oadm verify-image-signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af --expected-identity='docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/hellot:latest' --public-key='/tmp/pubring.gpg' --registry-url='docker-registry-default.apps.1009-632.qe.rhcloud.com'  --token='zBsP6tTU5FyjxCTn7INR6uJCwtCUJr-UG6FHXUgXLfQ' --save
error verifying signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af@e5910c7d3364e7e621c96129a6e2ae10 for image sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af (verification status will be removed): signature rejected: Signature for identity docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/busybox:latest is not accepted

Comment 5 Ben Parees 2018-06-11 15:59:11 UTC
Jan, see if you can get Michal Fojtik to give you some pointers on starting this.

Comment 6 Jan Wozniak 2018-06-12 09:39:03 UTC
I would like to think the removal of signatures is by design[1]. There is currently an option to prevent the accidental removal by first trying to 'dry-run' the command without the '--save' option. The code will still print all the logs and you can inspect them for unexpected behavior[2], and it shouldn't override any data[3].

@mfojtik what would you say to an 'else' branch when neither '--save' nor '--remove-all' is passed here[3] that would only log the 'img' object? This could help the user understand clearly what will happen when the command is run with '--save'.



[1] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L41-L43

[2] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L213-L218

[3] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L245-L248
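The decision flow discussed in this comment (reject a signature whose identity does not match '--expected-identity', clear its verification status only on '--save', and otherwise just log what would change) can be modelled in a few lines. The following Go program is an added illustration written for this page; it is not code from openshift/origin, and its type names, field names, the "Trusted"/"ForImage" condition strings, the digest placeholder and the assumption that '--remove-all' also persists are all assumptions made for the example. The identity strings reuse the route hostname and service address pattern from the report.

```go
package main

import (
	"fmt"
	"strings"
)

// Signature is one signature stored on an image (illustrative model, not the
// origin API type). Conditions holds the verification status that a failed
// verification clears.
type Signature struct {
	Name       string   // <imageName>@<signatureName>
	Identity   string   // identity the signer used, e.g. route-host/ns/name:tag
	Conditions []string // e.g. "Trusted", "ForImage"; empty means unverified
}

// Image is the stored image object as the command sees it.
type Image struct {
	Name       string
	Signatures []Signature
}

// Options mirrors the flags that matter for this bug.
type Options struct {
	ExpectedIdentity string
	Save             bool // persist the computed changes
	RemoveAll        bool // drop every signature instead of re-verifying
}

// verifyIdentity models the identity check that rejected the signatures in
// this report. The real command also checks the GPG signature against the
// public key; that part is deliberately out of scope here.
func verifyIdentity(sig Signature, expected string) error {
	if sig.Identity != expected {
		return fmt.Errorf("signature rejected: Signature for identity %s is not accepted", sig.Identity)
	}
	return nil
}

// Plan computes the image a run would produce and a log line per signature.
// It builds a fresh Image so a dry run never mutates the caller's object.
func Plan(img Image, opts Options) (Image, []string) {
	out := Image{Name: img.Name}
	var msgs []string
	if opts.RemoveAll {
		msgs = append(msgs, fmt.Sprintf("removing all %d signatures from image %s", len(img.Signatures), img.Name))
		return out, msgs
	}
	for _, sig := range img.Signatures {
		s := Signature{Name: sig.Name, Identity: sig.Identity} // Conditions start empty
		if err := verifyIdentity(sig, opts.ExpectedIdentity); err != nil {
			// Status is left cleared, matching the "verification status will be removed" message.
			msgs = append(msgs, fmt.Sprintf("error verifying signature %s for image %s (verification status will be removed): %v", sig.Name, img.Name, err))
		} else {
			s.Conditions = []string{"Trusted", "ForImage"}
			msgs = append(msgs, fmt.Sprintf("signature %s verified for identity %s", sig.Name, sig.Identity))
		}
		out.Signatures = append(out.Signatures, s)
	}
	return out, msgs
}

// Run always produces the log, but returns the planned object for persistence
// only with --save or --remove-all. Otherwise it returns the untouched input
// plus a description of the object the run would have written (the proposed
// 'else' branch).
func Run(img Image, opts Options) (result Image, msgs []string, persisted bool) {
	planned, msgs := Plan(img, opts)
	if opts.Save || opts.RemoveAll {
		return planned, msgs, true
	}
	msgs = append(msgs, "dry run (no --save): image not modified; resulting object would be: "+Describe(planned))
	return img, msgs, false
}

// Describe renders an image's signatures and their conditions on one line.
func Describe(img Image) string {
	parts := make([]string, 0, len(img.Signatures))
	for _, s := range img.Signatures {
		parts = append(parts, fmt.Sprintf("%s[%s]", s.Name, strings.Join(s.Conditions, ",")))
	}
	return fmt.Sprintf("%s signatures=%d {%s}", img.Name, len(img.Signatures), strings.Join(parts, " "))
}

// sampleImage is constructed input: one signature made for the registry route
// hostname, as in the report. The digest is a placeholder, not a real image.
func sampleImage() Image {
	return Image{
		Name: "sha256:EXAMPLEDIGEST",
		Signatures: []Signature{{
			Name:       "sha256:EXAMPLEDIGEST@sig1",
			Identity:   "docker-registry-default.example.test/m9cv8/signed:latest",
			Conditions: []string{"Trusted", "ForImage"},
		}},
	}
}

func main() {
	// Wrong identity (service address instead of the route), run without --save.
	_, msgs, persisted := Run(sampleImage(), Options{ExpectedIdentity: "172.30.157.120:5000/m9cv8/signed:latest"})
	for _, m := range msgs {
		fmt.Println(m)
	}
	fmt.Println("persisted:", persisted)
}
```

Running it without Save prints the rejection line and the would-be object while leaving the stored signature's conditions intact; the same call with Save: true returns the signature with its conditions cleared, which is the state the report observed after using a service address as the expected identity.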

Comment 7 openshift-github-bot 2018-06-20 00:34:21 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/f5b16cbb2baf60890a7b0918071bfd68a7cf8fc0
Merge pull request #19976 from wozniakjan/bz1461324/verify-signature

Bug 1461324 - Log image changes on verify-image-signature without --save

Comment 8 Red Hat Bugzilla 2023-09-14 03:59:07 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days