Bug 1461324
Summary: | oadm verify-image-signature will remove all the signatures' subitems when using the wrong 'expected-identity' | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | zhou ying <yinzhou> |
Component: | Image Registry | Assignee: | Jan Wozniak <jwozniak> |
Status: | CLOSED NOTABUG | QA Contact: | ge liu <geliu> |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | 3.6.0 | CC: | aos-bugs, bparees, dyan, mfojtik |
Target Milestone: | --- | | |
Target Release: | 3.7.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-06-29 14:56:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
zhou ying
2017-06-14 08:38:29 UTC
Moving this to 3.7 where we should get the public urls and I will update the verify code to support it. The verify-image-signature should now support --public-registry flag that can be used to specify the external registry endpoint.

@Michal Fojtik: We can use the --registry-url flag now, but if we use the wrong 'expected-identity' by mistake, the issue can still be reproduced.

```
oadm verify-image-signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af --expected-identity='docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/hellot:latest' --public-key='/tmp/pubring.gpg' --registry-url='docker-registry-default.apps.1009-632.qe.rhcloud.com' --token='zBsP6tTU5FyjxCTn7INR6uJCwtCUJr-UG6FHXUgXLfQ' --save
error verifying signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af@e5910c7d3364e7e621c96129a6e2ae10 for image sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af (verification status will be removed): signature rejected: Signature for identity docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/busybox:latest is not accepted
```

Jan, see if you can get Michal Fojtik to give you some pointers on starting this.

I would like to think the removal of signatures is by design[1]. There is currently an option to prevent the accidental removal by first trying to 'dry-run' the command without the '--save' option. Code will still print all the logs and you can inspect them for unexpected behavior[2], and it shouldn't override any data[3].

@mfojtik what would you say to an 'else' branch when neither '--save' nor '--remove-all' are passed here[3] that would only log the 'img' object? This could help the user understand clearly what will happen when the command is run with '--save'.

[1] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L41-L43
[2] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L213-L218
[3] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L245-L248

Commit pushed to master at https://github.com/openshift/origin
https://github.com/openshift/origin/commit/f5b16cbb2baf60890a7b0918071bfd68a7cf8fc0
Merge pull request #19976 from wozniakjan/bz1461324/verify-signature
Bug 1461324 - Log image changes on verify-image-signature without --save

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days
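The behaviour the thread settles on (rejected signatures lose their verification status only under --save, with a dry run that just reports the planned change) as an added illustration; this is a constructed model with made-up Signature/Image types and a placeholder digest, not code from openshift/origin:

```go
package main

import "fmt"

// Constructed model of the state verify-image-signature manages (illustration, not openshift/origin code).
type Signature struct {
	Name     string
	Identity string // image reference the signature was made for
	Verified bool   // verification status the command sets or removes
}
type Image struct {
	Name       string
	Signatures []Signature
}

// Apply mirrors the three branches discussed in the bug: --remove-all, --save, and the
// dry run when neither flag is given. Only the first two write to img; the dry run reports
// what --save would do, so a wrong --expected-identity is visible before status is lost.
func Apply(img *Image, expectedIdentity string, save, removeAll bool) (string, bool) {
	var accepted, rejected []string
	for _, s := range img.Signatures {
		if s.Identity == expectedIdentity {
			accepted = append(accepted, s.Name)
		} else {
			rejected = append(rejected, s.Name)
		}
	}
	switch {
	case removeAll:
		for i := range img.Signatures {
			img.Signatures[i].Verified = false
		}
		return fmt.Sprintf("%s: removed verification status from all signatures", img.Name), true
	case save:
		for i := range img.Signatures {
			img.Signatures[i].Verified = img.Signatures[i].Identity == expectedIdentity
		}
		return fmt.Sprintf("%s: saved, accepted=%v rejected=%v", img.Name, accepted, rejected), true
	default:
		return fmt.Sprintf("%s: dry run, would accept %v and remove status from %v", img.Name, accepted, rejected), false
	}
}

func main() {
	// Constructed sample: the signature names busybox, but the operator typed hellot.
	img := Image{Name: "sha256:<digest>", Signatures: []Signature{
		{Name: "sig-1", Identity: "registry.example/zhouy/busybox:latest", Verified: true}}}
	msg, _ := Apply(&img, "registry.example/zhouy/hellot:latest", false, false)
	fmt.Println(msg)
}
```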