Bug 1471218

Summary: Docker cannot discover remote signatures
Product: Red Hat Enterprise Linux 7
Reporter: Aaron Weitekamp <aweiteka>
Component: docker
Assignee: Frantisek Kluknavsky <fkluknav>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Docs Contact:
Priority: high
Version: 7.4
CC: amurdaca, bbreard, ddarrah, imcleod, lsm5, lsu, mitr
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: docker-latest-1.13.1-13.gitb303bf6.el7, docker-1.12.6-47.git0fdc778.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1472974
Environment:
Last Closed: 2017-08-02 00:11:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1472974

Description Aaron Weitekamp 2017-07-14 17:37:31 UTC
Description of problem:
When signature verification is enabled remote signature blobs cannot be found due to a change in the path that was implemented.

Version-Release number of selected component (if applicable):
docker-1.12.6-32.git88a4867.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. edit /etc/sysconfig/docker, adding '--signature-verification=true'
2. systemctl restart docker
3. enable signed-by trust using atomic CLI:
    $ atomic trust add --sigstore https://access.redhat.com/webassets/docker/content/sigstore --pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com
4. $ docker pull registry.access.redhat.com/rhel7/openscap:latest

Actual results:
registry.access.redhat.com/rhel7/openscap:latest isn't allowed: A signature was required, but no signature exists

Expected results:
Image pulled

Additional info:

Fixed in docker-latest-1.13.1-13.gitb303bf6.el7.x86_64

NOTE: this is due to a change in the signature path schema. Compare signature path from docker log:
level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/registry.access.redhat.com/rhel7/openscap@sha256:461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1"

...with docker-latest log:
level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/rhel7/openscap@sha256=461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1"

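The two debug lines above differ in exactly two places: the broken build keeps the registry host in the path and keeps the ':' in the digest, while the fixed build drops the host and writes the digest as sha256=<hex>. The script below is an added example, not code from this bug report or from docker, atomic or containers/image; it builds both URL forms for an image reference and runs a check over daemon debug log lines to tell which schema a daemon is requesting. The "lookaside" form follows the containers/image sigstore convention that the fixed packages use; the "legacy" form reproduces the path seen in the bug. The sample log lines are constructed from the two GET lines quoted above, and all function names are this example's own.

```python
"""Lookaside ("sigstore") signature URLs for container images, plus a check
over dockerd debug log lines for which path schema the daemon requested.

Added example; not code from the bug report, docker, atomic or containers/image.
The "lookaside" form follows the containers/image convention used by the fixed
packages (repository path without the registry host, ':' in the digest replaced
by '='); the "legacy" form reproduces the broken path in the bug's debug log.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Values taken from the bug report.
SIGSTORE = "https://access.redhat.com/webassets/docker/content/sigstore"
IMAGE = "registry.access.redhat.com/rhel7/openscap:latest"
DIGEST = "sha256:461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94"

# Constructed sample log: the two GET lines quoted in the bug description
# (first from docker-1.12.6-32, second from docker-latest) plus one unrelated line.
SAMPLE_LOG = [
    'level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/'
    'registry.access.redhat.com/rhel7/openscap@sha256:461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1"',
    'level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/'
    'rhel7/openscap@sha256=461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1"',
    'level=debug msg="pulling layer d55ab3b04d8b"',
]


def parse_reference(ref: str) -> Tuple[Optional[str], str, Optional[str], Optional[str]]:
    """Split 'host/repo[:tag][@digest]' into (host, repo, tag, digest).

    The first path component is treated as a registry host only when it looks
    like one (contains '.' or ':' or is 'localhost'), as docker does.
    """
    name, sep, digest = ref.partition("@")
    digest = digest if sep else None
    first, sep, rest = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        host, repo = first, rest
    else:
        host, repo = None, name
    tag = None
    if ":" in repo.rsplit("/", 1)[-1]:
        repo, tag = repo.rsplit(":", 1)
    return host, repo, tag, digest


def lookaside_signature_url(base: str, ref: str, digest: str, n: int = 1) -> str:
    """URL the fixed packages request:
    <base>/<repo without registry host>@<algo>=<hex>/signature-<n>"""
    _host, repo, _tag, _digest = parse_reference(ref)
    return f"{base.rstrip('/')}/{repo}@{digest.replace(':', '=', 1)}/signature-{n}"


def legacy_signature_url(base: str, ref: str, digest: str, n: int = 1) -> str:
    """URL docker-1.12.6-32 requested (host kept, ':' kept), per the bug log."""
    host, repo, _tag, _digest = parse_reference(ref)
    return f"{base.rstrip('/')}/{host}/{repo}@{digest}/signature-{n}"


_GET_RE = re.compile(r"GET (?P<url>https?://\S+?/signature-\d+)")


def classify_log_line(line: str, base: str) -> Optional[str]:
    """Return 'lookaside', 'legacy' or 'mixed' for a signature GET under `base`,
    or None if the line is not such a request."""
    m = _GET_RE.search(line)
    prefix = base.rstrip("/") + "/"
    if not m or not m.group("url").startswith(prefix):
        return None
    rel = m.group("url")[len(prefix):]
    repo_part, _, remainder = rel.partition("@")
    digest_part = remainder.split("/", 1)[0]
    host_kept = "." in repo_part.split("/", 1)[0]
    equals_digest = "=" in digest_part and ":" not in digest_part
    if equals_digest and not host_kept:
        return "lookaside"
    if not equals_digest and host_kept:
        return "legacy"
    return "mixed"


def audit_log(lines: Iterable[str], base: str = SIGSTORE) -> List[str]:
    """Classify every signature GET in `lines`; any 'legacy' hit means the
    daemon is still requesting the broken path schema."""
    return [c for c in (classify_log_line(ln, base) for ln in lines) if c]


if __name__ == "__main__":
    print("fixed  :", lookaside_signature_url(SIGSTORE, IMAGE, DIGEST))
    print("broken :", legacy_signature_url(SIGSTORE, IMAGE, DIGEST))
    print("log    :", audit_log(SAMPLE_LOG))
```

To use this against a real host, feed `audit_log` the output of `journalctl -u docker` after enabling debug logging; a "legacy" result on a daemon that is supposed to be fixed is the quickest way to confirm which package is actually running. Note that the host is dropped from the path because the sigstore base URL is already selected per registry in the registries.d configuration, and the ':' is rewritten so the digest can be served as a plain directory name.
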
Comment 9 Antonio Murdaca 2017-07-18 16:16:56 UTC
Alright, fixed that. All good to go here

Comment 18 Luwen Su 2017-07-22 15:29:29 UTC
The fix works for me

/usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --selinux-enabled --log-driver=journald --add-registry registry.access.redhat.com 

/***
highlight here 
 --signature-verification=true 
*****/ 

--add-registry registry.access.redhat.com


# rpm -q docker atomic
docker-1.12.6-48.git0fdc778.el7.x86_64
atomic-1.18.1-3.1.git0705b1b.el7.x86_64

# atomic trust add --sigstore https://access.redhat.com/webassets/docker/content/sigstore --pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com
# docker pull registry.access.redhat.com/rhel7/openscap:latest
sha256:4a7df5dbc70e41d9a31701bb54a4b8fd063cbd217254c0e3c966f94594af1c31: Pulling from registry.access.redhat.com/rhel7/openscap
d55ab3b04d8b: Pull complete 
b94f985aad49: Pull complete 
f027279f25ea: Pull complete 
299b02042b45: Pull complete 
Digest: sha256:4a7df5dbc70e41d9a31701bb54a4b8fd063cbd217254c0e3c966f94594af1c31
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest

Comment 20 errata-xmlrpc 2017-08-02 00:11:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2344