Bug 1471218
| Summary: | Docker cannot discover remote signatures | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Aaron Weitekamp <aweiteka> | |
| Component: | docker | Assignee: | Frantisek Kluknavsky <fkluknav> | |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.4 | CC: | amurdaca, bbreard, ddarrah, imcleod, lsm5, lsu, mitr | |
| Target Milestone: | rc | Keywords: | Extras | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | docker-latest-1.13.1-13.gitb303bf6.el7, docker-1.12.6-47.git0fdc778.el7 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1472974 | Environment: | |
| Last Closed: | 2017-08-02 00:11:21 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1472974 | |||
Alright, fixed that.

All good to go here.

The fix works for me

    /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --selinux-enabled --log-driver=journald --add-registry registry.access.redhat.com /*** highlight here --signature-verification=true *****/ --add-registry registry.access.redhat.com

    # rpm -q docker atomic
    docker-1.12.6-48.git0fdc778.el7.x86_64
    atomic-1.18.1-3.1.git0705b1b.el7.x86_64

    # atomic trust add --sigstore https://access.redhat.com/webassets/docker/content/sigstore --pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com

    # docker pull registry.access.redhat.com/rhel7/openscap:latest
    sha256:4a7df5dbc70e41d9a31701bb54a4b8fd063cbd217254c0e3c966f94594af1c31: Pulling from registry.access.redhat.com/rhel7/openscap
    d55ab3b04d8b: Pull complete
    b94f985aad49: Pull complete
    f027279f25ea: Pull complete
    299b02042b45: Pull complete
    Digest: sha256:4a7df5dbc70e41d9a31701bb54a4b8fd063cbd217254c0e3c966f94594af1c31
    Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2344
Description of problem:
When signature verification is enabled remote signature blobs cannot be found due to a change in the path that was implemented.

Version-Release number of selected component (if applicable):
docker-1.12.6-32.git88a4867.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. edit /etc/sysconfig/docker, adding '--signature-verification=true'
2. systemctl restart docker
3. enable signed-by trust using atomic CLI:
   $ atomic trust add --sigstore https://access.redhat.com/webassets/docker/content/sigstore --pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com
4. $ docker pull registry.access.redhat.com/rhel7/openscap:latest

Actual results:
registry.access.redhat.com/rhel7/openscap:latest isn't allowed: A signature was required, but no signature exists

Expected results:
Image pulled

Additional info:
Fixed in docker-latest-1.13.1-13.gitb303bf6.el7.x86_64

NOTE: this is due to a change in the signature path schema. Compare signature path from docker log:

    level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/registry.access.redhat.com/rhel7/openscap@sha256:461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1"

...with docker-latest log:

    level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/rhel7/openscap@sha256=461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1"
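
The path difference noted in the report can be checked mechanically against a daemon debug log when a pull fails with "A signature was required, but no signature exists". The following is an added example, not code from the bug report or from docker; it assumes the sigstore serves the layout seen in the docker-latest log, and the function names and schema labels are hypothetical.

```python
import re

# Tail of a sigstore request: <repo>@sha256<sep><hex digest>/signature-<n>
SIG_TAIL = re.compile(
    r"^(?P<repo>.+)@sha256(?P<sep>[:=])(?P<digest>[0-9a-f]{64})/signature-(?P<n>\d+)$")
GET_URL = re.compile(r'msg="GET (?P<url>[^"\s]+)"')

# Sample input: the two debug lines quoted in the bug report.
SIGSTORE = "https://access.redhat.com/webassets/docker/content/sigstore"
REGISTRY = "registry.access.redhat.com"
DIGEST = "461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94"
DOCKER_LOG = ('level=debug msg="GET ' + SIGSTORE + "/" + REGISTRY
              + "/rhel7/openscap@sha256:" + DIGEST + '/signature-1"')
DOCKER_LATEST_LOG = ('level=debug msg="GET ' + SIGSTORE
                     + "/rhel7/openscap@sha256=" + DIGEST + '/signature-1"')

def expected_url(sigstore, repo, digest, index=1):
    """Layout requested by docker-latest in the report: no registry host, '='."""
    return f"{sigstore.rstrip('/')}/{repo}@sha256={digest}/signature-{index}"

def classify(log_line, sigstore, registry):
    """Return (schema, repo, digest, index) for a signature GET line, else None."""
    got = GET_URL.search(log_line)
    base = sigstore.rstrip("/") + "/"
    if not got or not got["url"].startswith(base):
        return None
    tail = SIG_TAIL.match(got["url"][len(base):])
    if not tail:
        return None
    repo, has_host = tail["repo"], tail["repo"].startswith(registry + "/")
    if has_host:
        repo = repo[len(registry) + 1:]
    if tail["sep"] == "=" and not has_host:
        schema = "repo@sha256="        # form in the docker-latest log
    elif tail["sep"] == ":" and has_host:
        schema = "host/repo@sha256:"   # form in the docker log
    else:
        schema = "unrecognised"
    return schema, repo, tail["digest"], int(tail["n"])

def mismatches(log_lines, sigstore, registry):
    """Pair each non-matching lookup with the URL expected under the assumed layout."""
    out = []
    for line in log_lines:
        hit = classify(line, sigstore, registry)
        if hit and hit[0] != "repo@sha256=":  # assumption: sigstore serves this form
            out.append((hit[0], expected_url(sigstore, hit[1], hit[2], hit[3])))
    return out
```

Feeding `mismatches()` the debug lines from `journalctl -u docker` separates a path-schema problem from a genuinely unsigned image: the first yields a rewritten URL to test by hand, the second yields nothing.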