Bug 1563645

Summary: Docker Notary signatures verification in OpenShift
Product: OpenShift Container Platform
Reporter: Andre Costa <andcosta>
Component: Documentation
Assignee: Vikram Goyal <vigoyal>
Status: CLOSED WONTFIX
QA Contact: Vikram Goyal <vigoyal>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: medium
Version: 3.6.1
CC: aos-bugs, erich, jokerman, mmccomas
Hardware: All
OS: All
Doc Type: If docs needed, set a value
Last Closed: 2018-06-18 04:54:35 UTC
Type: Bug

Description Andre Costa 2018-04-04 11:44:17 UTC
Description of problem:
The customer would like to know, from the following questions, what is supported on the OpenShift side and, depending on what is supported, how this can be done, or whether it is possible to update our documentation regarding these issues:

### Transcript from case description ###

I would like to know whether it's possible to use Docker/Notary signatures for container images and use OpenShift verification methods to verify such images. If yes, what is the workflow and what are the commands for:
- creating an image stream/ISTAG (pointing to an external registry)
- verification of such an ISTAG signature (and what integrations are perhaps required, e.g. Notary API access)?
- is anything else required for enabling content trust (making sure containers have verified signatures) than defining the Image Signature Policy (ISP)?

We have OpenShift customers that would like to:
a) Use container signing for image trust verification (preferably Notary signatures rather than Atomic signatures)
b) Use external registry such as Artifactory for source image location
c) Have Image Streams within OpenShift to point to the external registry
d) Verify image signatures using OCP features, again with Notary signatures, if possible
So something like:
- Use the OpenShift Image Signature Policy + the verification command to mark the Image Stream tags as verified (and run with trust).

I've also written some generic details/questions here:
https://superuser.com/questions/1303434/image-signatures-content-trust-with-notary-openshift

It's confusing that there are indications that Notary integration is not a target for RH, but Docker signature transports are still advertised to work.
So I'm looking for information on how feasible it would be to perform signature verification in OpenShift against Notary signatures, and what the workflow/call sequence would be for that?

Links:
Signature format support (docker exists):
https://docs.openshift.com/container-platform/3.6/security/deployment.html#security-deployment-signature-transports
OCP ISP:
https://github.com/containers/image/blob/master/docs/policy.json.md#a-reasonably-locked-down-system
Image Stream tag verification command:
https://docs.openshift.com/container-platform/3.7/admin_guide/image_signatures.html#verifying-image-signatures-using-openshift-cli
Notary integration not an OCP goal:
https://trello.com/c/CNxOQ5Vs/1358-notary-integration

Comment 1 Eric Rich 2018-04-11 11:44:26 UTC
Possible Duplicate: https://bugzilla.redhat.com/show_bug.cgi?id=1282754

Comment 2 Vikram Goyal 2018-06-18 04:54:35 UTC
As per https://bugzilla.redhat.com/show_bug.cgi?id=1282754#c3, Notary is not supported.

I am going to close this bug as WONTFIX.