Bug 1633482

Summary: No verification of image signatures, "insecureAcceptAnything" in policy.json
Product: Red Hat Enterprise Linux 8
Reporter: Sam Fowler <sfowler>
Component: skopeo
Assignee: Tom Sweeney <tsweeney>
Status: CLOSED WONTFIX
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: unspecified
Version: 8.3
CC: dornelas, dwalsh, jshepherd, jswensso, mitr, sgraf, vrothber
Target Milestone: rc
Keywords: Extras, Reopened
Target Release: 8.4
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Clones: 1700140
Last Closed: 2021-01-08 07:36:54 UTC
Type: Bug
Bug Blocks: 1633455, 1700140, 1726784

Description Sam Fowler 2018-09-27 06:46:40 UTC
Description of problem:
The /etc/containers/policy.json file shipped with skopeo-containers does not enable image signature verification. E.g.

$ cat /etc/containers/policy.json 
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
}


Version-Release number of selected component (if applicable):
skopeo-1:0.1.31-1.dev.gitae64ff7.el7.src

Additional info:
Once all Red Hat-shipped images are signed, a per-registry policy could be used to verify Red Hat-only images. E.g.

{
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ]
        }
    }
}

Comment 2 Johan Swensson 2018-09-27 07:35:44 UTC
This is not limited to image signatures; it also means that with the default config skopeo and podman do not verify the CA issuer of the remote registry.
This can easily be demonstrated by installing docker-distribution and configuring it to use a self-signed certificate.

Comment 3 Johan Swensson 2018-09-27 08:30:29 UTC
(In reply to Johan Swensson from comment #2)
> This is not limited to image signatures; it also means that with the default
> config skopeo and podman do not verify the CA issuer of the remote
> registry.
> This can easily be demonstrated by installing docker-distribution and
> configuring it to use a self-signed certificate.

This only seems to be the case if podman/skopeo is run on the same machine as docker-distribution, which is strange since there are no configured insecure registries by default, but there are in docker.

# podman info
<...>
insecure registries:
  registries: []
<...>

# docker info
<...>
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false
Registries: registry.access.redhat.com (secure), docker.io (secure)

Comment 4 Daniel Walsh 2019-01-10 20:36:33 UTC
Lokesh, do you know if RHEL registries are signed now?

Comment 5 Valentin Rothberg 2019-01-11 15:22:39 UTC
(In reply to Johan Swensson from comment #3)
[...]
> This only seems to be the case if podman/skopeo is run on the same machine
> as docker-distribution, which is strange since there are no configured
> insecure registries by default, but there are in docker.
> 
> # podman info
> <...>
> insecure registries:
>   registries: []
> <...>
> 
> # docker info
> <...>
> Insecure Registries:
>  127.0.0.0/8
> Live Restore Enabled: false
> Registries: registry.access.redhat.com (secure), docker.io (secure)

We are currently working on marking localhost to be insecure by default. In the meantime, we need to set this manually in the `/etc/containers/registries.conf` by adding the specific registry to the insecure list.

Comment 6 Miloslav Trmač 2019-01-22 16:17:29 UTC
(In reply to Johan Swensson from comment #2)
> This is not limited to image signatures, it also means that with the default
> config skopeo and podman does not verify the CA issuer of the remote
> registry.

I can quite authoritatively say that nothing in policy.json has any connection with TLS or CA verification at all.  That’s not to say that there can’t be a problem with CA verification, but…

> This can easily be demonstrated by installing docker-distribution and
> configure it to use a self signed certificate.

… please provide detailed and comprehensive steps to reproduce, how an untrusted CA is accepted (and how it is not accepted with different policy.json).

Comment 7 Johan Swensson 2019-01-22 21:52:39 UTC
(In reply to Miloslav Trmač from comment #6)
> … please provide detailed and comprehensive steps to reproduce, how an
> untrusted CA is accepted (and how it is not accepted with different
> policy.json).

I have not been able to reproduce it myself either, sorry about the noise.

Comment 15 Jason Shepherd 2019-04-16 00:12:43 UTC
To be more specific about what is required:

$ cat /etc/containers/policy.json
{
    "default": [
        {
            "type":    "signedBy",
            "keyType": "GPGKeys",
            "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
            "signedIdentity": {"type":"matchExact"}
        }
    ]
}

$ cat /etc/containers/registries.d/redhat.yaml
docker:
    registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore

With this configuration, container images pulled from registry.access.redhat.com will be verified. For images mirrored on registry.redhat.io, Red Hat only started generating valid signatures from April 1st, 2019. Until Red Hat publishes signatures for images distributed on registry.redhat.io prior to April 1st, 2019, signature validation on images pulled from there won't work.

If you expect to only be pulling images distributed after that date, you can modify registries.d/redhat.yaml like so:

$ cat /etc/containers/registries.d/redhat.yaml
docker:
    registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore
    registry.redhat.io:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore

Comment 17 Jason Shepherd 2019-04-16 01:55:18 UTC
With this enabled, trying to pull an unsigned image from another registry fails with an error such as:

podman pull docker.io/myrepo/depcheck:0.1
Trying to pull docker.io/myrepo/depcheck:0.1...Failed
error pulling image "docker.io/myrepo/depcheck:0.1": unable to pull docker.io/myrepo/depcheck:0.1: 2 errors occurred:

* Source image rejected: A signature was required, but no signature exists 

To work around this issue, we can add an insecure policy for docker.io. That would cover everything in the default search path from registries.conf.

$ cat /etc/containers/policy.json 
{
    "default": [
        {
            "type":    "signedBy",
            "keyType": "GPGKeys",
            "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
            "signedIdentity": {"type":"matchExact"}
        }
    ],
    "transports": {
        "docker": {
            "docker.io": [{"type": "insecureAcceptAnything"}]
        }
    }
}

Comment 18 Miloslav Trmač 2019-04-16 18:19:00 UTC
(In reply to Jason Shepherd from comment #17)
> With this enabled trying to pull an unsigned image from another registry
> fails with an error such as:
> 
> podman pull docker.io/myrepo/depcheck:0.1
> Trying to pull docker.io/myrepo/depcheck:0.1...Failed
> error pulling image "docker.io/myrepo/depcheck:0.1": unable to pull
> docker.io/myrepo/depcheck:0.1: 2 errors occurred:
> 
> * Source image rejected: A signature was required, but no signature exists 
> 
> To work around this issue, we can add an insecure policy for docker.io. That
> would cover everything in the default search path from registries.conf.

No, it wouldn’t.  What about my-private-registry.my-company.example.com?  I can’t see why we would treat that registry and docker.io differently in the default configuration.

The RH keys just have no place being in the global default scope; define them specifically for "transports"."docker"."registry.access.redhat.com" (and "transports"."docker"."redhat.io", eventually); leave the insecure "transports"."docker-daemon" configuration as is.  And then, independently, decide what should be the global default. In order not to break customers’ systems, I think the shipped default almost certainly has to be insecureAcceptAnything as well, but we should prominently document how to set default: reject for customers who want that kind of lock down.

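The disagreement in comments 17 and 18 comes down to how policy.json scopes are resolved. The following is an added example, not code from this bug or from skopeo/containers/image: a simplified Python model of the docker-transport scope matching described in containers-policy.json(5), run against a policy constructed from comment 17, plus an audit of which scopes accept unsigned images.

```python
import json

# Constructed sample modelled on the policy.json in comment 17 (not a shipped file).
POLICY_JSON = """
{
  "default": [{"type": "signedBy", "keyType": "GPGKeys",
               "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
               "signedIdentity": {"type": "matchExact"}}],
  "transports": {
    "docker": {"docker.io": [{"type": "insecureAcceptAnything"}]},
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}
"""

def scope_candidates(ref):
    """Docker-transport scopes from most to least specific: the exact reference,
    the repository, each namespace prefix, then the registry host[:port].
    Simplified model of containers-policy.json(5); wildcard scopes are omitted."""
    repo = ref.rsplit("@", 1)[0]                    # drop a @sha256:... digest
    host, _, path = repo.partition("/")
    if ":" in path.rsplit("/", 1)[-1]:             # drop a :tag on the last element
        path = path.rsplit(":", 1)[0]
    parts = path.split("/") if path else []
    cands = [ref] + [host + "/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
    return cands + [host]

def requirements_for(policy, transport, ref):
    """The requirement list that governs `ref`: the most specific matching scope,
    else the transport-wide "" scope, else the global default."""
    scopes = policy.get("transports", {}).get(transport, {})
    for cand in scope_candidates(ref):
        if cand in scopes:
            return cand, scopes[cand]
    if "" in scopes:
        return transport + ":<any>", scopes[""]
    return "default", policy["default"]

def unverified_scopes(policy):
    """Audit: every scope (global default included) that accepts unsigned images."""
    def insecure(reqs):
        return any(r["type"] == "insecureAcceptAnything" for r in reqs)
    found = ["default"] if insecure(policy["default"]) else []
    for transport, scopes in policy.get("transports", {}).items():
        found += [f"{transport}:{s or '<any>'}" for s, r in scopes.items() if insecure(r)]
    return found

POLICY = json.loads(POLICY_JSON)
```

Resolving `my-private-registry.my-company.example.com/app:1` falls through to the global `signedBy` default, which is the point made in comment 18: a docker.io exemption covers docker.io only.
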
Comment 19 Jason Shepherd 2019-05-08 05:20:54 UTC
See this KB article for details on turning on image signature verification for Red Hat repositories in RHEL-7:

https://access.redhat.com/articles/3116561

Comment 20 Daniel Walsh 2020-06-03 13:55:55 UTC
Do we know if all images from Red Hat are signed?  Are we prepared to turn this on by default?

Comment 31 RHEL Program Management 2021-01-08 07:36:54 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.