Bug 1829061

Summary: Signature verification incorrectly uses mirror’s references
Product: Red Hat Enterprise Linux 8 Reporter: Miloslav Trmač <mitr>
Component: podmanAssignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA QA Contact: atomic-bugs <atomic-bugs>
Severity: high Docs Contact:
Priority: unspecified    
Version: 8.2CC: bbaude, dkaylor, dornelas, dwalsh, jligon, jnovy, kanderso, lsm5, mheon, mitr, rspazzol, tsweeney, ypu
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: podman-1.9.3-2.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-21 15:32:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1186913, 1793607    

Description Miloslav Trmač 2020-04-28 19:40:56 UTC 
c/image/docker.newImageSource, when using mirrors, creates an ImageReference with a types.ImageReference pointing at the mirror, with no record of the primary location. This breaks signature verification, which ultimately uses ImageSource.Reference() to decide what to verify the signature against.

(Affects all other c/image users in addition to Podman, notably including CRI-O.)
Comment 6 Tom Sweeney 2020-05-18 18:02:42 UTC 
Assigning to Jindrich to verify per https://bugzilla.redhat.com/show_bug.cgi?id=1829061#c5

Matt, Miloslav and /or Jindrich, do you have an answer to Derrick's question about backporting to Podman v1.9?  I know it will bin in v2.0
Comment 7 Daniel Walsh 2020-05-18 18:54:56 UTC 
Derrick, do you need it three months earlier?
Comment 17 Daniel Walsh 2020-05-28 19:09:24 UTC 
Miloslav lets get a patch for this in podman-1.9.4 Then they can get it in July.
Comment 34 Joy Pu 2020-07-02 15:47:04 UTC 
Test with podman-1.9.3-2.module+el8.2.1+6867+366c07d6.x86_64. The location will not be replaced by mirror references for policy part from debug log. So set this to verified.

Here is my registries.conf:

unqualified-search-registries = ['registry.access.redhat.com', 'registry.redhat.io', 'docker.io']

[[registry]]
prefix = "registry.access.redhat.com/ubi8"
insecure = true
blocked = false
location = "quay.io/ypu/test"

And here is the details:
# podman --log-level debug  pull registry.access.redhat.com/ubi8
......

DEBU[0003]  Using transport "docker" specific policy section registry.access.redhat.com 
DEBU[0003] Requirement 0: denied, done                  
DEBU[0003] Error pulling image ref //registry.access.redhat.com/ubi8:latest: Source image rejected: A signature was required, but no signature exists 
  A signature was required, but no signature exists
ERRO[0003] error pulling image "registry.access.redhat.com/ubi8": unable to pull registry.access.redhat.com/ubi8: unable to pull image: Source image rejected: A signature was required, but no signature exists
Comment 36 errata-xmlrpc 2020-07-21 15:32:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3053