Bug 1844199

Summary: [RFE] Add remapIdentity suggestion to simplify policy configuration
Product: Red Hat Enterprise Linux 8 Reporter: David Kaylor <dkaylor>
Component: podmanAssignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA QA Contact: Yuhui Jiang <yujiang>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.3CC: bbaude, dornelas, dwalsh, jligon, jnovy, lsm5, marrober, mheon, pehunt, pthomas, tsweeney, ypu
Target Milestone: rcKeywords: FutureFeature
Target Release: 8.4   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: podman-2.2.1-3.el8 or newer Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-18 15:32:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1186913, 1726784, 1823899    

Description David Kaylor 2020-06-04 19:03:27 UTC 
- Proposed title of this feature request

remapIdentity configuration option

- What is the nature and description of the request?

Mirroring image signatures can require a significant amount of configuration. The feature proposed here would simplify things:

https://github.com/containers/image/issues/884

- How would the customer like to achieve this? (List the functional requirements here)

Add the remapIdentity feature as described in the above link.

- For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

Mirror image signatures from a Red Hat repository. Configure the policy using remapIdentity. Validate the signatures in the mirrored registry.

- Is there already an existing RFE upstream or in Red Hat Bugzilla?

Upstream: https://github.com/containers/image/issues/884

- List any affected packages or components.

podman, skopeo, cri-o, buildah
Comment 3 Daniel Walsh 2020-09-11 20:02:51 UTC 
Miloslav any update on this?
Comment 9 Mark Roberts 2021-01-27 17:59:03 UTC 
Hi - Any news on when this might be implemented on OpenShift ?
Comment 12 Tom Sweeney 2021-01-27 18:53:40 UTC 
This was fixed in this PR: https://github.com/containers/image/pull/1075 (Add a signedIdentity choice "type": "remapIdentity") which was merged on December 4, 2020.  This was then included with the containers/image v5.9.0 release on Dec 7, 2020 which will be part of RHEL 8.3.1 and and RHEL 8.4.  As far as Podman is concerned, this fix is in Podman v2.2.1 and Podman v3.0.0

Unfortunately I don't know how/when this change will make it's way into OCP.  Peter Hunt or Derrick Ornelas any insight on that piece of it?

As this BZ is against Podman, I'm going to set this to POST and assign it to Jindrich for any further packaging needs.
Comment 21 errata-xmlrpc 2021-05-18 15:32:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1796