Thanks for the suggestion, this does make sense. (For the record, a theoretical downside is that if the sigstore is down, pulling images would fail as well. But at least for registry.redhat.io it’s literally the same host name, so that seems very unlikely.)
Jindřich, what’s the best way to do this? Just include the files in the RPM packaging, or is there an upstream repo where this would make sense to ship? (I’m a bit reluctant to maintain a “public registry” on GitHub, although it’s much less of a concern than a registry of trusted public keys.)
Yes, this makes sense to ship within the containers-common package IMO.
With shortnames and now signature verification data in containers-common I think it makes sense to completely decouple containers-common from skopeo as it was never really related to skopeo only.
Mirek/Derrick - is this aimed at 8.3.1 or 8.4.0?
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2021:1796
Comment 14, Red Hat Bugzilla, 2023-09-15 00:52:18 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.