Bug 1399080 - Release openshift3/image-inspector 2.1
Summary: Release openshift3/image-inspector 2.1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: ImageStreams
Version: 3.3.1
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 3.3.1
Assignee: Federico Simoncelli
QA Contact: Wang Haoran
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-28 09:10 UTC by Federico Simoncelli
Modified: 2016-12-01 19:28 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-12-01 19:28:26 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2845 0 normal SHIPPED_LIVE Red Hat OpenShift Container Platform Image Inspector enhancement update 2016-12-02 00:28:11 UTC

Description Federico Simoncelli 2016-11-28 09:10:10 UTC
Description of problem:
Release openshift3/image-inspector 2.1.0

Comment 1 Wang Haoran 2016-11-30 05:40:13 UTC
Could you please rebuilt the image with the signed rpm package, the image failed the sanity test with error:
gpg-pubkey (none) gpg-pubkey (none) openscap-scanner RSA/SHA256, Thu Sep 8 07:41:43 2016, Key ID 938a80caf21541eb gpg-pubkey (none) gpg-pubkey (none) openscap RSA/SHA256, Thu Sep 8 07:41:04 2016, Key ID 938a80caf21541eb

Comment 2 Federico Simoncelli 2016-11-30 08:56:49 UTC
(In reply to Wang Haoran from comment #1)
> Could you please rebuilt the image with the signed rpm package, the image
> failed the sanity test with error:
> gpg-pubkey (none) gpg-pubkey (none) openscap-scanner RSA/SHA256, Thu Sep 8
> 07:41:43 2016, Key ID 938a80caf21541eb gpg-pubkey (none) gpg-pubkey (none)
> openscap RSA/SHA256, Thu Sep 8 07:41:04 2016, Key ID 938a80caf21541eb

Wang you're on an email thread where Troy reported that he already signed the rpms.

In 2.1-1 the rpm is not signed:

# docker run -ti --rm --entrypoint=/bin/bash {...}/openshift3/image-inspector:2.1-1
[root@dc0930aee2f6 /]# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n' image-inspector
image-inspector-2.1.0-1.el7 (none)


But in the new image 2.1-2 the rpm is signed:

$ docker run -ti --rm --entrypoint=/bin/bash {...}/image-inspector:2.1-2
[root@e619745d7f0f /]# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n' image-inspector
image-inspector-2.1.0-1.el7 RSA/SHA256, Tue Nov 29 14:34:59 2016, Key ID 199e2f91fd431d51


I am not sure if Troy forgot to update the errata with this information but anyway you should have noticed by the email thread that an image with signed rpms is available since yesterday.

For reference here's the images id:

{...}/openshift3/image-inspector   2.1-2  f964236eaa82
{...}/openshift3/image-inspector   2.1    44b09f38de87
{...}/openshift3/image-inspector   2.1-1  44b09f38de87

Comment 3 Wang Haoran 2016-11-30 09:55:10 UTC
I am testing the image-inspector:2.1-2 image, but failed the sign check,
docker run -ti --rm --entrypoint=/bin/bash {...}/image-inspector:2.1-2
root@92601abef649 /]#rpm -q 'gpg-pubkey'
gpg-pubkey-fd431d51-4ae0493b
gpg-pubkey-2fa658e0-45700c69
gpg-pubkey-f21541eb-4a5233e7
gpg-pubkey-897da07a-3c979a7f

the key contains others except fd431d51 and 2fa658e0

Comment 4 Troy Dawson 2016-11-30 16:36:01 UTC
Thank you for catching that.
There was an unexpected change in the image build environment, causing rpm's to be pulled from unexpected places.  That has been resolved and a new image was built.

  openshift3/image-inspector:2.1-3

Please try again.

Comment 5 Wang Haoran 2016-12-01 01:59:49 UTC
It passed this time.

Comment 7 errata-xmlrpc 2016-12-01 19:28:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2016:2845


Note You need to log in before you can comment on or make changes to this bug.