Bug 1450337 - [platformmanagement_public_788]Can't remove any signature from the image
Summary: [platformmanagement_public_788]Can't remove any signature from the image
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.7.0
Assignee: Michal Fojtik
QA Contact: ge liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-05-12 09:47 UTC by zhou ying
Modified: 2017-11-28 21:54 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-28 21:54:33 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC

Description zhou ying 2017-05-12 09:47:47 UTC
Description of problem:
When using the command `oadm verify-image-signature sha256:67326d0fcdc02a022a7b507b832b76a8609b8246de926ee0fa12f64886da1803 --expected-identity=172.30.205.231:5000/zhouy/hello-openshift:latest --remove-all`, the signature was not removed from the image object.

Version-Release number of selected component (if applicable):
openshift v3.6.74
kubernetes v1.6.1+5115d708d7
etcd 3.1.0

How reproducible:
always

Steps to Reproduce:
1. Log in to OpenShift and create a project;
2. Create a GPG key pair;
3. Use the user token to log in to the integrated docker-registry;
4. Tag an image to the integrated docker-registry:
   `docker tag openshift/hello-openshift   docker-registry:5000/project/imagestream:latest`
5. Use the atomic command to sign and push the image to the integrated docker-registry:
   `atomic push --type atomic --sign-by yinzhou 172.30.205.231:5000/zhouy/deployment-example:latest`
6. Check the image with signature;
7. Use command to remove the signature:
    `oadm verify-image-signature sha256:3f71e6dd452146b942f064d3aa4a8f33e7993aaae4e9edc691a638089944093f  --expected-identity=172.30.205.231:5000/zhouy/deployment-example:latest --remove-all`
8. Use command to remove the signature:
   `oadm verify-image-signature sha256:3f71e6dd452146b942f064d3aa4a8f33e7993aaae4e9edc691a638089944093f  --expected-identity=172.30.205.231:5000/zhouy/deployment-example:latest  --remove-all --public-key=/root/.gnupg/pubring.gpg`


Actual results:
7. The command fails with the error: unable to read --public-key: open pubring.gpg: no such file or directory
8. No error, but the '--remove-all' option does not work.


Expected results:
7. The '--remove-all' option should not work with the '--public-key' option;
8. Should remove the signature successfully.


Additional info:

Comment 1 Michal Fojtik 2017-05-12 10:43:44 UTC
Fixed in https://github.com/openshift/origin/pull/14125

Comment 3 zhou ying 2017-05-31 03:39:15 UTC
Confirmed with the latest OCP 3.6; the issue has been fixed:
openshift v3.6.86
kubernetes v1.6.1+5115d708d7
etcd 3.1.0


oadm verify-image-signature  sha256:1c44eeb0bcebff03b34d43851a651c721e7ae97f8a062aafc5492b1d3bd02571  --remove-all --public-key=/home/pubring.gpg  --token=JplrvKS4dHtsEMCWqKRuSffl3AJ2NmoaR3ARS1OjAJs

Comment 7 errata-xmlrpc 2017-11-28 21:54:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
