Bug 1461324 - oadm verify-image-signature will remove all the signatures' subitems when using wrong 'expected-identity' [NEEDINFO]
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Unspecified Unspecified
Priority: low Severity: low
: ---
: 3.7.0
Assigned To: Jan Wozniak
ge liu
Depends On:
Reported: 2017-06-14 04:38 EDT by zhou ying
Modified: 2018-06-29 10:56 EDT (History)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2018-06-29 10:56:28 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
jwozniak: needinfo? (mfojtik)


External Trackers
Tracker ID Priority Status Summary Last Updated
Github https://github.com/openshift/origin/pull/19976 None None None 2018-06-12 09:49 EDT

Description zhou ying 2017-06-14 04:38:29 EDT
Description of problem:
Sign the image using the registry route; when the command 'oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk' is then used with the registry service, it will remove all the signatures' subitems.

Version-Release number of selected component (if applicable):
openshift v3.6.105
kubernetes v1.6.1+5115d708d7
etcd 3.2.0-rc.1

How reproducible:

Steps to Reproduce:
1. Log in to OpenShift and create a project;
2. Use the following command to sign and push the image to the project:
  `skopeo copy  --sign-by 215FF0D3C5B13412  --dest-creds zhouy:fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest`
3. Use the following command to verify the image:
  `oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity= --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk`

4. Try to sign and push the image again.

Actual results:
3. All the signatures' subitems will be removed when a wrong 'expected-identity' is used with the 'oadm verify-image-signature' command:
oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity= --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --save
error verifying signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b@357bd8ae5b86f0d46ea2bae6cc6a573f for image sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b (verification status will be removed): signature rejected: Signature for identity docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest is not accepted

4. Signing the image failed:
FATA[0025] Error writing signatures: Image "sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b" is invalid: [signatures[0].metadata.name: Required value: name or generateName is required, signatures[0].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[0].type: Required value, signatures[0].content: Required value, signatures[1].metadata.name: Required value: name or generateName is required, signatures[1].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[1].type: Required value, signatures[1].content: Required value, signatures[2].metadata.name: Required value: name or generateName is required, signatures[2].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[2].type: Required value, signatures[2].content: Required value]

Expected results:
3. The signatures' subitems shouldn't be removed.

Additional info:
oc get istag signed:latest -o yaml 
apiVersion: v1
generation: 1
  - content: ""
      creationTimestamp: null
    type: ""
kind: ImageStreamTag
  local: false
  creationTimestamp: 2017-06-14T06:03:39Z
  name: signed:latest
  namespace: m9cv8
  resourceVersion: "20706"
  selfLink: /oapi/v1/namespaces/m9cv8/imagestreamtags/signed%3Alatest
  uid: 507f893b-50c5-11e7-af77-fa163e9aa841
tag: null
Comment 2 Michal Fojtik 2017-06-23 10:21:18 EDT
Moving this to 3.7 where we should get the public urls and I will update the verify code to support it.
Comment 3 Michal Fojtik 2017-10-04 04:27:20 EDT
The verify-image-signature should now support --public-registry flag that can be used to specify the external registry endpoint.
Comment 4 zhou ying 2017-10-09 05:13:01 EDT
@Michal Fojtik:
   We can use the --registry-url flag now, but if we use the wrong 'expected-identity' by mistake, we can still reproduce the issue.

oadm verify-image-signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af --expected-identity='docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/hellot:latest' --public-key='/tmp/pubring.gpg' --registry-url='docker-registry-default.apps.1009-632.qe.rhcloud.com'  --token='zBsP6tTU5FyjxCTn7INR6uJCwtCUJr-UG6FHXUgXLfQ' --save
error verifying signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af@e5910c7d3364e7e621c96129a6e2ae10 for image sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af (verification status will be removed): signature rejected: Signature for identity docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/busybox:latest is not accepted
Comment 5 Ben Parees 2018-06-11 11:59:11 EDT
Jan, see if you can get Michal Fojtik to give you some pointers on starting this.
Comment 6 Jan Wozniak 2018-06-12 05:39:03 EDT
I would like to think the removal of signatures is by design[1]. There is currently an option to prevent the accidental removal by first trying to 'dry-run' the command without the '--save' option. The code will still print all the logs and you can inspect them for unexpected behavior[2], and it shouldn't override any data[3].

@mfojtik what would you say to an 'else' branch when neither '--save' nor '--remove-all' are passed here[3] that would only log the 'img' object? This could help the user understand clearly what will happen when the command is run with '--save'.

[1] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L41-L43

[2] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L213-L218

[3] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L245-L248
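The dry-run-versus-save distinction in the comment above, as an added Go illustration that is not the origin project's code: the `Signature`, `Image` and `Change` types, the `Identity`/`Verified` fields, the `PlanVerification`/`ApplyVerification`/`ValidateSignatures` functions, and the digest and identities in `SampleImage` are all constructed for this example. It shows what a wrong expected identity would change, applies that change only when the save flag is set, and never blanks a signature's name, type or content, so the image still passes the validation rules quoted in the report's step 4.

```go
package main

import (
	"fmt"
	"strings"
)

// Signature is a cut-down model of an image signature. Name, Type and
// Content are the subitems the report shows being blanked; Identity and
// Verified are assumptions made for this example.
type Signature struct {
	Name     string // must be "<imageName>@<signatureName>"
	Type     string // e.g. "atomic"
	Content  string // signature blob (constructed here)
	Identity string // docker reference the signature was made for
	Verified bool   // verification status recorded on the image
}

// Image pairs an image name (its digest) with its signatures.
type Image struct {
	Name       string
	Signatures []Signature
}

// Change describes one edit that a --save run would apply.
type Change struct {
	SignatureName string
	Action        string // "keep-verified" or "remove-verification"
	Reason        string
}

// PlanVerification compares each signature's identity with the expected
// identity and returns what would change, without mutating img. This is
// the dry-run view a run without --save can log for inspection.
func PlanVerification(img Image, expectedIdentity string) []Change {
	plan := make([]Change, 0, len(img.Signatures))
	for _, sig := range img.Signatures {
		if sig.Identity == expectedIdentity {
			plan = append(plan, Change{sig.Name, "keep-verified", "identity matches"})
			continue
		}
		plan = append(plan, Change{sig.Name, "remove-verification",
			fmt.Sprintf("signature for identity %s is not accepted", sig.Identity)})
	}
	return plan
}

// ApplyVerification returns a copy of img with the plan applied only when
// save is true. Only the Verified flag is ever touched: name, type and
// content are preserved, which is what the reporter expected.
func ApplyVerification(img Image, expectedIdentity string, save bool) (Image, []Change) {
	plan := PlanVerification(img, expectedIdentity)
	out := Image{Name: img.Name, Signatures: append([]Signature(nil), img.Signatures...)}
	if !save {
		return out, plan // dry run: nothing is written
	}
	for i, c := range plan {
		out.Signatures[i].Verified = c.Action == "keep-verified"
	}
	return out, plan
}

// ValidateSignatures mirrors the API validation errors quoted in the
// report: each signature needs a name of the form <imageName>@<signatureName>,
// a type and non-empty content. Blanking those fields makes the image
// unwritable, which is the failure seen when signing again in step 4.
func ValidateSignatures(img Image) []string {
	var errs []string
	for i, sig := range img.Signatures {
		prefix := fmt.Sprintf("signatures[%d]", i)
		if !strings.HasPrefix(sig.Name, img.Name+"@") || len(sig.Name) == len(img.Name)+1 {
			errs = append(errs, prefix+".metadata.name: name must be of format <imageName>@<signatureName>")
		}
		if sig.Type == "" {
			errs = append(errs, prefix+".type: Required value")
		}
		if sig.Content == "" {
			errs = append(errs, prefix+".content: Required value")
		}
	}
	return errs
}

// SampleImage is a constructed image with one verified signature; the
// digest and identity are placeholders, not values from the report.
func SampleImage() Image {
	return Image{
		Name: "sha256:placeholderdigest",
		Signatures: []Signature{{
			Name:     "sha256:placeholderdigest@sig1",
			Type:     "atomic",
			Content:  "constructed-signature-blob",
			Identity: "registry.example/ns/signed:latest",
			Verified: true,
		}},
	}
}

func main() {
	img := SampleImage()
	wrong := "registry.example/ns/other:latest" // mistyped expected identity
	dry, plan := ApplyVerification(img, wrong, false)
	for _, c := range plan {
		fmt.Printf("%s: %s (%s)\n", c.SignatureName, c.Action, c.Reason)
	}
	fmt.Println("untouched by dry run:", dry.Signatures[0] == img.Signatures[0])
	saved, _ := ApplyVerification(img, wrong, true)
	fmt.Println("validation errors after save:", ValidateSignatures(saved))
}
```

Running the block prints the planned removal for the mistyped identity, confirms the dry run left the signature untouched, and shows an empty validation error list after a save, because only the verification flag changed.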
Comment 7 openshift-github-bot 2018-06-19 20:34:21 EDT
Commit pushed to master at https://github.com/openshift/origin

Merge pull request #19976 from wozniakjan/bz1461324/verify-signature

Bug 1461324 - Log image changes on verify-image-signature without --save
