Description of problem:
Sign the image using the registry route; when the command 'oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b --expected-identity=docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk' is then used with the registry service, all the signatures' subitems are removed.

Version-Release number of selected component (if applicable):
openshift v3.6.105
kubernetes v1.6.1+5115d708d7
etcd 3.2.0-rc.1

How reproducible:
always

Steps to Reproduce:
1. Log in to OpenShift and create a project;
2. Use the command to sign and push the image to the project:
`skopeo copy --sign-by 215FF0D3C5B13412 --dest-creds zhouy:fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest`
3. Use the command to verify the image:
`oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b --expected-identity=172.30.157.120:5000/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk`
4. Try to sign and push the image again.

Actual results:
3. All the signatures' subitems are removed when the wrong 'expected-identity' is used with the 'oadm verify-image-signature' command:
oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b --expected-identity=172.30.157.120:5000/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --save
error verifying signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b@357bd8ae5b86f0d46ea2bae6cc6a573f for image sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b (verification status will be removed): signature rejected: Signature for identity docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest is not accepted
4. Signing the image fails:
FATA[0025] Error writing signatures: Image "sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b" is invalid: [signatures[0].metadata.name: Required value: name or generateName is required, signatures[0].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[0].type: Required value, signatures[0].content: Required value, signatures[1].metadata.name: Required value: name or generateName is required, signatures[1].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[1].type: Required value, signatures[1].content: Required value, signatures[2].metadata.name: Required value: name or generateName is required, signatures[2].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[2].type: Required value, signatures[2].content: Required value]

Expected results:
3. The signatures' subitems shouldn't be removed.

Additional info:
oc get istag signed:latest -o yaml
apiVersion: v1
generation: 1
image:
  dockerImageLayers:
  ..........
  signatures:
  - content: ""
    metadata:
      creationTimestamp: null
    type: ""
kind: ImageStreamTag
lookupPolicy:
  local: false
metadata:
  creationTimestamp: 2017-06-14T06:03:39Z
  name: signed:latest
  namespace: m9cv8
  resourceVersion: "20706"
  selfLink: /oapi/v1/namespaces/m9cv8/imagestreamtags/signed%3Alatest
  uid: 507f893b-50c5-11e7-af77-fa163e9aa841
tag: null
Moving this to 3.7 where we should get the public urls and I will update the verify code to support it.
The verify-image-signature should now support --public-registry flag that can be used to specify the external registry endpoint.
@Michal Fojtik: We can use the --registry-url flag now, but if we use the wrong 'expected-identity' by mistake, the issue can still be reproduced.
oadm verify-image-signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af --expected-identity='docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/hellot:latest' --public-key='/tmp/pubring.gpg' --registry-url='docker-registry-default.apps.1009-632.qe.rhcloud.com' --token='zBsP6tTU5FyjxCTn7INR6uJCwtCUJr-UG6FHXUgXLfQ' --save
error verifying signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af@e5910c7d3364e7e621c96129a6e2ae10 for image sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af (verification status will be removed): signature rejected: Signature for identity docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/busybox:latest is not accepted
Jan, see if you can get Michal Fojtik to give you some pointers on starting this.
I would like to think the removal of signatures is by design[1]. There is currently an option to prevent the accidental removal by first trying to 'dry-run' the command without the '--save' option. Code will still print all the logs and you can inspect them for unexpected behavior[2], and it shouldn't override any data[3]. @mfojtik what would you say to an 'else' branch when neither '--save' nor '--remove-all' are passed here[3] that would only log the 'img' object? This could help the user understand clearly what will happen when the command is run with '--save'.
[1] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L41-L43
[2] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L213-L218
[3] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L245-L248
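An added example, written here as a simplified Go model and not taken from origin's verify-signature.go, of the two behaviours the description and the comment above describe: a dry run without --save only reports the rejected signatures and leaves them untouched, while --save clears the rejected entries into the empty metadata/type/content shape seen in the istag output, which the validation quoted in step 4 then refuses. The Signature type, ValidateSignatures and Verify are hypothetical simplifications of the real API and command.

```go
package main

import (
	"fmt"
	"strings"
)

// Signature is a hypothetical model with the fields the step-4 error names
// (not origin's API type); Identity is the identity the signature covers.
type Signature struct{ Name, Type, Content, Identity string }

// ValidateSignatures applies the checks quoted in the step-4 error to the
// signatures of image imageName; an empty result means a write would succeed.
func ValidateSignatures(imageName string, sigs []Signature) []string {
	var errs []string
	for i, s := range sigs {
		if s.Name == "" {
			errs = append(errs, fmt.Sprintf("signatures[%d].metadata.name: Required value", i))
		} else if !strings.HasPrefix(s.Name, imageName+"@") {
			errs = append(errs, fmt.Sprintf("signatures[%d].metadata.name: name must be of format <imageName>@<signatureName>", i))
		}
		if s.Type == "" {
			errs = append(errs, fmt.Sprintf("signatures[%d].type: Required value", i))
		}
		if s.Content == "" {
			errs = append(errs, fmt.Sprintf("signatures[%d].content: Required value", i))
		}
	}
	return errs
}

// Verify checks each signature against expectedIdentity and returns the list as
// it would be written plus the log lines: without save nothing changes (the dry
// run the comment above wants logged); with save rejected entries are cleared.
func Verify(sigs []Signature, expectedIdentity string, save bool) ([]Signature, []string) {
	var out []Signature
	var report []string
	for _, s := range sigs { // s is a copy; the caller's slice is never modified
		if s.Identity == expectedIdentity {
			report = append(report, s.Name+": signature verified")
		} else {
			report = append(report, fmt.Sprintf("%s: signature for identity %s is not accepted (verification status will be removed)", s.Name, s.Identity))
			if save {
				s = Signature{} // subitems wiped, as in the istag output above
			}
		}
		out = append(out, s)
	}
	return out, report
}
```

Running ValidateSignatures on the result of a dry run returns no errors, while the result of a --save run against the wrong identity reproduces the name/type/content "Required value" errors from step 4.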
Commit pushed to master at https://github.com/openshift/origin https://github.com/openshift/origin/commit/f5b16cbb2baf60890a7b0918071bfd68a7cf8fc0 Merge pull request #19976 from wozniakjan/bz1461324/verify-signature Bug 1461324 - Log image changes on verify-image-signature without --save
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days