Bug 1461324 - oadm verify-image-signature removes all the signatures' subitems when using the wrong 'expected-identity'
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 3.7.0
Assignee: Jan Wozniak
QA Contact: ge liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-06-14 08:38 UTC by zhou ying
Modified: 2023-09-14 03:59 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-29 14:56:28 UTC
Target Upstream Version:
Embargoed:




Links
Github: https://github.com/openshift/origin/pull/19976 (last updated 2020-02-07 20:27:42 UTC)

Description zhou ying 2017-06-14 08:38:29 UTC
Description of problem:
Sign the image using the route of the registry. When the command 'oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk' is then used with the service of the registry, it will remove all the signatures' subitems.

Version-Release number of selected component (if applicable):
openshift v3.6.105
kubernetes v1.6.1+5115d708d7
etcd 3.2.0-rc.1

How reproducible:
always

Steps to Reproduce:
1. Log in to OpenShift and create a project;
2. Use this command to sign the image and push it to the project:
  `skopeo copy  --sign-by 215FF0D3C5B13412  --dest-creds zhouy:fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest`
3. Use this command to verify the image:
  `oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=172.30.157.120:5000/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk`

4. Try to sign and push the image again.

Actual results:
3. All the signatures' subitems are removed when the wrong 'expected-identity' is used with the 'oadm verify-image-signature' command:
oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=172.30.157.120:5000/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --save
error verifying signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b@357bd8ae5b86f0d46ea2bae6cc6a573f for image sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b (verification status will be removed): signature rejected: Signature for identity docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest is not accepted

4. Signing the image fails:
FATA[0025] Error writing signatures: Image "sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b" is invalid: [signatures[0].metadata.name: Required value: name or generateName is required, signatures[0].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[0].type: Required value, signatures[0].content: Required value, signatures[1].metadata.name: Required value: name or generateName is required, signatures[1].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[1].type: Required value, signatures[1].content: Required value, signatures[2].metadata.name: Required value: name or generateName is required, signatures[2].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[2].type: Required value, signatures[2].content: Required value]

Expected results:
3. The signatures' subitems shouldn't be removed.


Additional info:
oc get istag signed:latest -o yaml 
apiVersion: v1
generation: 1
image:
  dockerImageLayers:
..........
  signatures:
  - content: ""
    metadata:
      creationTimestamp: null
    type: ""
kind: ImageStreamTag
lookupPolicy:
  local: false
metadata:
  creationTimestamp: 2017-06-14T06:03:39Z
  name: signed:latest
  namespace: m9cv8
  resourceVersion: "20706"
  selfLink: /oapi/v1/namespaces/m9cv8/imagestreamtags/signed%3Alatest
  uid: 507f893b-50c5-11e7-af77-fa163e9aa841
tag: null

Comment 2 Michal Fojtik 2017-06-23 14:21:18 UTC
Moving this to 3.7 where we should get the public urls and I will update the verify code to support it.

Comment 3 Michal Fojtik 2017-10-04 08:27:20 UTC
The verify-image-signature command should now support the --public-registry flag, which can be used to specify the external registry endpoint.

Comment 4 zhou ying 2017-10-09 09:13:01 UTC
@Michal Fojtik:
   We can use the --registry-url flag now, but if we use the wrong 'expected-identity' by mistake, the issue can still be reproduced.

oadm verify-image-signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af --expected-identity='docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/hellot:latest' --public-key='/tmp/pubring.gpg' --registry-url='docker-registry-default.apps.1009-632.qe.rhcloud.com'  --token='zBsP6tTU5FyjxCTn7INR6uJCwtCUJr-UG6FHXUgXLfQ' --save
error verifying signature sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af@e5910c7d3364e7e621c96129a6e2ae10 for image sha256:030fcb92e1487b18c974784dcc110a93147c9fc402188370fbfd17efabffc6af (verification status will be removed): signature rejected: Signature for identity docker-registry-default.apps.1009-632.qe.rhcloud.com/zhouy/busybox:latest is not accepted

Comment 5 Ben Parees 2018-06-11 15:59:11 UTC
Jan, see if you can get Michal Fojtik to give you some pointers on starting this.

Comment 6 Jan Wozniak 2018-06-12 09:39:03 UTC
I would like to think the removal of signatures is by design[1]. There is currently an option to prevent accidental removal by first 'dry-running' the command without the '--save' option. The code will still print all the logs, you can inspect them for unexpected behavior[2], and it shouldn't override any data[3].

@mfojtik what would you say to an 'else' branch when neither '--save' nor '--remove-all' are passed here[3] that would only log the 'img' object? This could help the user understand clearly what will happen when the command is run with '--save'.



[1] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L41-L43

[2] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L213-L218

[3] https://github.com/openshift/origin/blob/5e0bfba0f09666c414d952d084a709f021c90c23/pkg/oc/admin/image/verify-signature.go#L245-L248
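The flow Comment 6 describes (verify each signature against the expected identity, log the outcome, and only write the changed image back when '--save' is given) can be sketched as a small model. The following Go program is an added example for this page; it is not code from openshift/origin. The Signature, Image and Options types and the verifyImage function are this example's own assumptions, the flag semantics are simplified (Save persists, RemoveAll clears every status, neither flag means nothing is written), the sample image and digest are constructed placeholders, and the identity check replaces real GPG verification with a string comparison. The point it demonstrates is the one the report and Comment 6 turn on: a rejected signature loses only its verification status, the required name and content fields survive, and without Save the caller gets the unchanged image back together with a log of what would have happened.

```go
package main

import (
	"fmt"
	"strings"
)

// Signature is a simplified stand-in for one entry of an image's signature
// list. It is this example's own type, not the OpenShift API object.
type Signature struct {
	Name     string // required: "<imageName>@<signatureName>"
	Content  string // required: the opaque signature blob (constructed below)
	Identity string // the docker reference the signature was created for
	Verified bool   // the verification status the command may remove
}

// Image is a simplified image object carrying its signatures.
type Image struct {
	Name       string
	Signatures []Signature
}

// Options stands for the flags discussed in the bug. Their semantics here are
// the example's assumption: Save persists changes, RemoveAll clears every
// verification status, and without Save nothing is written.
type Options struct {
	ExpectedIdentity string
	Save             bool
	RemoveAll        bool
}

// verifyImage compares each signature's identity with the expected one and
// returns the image that would be written together with a log. The input is
// never mutated: without Save the caller gets the original back, so the log
// can be inspected before anything is removed (the dry run of Comment 6).
func verifyImage(img Image, opts Options) (Image, []string) {
	var log []string
	updated := Image{Name: img.Name, Signatures: make([]Signature, len(img.Signatures))}
	copy(updated.Signatures, img.Signatures)

	for i := range updated.Signatures {
		sig := &updated.Signatures[i]
		switch {
		case opts.RemoveAll:
			sig.Verified = false
			log = append(log, fmt.Sprintf("removing verification status of %s", sig.Name))
		case sig.Identity != opts.ExpectedIdentity:
			// Only the status is dropped; Name and Content are left untouched so the
			// object still validates if it is written back.
			sig.Verified = false
			log = append(log, fmt.Sprintf(
				"error verifying signature %s for image %s (verification status will be removed): "+
					"signature rejected: Signature for identity %s is not accepted",
				sig.Name, img.Name, sig.Identity))
		default:
			sig.Verified = true
			log = append(log, fmt.Sprintf("signature %s accepted for identity %s", sig.Name, sig.Identity))
		}
	}

	if !opts.Save {
		log = append(log, "dry run (no --save): nothing written; the image would become:")
		log = append(log, describe(updated)...)
		return img, log
	}
	return updated, log
}

// describe renders the signature list one line per entry for the log.
func describe(img Image) []string {
	out := make([]string, 0, len(img.Signatures))
	for _, s := range img.Signatures {
		out = append(out, fmt.Sprintf("  %s identity=%s verified=%t", s.Name, s.Identity, s.Verified))
	}
	return out
}

// sampleImage builds a constructed, previously verified image whose two
// signatures were made for the registry's external route. All values are
// placeholders, not data from a real cluster.
func sampleImage() Image {
	const digest = "sha256:0000000000000000000000000000000000000000000000000000000000000000"
	route := "registry.example.test/proj/app:latest"
	return Image{
		Name: digest,
		Signatures: []Signature{
			{Name: digest + "@sig1", Content: "<blob1>", Identity: route, Verified: true},
			{Name: digest + "@sig2", Content: "<blob2>", Identity: route, Verified: true},
		},
	}
}

func main() {
	// Verifying against the service address instead of the route (the mistake in
	// the report) without --save only logs what would be removed.
	_, log := verifyImage(sampleImage(), Options{ExpectedIdentity: "172.30.0.1:5000/proj/app:latest"})
	fmt.Println(strings.Join(log, "\n"))
}
```

Running it prints the two "signature rejected" lines followed by the dry-run dump, while the returned image still carries both verified signatures; only a second call with Save set produces an image whose statuses are cleared, and even then each entry keeps its name and content.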

Comment 7 openshift-github-bot 2018-06-20 00:34:21 UTC
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/f5b16cbb2baf60890a7b0918071bfd68a7cf8fc0
Merge pull request #19976 from wozniakjan/bz1461324/verify-signature

Bug 1461324 - Log image changes on verify-image-signature without --save

Comment 8 Red Hat Bugzilla 2023-09-14 03:59:07 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

