Bug 1461324 - oadm verify-image-signature will remove all the signatures' subitems when using a wrong 'expected-identity'
Status: NEW
Product: OpenShift Container Platform
Classification: Red Hat
Component: Image Registry
Version: 3.6.0
Hardware / OS: Unspecified / Unspecified
Priority: medium
Severity: medium
Target Release: 3.7.0
Assigned To: Michal Fojtik
QA Contact: ge liu
Reported: 2017-06-14 04:38 EDT by zhou ying
Modified: 2017-06-23 10:21 EDT
Type: Bug
Description zhou ying 2017-06-14 04:38:29 EDT
Description of problem:
Sign the image using the route of the registry; when using the command 'oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk' with the service of the registry, it will remove all the signatures' subitems.

Version-Release number of selected component (if applicable):
openshift v3.6.105
kubernetes v1.6.1+5115d708d7
etcd 3.2.0-rc.1

How reproducible:
always

Steps to Reproduce:
1. Log in to OpenShift and create a project;
2. Use the command to sign and push the image to the project:
  `skopeo copy  --sign-by 215FF0D3C5B13412  --dest-creds zhouy:fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --dest-tls-verify=false docker://docker.io/openshift/origin-pod:latest atomic:docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest`
3. Use the command to verify the image:
  `oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=172.30.157.120:5000/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk`

4. Try to sign and push the image again.

Actual results:
3. All the signatures' subitems are removed when a wrong 'expected-identity' is used with the 'oadm verify-image-signature' command:
oadm verify-image-signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b  --expected-identity=172.30.157.120:5000/m9cv8/signed:latest --public-key=/tmp/pubring.gpg --token=fRUruzrDyl4GnwuYXjoILveCnREmNf3ZcL-dn6_xqEk --save
error verifying signature sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b@357bd8ae5b86f0d46ea2bae6cc6a573f for image sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b (verification status will be removed): signature rejected: Signature for identity docker-registry-default.0613-6kz.qe.rhcloud.com/m9cv8/signed:latest is not accepted

4. Signing the image failed:
FATA[0025] Error writing signatures: Image "sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b" is invalid: [signatures[0].metadata.name: Required value: name or generateName is required, signatures[0].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[0].type: Required value, signatures[0].content: Required value, signatures[1].metadata.name: Required value: name or generateName is required, signatures[1].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[1].type: Required value, signatures[1].content: Required value, signatures[2].metadata.name: Required value: name or generateName is required, signatures[2].metadata.name: Invalid value: "": name must be of format <imageName>@<signatureName>, signatures[2].type: Required value, signatures[2].content: Required value]

Expected results:
3. Shouldn't remove the signatures' subitems.


Additional info:
oc get istag signed:latest -o yaml 
apiVersion: v1
generation: 1
image:
  dockerImageLayers:
..........
  signatures:
  - content: ""
    metadata:
      creationTimestamp: null
    type: ""
kind: ImageStreamTag
lookupPolicy:
  local: false
metadata:
  creationTimestamp: 2017-06-14T06:03:39Z
  name: signed:latest
  namespace: m9cv8
  resourceVersion: "20706"
  selfLink: /oapi/v1/namespaces/m9cv8/imagestreamtags/signed%3Alatest
  uid: 507f893b-50c5-11e7-af77-fa163e9aa841
tag: null
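A pre-flight check for the state described in steps 3 and 4, as an added example and not code from this bug or from OpenShift: it takes the image object in the JSON form that `oc get image <digest> -o json` returns (the same fields as the YAML above, constructed inline here rather than fetched from a cluster), lists the signature entries that the failed `--save` run has emptied, and reports the same validation failures the API server raises in step 4 (name required and of the form `<imageName>@<signatureName>`, type required, content required). The type value `AtomicImageV1`, the placeholder signature bytes and the helper names are assumptions, not values taken from the report.

```python
import base64
import binascii
import re

# Constructed sample data (not copied from the bug): the image digest from the
# report, wrapped in the shape `oc get image <digest> -o json` produces.
IMAGE_NAME = "sha256:f4de5f3e1b5d30140b5710bc7092604fe2565ac07c20229e18dc5121970b575b"


def make_image(signatures):
    return {"kind": "Image", "metadata": {"name": IMAGE_NAME}, "signatures": signatures}


# The state the failing `--save` run leaves behind: entries kept, fields emptied.
# Three entries here to mirror the signatures[0..2] errors from step 4.
STRIPPED_IMAGE = make_image(
    [{"metadata": {"creationTimestamp": None}, "type": "", "content": ""}] * 3
)

# A well-formed entry. Content is base64 in JSON; these bytes are a placeholder
# (assumption), not a real OpenPGP signature, and the type value is assumed.
FAKE_SIG_BYTES = b"\x89\x02placeholder-not-a-real-signature"
HEALTHY_IMAGE = make_image([{
    "metadata": {"name": IMAGE_NAME + "@357bd8ae5b86f0d46ea2bae6cc6a573f"},
    "type": "AtomicImageV1",
    "content": base64.b64encode(FAKE_SIG_BYTES).decode("ascii"),
}])

# <imageName>@<signatureName>: the image name itself never contains '@'.
NAME_RE = re.compile(r"^(?P<image>[^@]+)@(?P<sig>[^@]+)$")


def stripped_entries(image):
    """Indexes of signature entries whose name, type and content are all empty,
    which is exactly what a rejected identity with --save leaves behind."""
    out = []
    for i, sig in enumerate(image.get("signatures") or []):
        name = (sig.get("metadata") or {}).get("name")
        if not name and not sig.get("type") and not sig.get("content"):
            out.append(i)
    return out


def validate_signatures(image):
    """Return the failures the API server would raise for the image's signature
    entries; rules mirrored from the error text in step 4 of the report."""
    image_name = image["metadata"]["name"]
    errors = []
    for i, sig in enumerate(image.get("signatures") or []):
        prefix = f"signatures[{i}]"
        name = (sig.get("metadata") or {}).get("name", "")
        if not name:
            errors.append(f"{prefix}.metadata.name: Required value")
        else:
            m = NAME_RE.match(name)
            if m is None:
                errors.append(f"{prefix}.metadata.name: name must be of format "
                              "<imageName>@<signatureName>")
            elif m.group("image") != image_name:
                errors.append(f"{prefix}.metadata.name: image part "
                              f"{m.group('image')!r} does not match {image_name!r}")
        if not sig.get("type"):
            errors.append(f"{prefix}.type: Required value")
        content = sig.get("content", "")
        if not content:
            errors.append(f"{prefix}.content: Required value")
        else:
            try:
                base64.b64decode(content, validate=True)
            except (binascii.Error, ValueError):
                errors.append(f"{prefix}.content: not valid base64")
    return errors


if __name__ == "__main__":
    for label, image in (("healthy", HEALTHY_IMAGE), ("stripped", STRIPPED_IMAGE)):
        print(f"{label}: emptied entries {stripped_entries(image)}")
        for err in validate_signatures(image):
            print(f"  {err}")
```

Because the report shows that `--save` combined with a rejected identity is what empties the entries, run `oadm verify-image-signature` without `--save` first and only add `--save` once it reports the signature as accepted; the check above is what to run on the image object before attempting the re-sign in step 4, since a non-empty `stripped_entries` result means `skopeo copy --sign-by` will fail with the validation errors shown.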
Comment 2 Michal Fojtik 2017-06-23 10:21:18 EDT
Moving this to 3.7 where we should get the public URLs and I will update the verify code to support it.