Bug 1471218 - Docker cannot discover remote signatures
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
Version: 7.4
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Frantisek Kluknavsky
atomic-bugs@redhat.com
: Extras
Blocks: 1472974
Reported: 2017-07-14 13:37 EDT by Aaron Weitekamp
Modified: 2017-08-01 20:11 EDT
Fixed In Version: docker-latest-1.13.1-13.gitb303bf6.el7, docker-1.12.6-47.git0fdc778.el7
Clones: 1472974
Last Closed: 2017-08-01 20:11:21 EDT
Type: Bug
Description Aaron Weitekamp 2017-07-14 13:37:31 EDT
Description of problem:
When signature verification is enabled, remote signature blobs cannot be found due to a change in the path that was implemented.

Version-Release number of selected component (if applicable):
docker-1.12.6-32.git88a4867.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. edit /etc/sysconfig/docker, adding '--signature-verification=true'
2. systemctl restart docker
3. enable signed-by trust using atomic CLI:
    $ atomic trust add --sigstore https://access.redhat.com/webassets/docker/content/sigstore --pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com
4. $ docker pull registry.access.redhat.com/rhel7/openscap:latest

Actual results:
registry.access.redhat.com/rhel7/openscap:latest isn't allowed: A signature was required, but no signature exists

Expected results:
Image pulled

Additional info:

Fixed in docker-latest-1.13.1-13.gitb303bf6.el7.x86_64

NOTE: this is due to a change in the signature path schema. Compare the signature path from the docker log:
level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/registry.access.redhat.com/rhel7/openscap@sha256:461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1"

...with the docker-latest log:
level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/rhel7/openscap@sha256=461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1"
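The two log lines differ in exactly two places: the fixed build drops the registry host from the sigstore path and writes the digest as `sha256=<hex>` instead of `sha256:<hex>`. The following Go program is an added example, not code from the bug report or from docker; it rebuilds both URL forms from the reference and digest quoted above (constants constructed from the log lines), and the tag/host parsing rule and function names are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// Sample values constructed from the debug log lines quoted in the bug report.
const (
	sigstoreBase = "https://access.redhat.com/webassets/docker/content/sigstore"
	imageRef     = "registry.access.redhat.com/rhel7/openscap:latest"
	imageDigest  = "sha256:461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94"
)

// stripTag drops a trailing "@digest" or ":tag" from an image reference.
func stripTag(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i] // a ':' after the last '/' starts the tag
	}
	return ref
}

// repositoryPath also drops the registry host: "host/ns/name:tag" -> "ns/name".
func repositoryPath(ref string) string {
	ref = stripTag(ref)
	i := strings.Index(ref, "/") // docker rule: a host contains '.' or ':' or is "localhost"
	if i >= 0 && (ref[:i] == "localhost" || strings.ContainsAny(ref[:i], ".:")) {
		return ref[i+1:]
	}
	return ref
}

// sigstoreURL builds the lookaside URL the fixed daemon requests:
// <base>/<repo path>@<algo>=<hex>/signature-<n>; ':' is not path-safe, hence '='.
func sigstoreURL(base, ref, digest string, n int) string {
	return fmt.Sprintf("%s/%s@%s/signature-%d", base, repositoryPath(ref), strings.Replace(digest, ":", "=", 1), n)
}

// legacySigstoreURL is the path the broken 1.12.6 build requested (host kept, raw digest); it never exists.
func legacySigstoreURL(base, ref, digest string, n int) string {
	return fmt.Sprintf("%s/%s@%s/signature-%d", base, stripTag(ref), digest, n)
}

func main() {
	fmt.Println("fixed: ", sigstoreURL(sigstoreBase, imageRef, imageDigest, 1))
	fmt.Println("broken:", legacySigstoreURL(sigstoreBase, imageRef, imageDigest, 1))
}
```

Running it prints the second log line's URL first and the first log line's URL second, which is why a sigstore populated under the fixed layout answers 404 to the old daemon and the pull fails with "no signature exists".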
Comment 9 Antonio Murdaca 2017-07-18 12:16:56 EDT
Alright, fixed that. All good to go here
Comment 18 Luwen Su 2017-07-22 11:29:29 EDT
The fix works for me

/usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --selinux-enabled --log-driver=journald --add-registry registry.access.redhat.com 

/***
highlight here 
 --signature-verification=true 
*****/ 

--add-registry registry.access.redhat.com


# rpm -q docker atomic
docker-1.12.6-48.git0fdc778.el7.x86_64
atomic-1.18.1-3.1.git0705b1b.el7.x86_64

# atomic trust add --sigstore https://access.redhat.com/webassets/docker/content/sigstore --pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com
# docker pull registry.access.redhat.com/rhel7/openscap:latest
sha256:4a7df5dbc70e41d9a31701bb54a4b8fd063cbd217254c0e3c966f94594af1c31: Pulling from registry.access.redhat.com/rhel7/openscap
d55ab3b04d8b: Pull complete 
b94f985aad49: Pull complete 
f027279f25ea: Pull complete 
299b02042b45: Pull complete 
Digest: sha256:4a7df5dbc70e41d9a31701bb54a4b8fd063cbd217254c0e3c966f94594af1c31
Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest
Comment 20 errata-xmlrpc 2017-08-01 20:11:21 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2344
