Red Hat Bugzilla – Bug 1471218
Docker cannot discover remote signatures
Last modified: 2017-08-01 20:11:21 EDT
Description of problem: When signature verification is enabled remote signature blobs cannot be found due to a change in the path that was implemented. Version-Release number of selected component (if applicable): docker-1.12.6-32.git88a4867.el7.x86_64 How reproducible: always Steps to Reproduce: 1. edit /etc/sysconfig/docker, adding '--signature-verification=true' 2. systemctl restart docker 3. enable signed-by trust using atomic CLI: $ atomic trust add --sigstore https://access.redhat.com/webassets/docker/content/sigstore --pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com 4. $ docker pull registry.access.redhat.com/rhel7/openscap:latest Actual results: registry.access.redhat.com/rhel7/openscap:latest isn't allowed: A signature was required, but no signature exists Expected results: Image pulled Additional info: Fixed in docker-latest-1.13.1-13.gitb303bf6.el7.x86_64 NOTE: this is due to a change in the signature path schema. Compare signature path from docker log: level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/registry.access.redhat.com/rhel7/openscap@sha256:461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1" ...with docker-latest log: level=debug msg="GET https://access.redhat.com/webassets/docker/content/sigstore/rhel7/openscap@sha256=461e150658a31b9858680c2a5867e91947755103daf2bf6589034cc3b6662a94/signature-1"
Alright, fixed that. All good to go here
The fix works for me /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --selinux-enabled --log-driver=journald --add-registry registry.access.redhat.com /*** highlight here --signature-verification=true *****/ --add-registry registry.access.redhat.com # rpm -q docker atomic docker-1.12.6-48.git0fdc778.el7.x86_64 atomic-1.18.1-3.1.git0705b1b.el7.x86_64 # atomic trust add --sigstore https://access.redhat.com/webassets/docker/content/sigstore --pubkeys /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release registry.access.redhat.com # docker pull registry.access.redhat.com/rhel7/openscap:latest sha256:4a7df5dbc70e41d9a31701bb54a4b8fd063cbd217254c0e3c966f94594af1c31: Pulling from registry.access.redhat.com/rhel7/openscap d55ab3b04d8b: Pull complete b94f985aad49: Pull complete f027279f25ea: Pull complete 299b02042b45: Pull complete Digest: sha256:4a7df5dbc70e41d9a31701bb54a4b8fd063cbd217254c0e3c966f94594af1c31 Status: Downloaded newer image for registry.access.redhat.com/rhel7/openscap:latest
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2344