Bug 1563645 - Docker Notary signatures verification in OpenShift
Summary: Docker Notary signatures verification in OpenShift
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.6.1
Hardware: All
OS: All
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Vikram Goyal
QA Contact: Vikram Goyal
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-04 11:44 UTC by Andre Costa
Modified: 2018-06-18 04:54 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-18 04:54:35 UTC
Target Upstream Version:

Description Andre Costa 2018-04-04 11:44:17 UTC
Description of problem:
Customer would like to know, from the following questions, what is supported from the OpenShift side and, depending on what is supported, how this can be done, or whether it is possible to update our documentation regarding these issues:

### Transcript from case description ###

I would like to know whether it's possible to use docker/Notary signatures for container images and use OpenShift verification methods to verify such images. If yes, what is the workflow and commands on:
- creating image stream/ISTAG (pointing to external registry)
- verification of such ISTAG signature (and what integrations are perhaps required, e.g. Notary API access)?
- is anything else required for enabling content trust (making sure containers have verified signatures) than defining the Image Signature Policy (ISP)?

We have OpenShift customers that would like to:
a) Use container signing for image trust verification (preferably Notary signatures rather than Atomic signatures)
b) Use external registry such as Artifactory for source image location
c) Have Image Streams within OpenShift to point to the external registry
d) Verify image signatures using OCP features, again with Notary signatures, if possible
  So something like:
- Use the OpenShift Image Signature Policy + the verification command to mark the Image Stream tags as verified (and run with trust).

I’ve written some generic details/questions also here
https://superuser.com/questions/1303434/image-signatures-content-trust-with-notary-openshift

It’s confusing that there are indications such as "Notary integration is not a target for RH", but still docker signature transports are advertised to work.
So I'm looking for information on how feasible it would be to perform the signature verification in OpenShift against Notary signatures, and what the workflow/call sequence would be for that.

Links:
Signature format support (docker exists):
https://docs.openshift.com/container-platform/3.6/security/deployment.html#security-deployment-signature-transports
OCP ISP:
https://github.com/containers/image/blob/master/docs/policy.json.md#a-reasonably-locked-down-system
Image Stream tag verification command:
https://docs.openshift.com/container-platform/3.7/admin_guide/image_signatures.html#verifying-image-signatures-using-openshift-cli
Notary integration not an OCP goal:
https://trello.com/c/CNxOQ5Vs/1358-notary-integration

Document URL: 

Section Number and Name: 

Describe the issue: 

Suggestions for improvement: 

Additional information:

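For reference, this is what the Image Signature Policy linked above (the containers/image policy.json "reasonably locked down" pattern) can actually enforce; it is an added illustration, not configuration from the customer or from the OpenShift docs. The registry hostname, namespace and key path are placeholders.

```json
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker": {
      "artifactory.example.com/prod": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/containers/prod-signer.gpg",
          "signedIdentity": { "type": "matchRepoDigestOrExact" }
        }
      ]
    },
    "docker-daemon": {
      "": [ { "type": "insecureAcceptAnything" } ]
    }
  }
}
```

Everything not explicitly listed is rejected, and the only signature a `signedBy` rule can verify is a GPG-signed (atomic/"simple signing") signature fetched from the signature store configured for that registry in `/etc/containers/registries.d`; there is no rule type that consumes Notary/TUF metadata, which is why a Notary-signed image cannot satisfy this policy.
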
Comment 1 Eric Rich 2018-04-11 11:44:26 UTC
Possible Duplicate: https://bugzilla.redhat.com/show_bug.cgi?id=1282754

Comment 2 Vikram Goyal 2018-06-18 04:54:35 UTC
As per this https://bugzilla.redhat.com/show_bug.cgi?id=1282754#c3, notary is not supported.

I am going to close this bug as WONTFIX.