Bug 1700140 - No verification of image signatures, "insecureAcceptAnything" in policy.json [NEEDINFO]
Summary: No verification of image signatures, "insecureAcceptAnything" in policy.json
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: skopeo
Version: 8.0
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Valentin Rothberg
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On: 1633482
Blocks: 1633455 1726784
Reported: 2019-04-16 00:19 UTC by Jason Shepherd
Modified: 2020-06-04 22:14 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1633482
Environment:
Last Closed: 2020-06-03 20:00:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:
mitr: needinfo?



Description Jason Shepherd 2019-04-16 00:19:54 UTC
+++ This bug was initially created as a clone of Bug #1633482 +++

Description of problem:
The /etc/containers/policy.json file shipped with skopeo-containers does not enable image signature verification. E.g.

$ cat /etc/containers/policy.json 
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports":
        {
            "docker-daemon":
                {
                    "": [{"type":"insecureAcceptAnything"}]
                }
        }
}


Version-Release number of selected component (if applicable):
skopeo-1:0.1.31-1.dev.gitae64ff7.el7.src

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Once all Red Hat shipped images are signed, a per-registry policy could be used to verify Red Hat-only images. E.g.

{
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ]
        }
    }
}


--- Additional comment from Jason Shepherd on 2019-04-16 00:12:43 UTC ---

To be more specific about what is required:

$ cat /etc/containers/policy.json
{
    "default": [
        {
            "type":    "signedBy",
            "keyType": "GPGKeys",
            "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
            "signedIdentity": {"type":"matchExact"}
        }
    ]
}

$ cat /etc/containers/registries.d/redhat.yaml
docker:
    registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore

With this configuration, container images pulled from registry.access.redhat.com will be verified. For images mirrored on registry.redhat.io, Red Hat only started generating valid signatures from April 1st, 2019. Until Red Hat publishes signatures for images distributed on registry.redhat.io prior to April 1st, 2019, signature validation on images pulled from there won't work.

If you expect to only be pulling images distributed after that date, you can modify registries.d/redhat.yaml like so:

$ cat /etc/containers/registries.d/redhat.yaml
docker:
    registry.access.redhat.com:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore
    registry.redhat.io:
        sigstore: https://access.redhat.com/webassets/docker/content/sigstore

Comment 2 Miloslav Trmač 2019-04-16 18:19:51 UTC
As discussed in https://bugzilla.redhat.com/show_bug.cgi?id=1633482#c18, the proposed policy which only ever accepts images signed by Red Hat is not a reasonable default.

Comment 3 Jason Shepherd 2019-05-08 05:20:19 UTC
Updated this KB Article with details of configuring image signature verification on RHEL-8:

https://access.redhat.com/articles/3116561

Comment 12 Jason Shepherd 2019-11-21 00:40:30 UTC
Hi Valentin:

Images uploaded to registry.access.redhat.com were already signed. DELIVERY-6699 added signing for registry.redhat.io as well. You can see an example of what I think the default config should look like here:

https://access.redhat.com/articles/3116561

Maybe it also needs to accept any other registry as unsigned, so you can still pull from quay.io, or any other repo without signatures being enforced.
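As an added illustration of the policies discussed in the description and in comment 12 (this is not code from the bug, from skopeo, or from containers/image), the following Python models how a policy.json is resolved for a given image and lints it for scopes that accept unsigned images. Both policies are constructed for the example, and the scope matching is a simplified version of the rules in containers-policy.json(5): it assumes fully qualified references and ignores docker.io shorthand.

```python
import json
# Constructed, hypothetical policies (not shipped files). SHIPPED mirrors the
# bug report; PROPOSED follows comment 12: reject unknown registries, require
# Red Hat's key for Red Hat registries, leave one named registry unsigned.
SHIPPED = {"default": [{"type": "insecureAcceptAnything"}],
           "transports": {"docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}}}
PROPOSED = json.loads("""{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [{"type": "signedBy", "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
      "registry.redhat.io": [{"type": "signedBy", "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
      "quay.io": [{"type": "insecureAcceptAnything"}]
    },
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}
  }
}""")

def candidate_scopes(ref):
    """Scopes that could match a fully-qualified docker:// reference, most
    specific first: full ref, repository, parent namespaces, registry host."""
    repo = ref.split("@", 1)[0]                  # drop @sha256:... digest
    if ":" in repo.rsplit("/", 1)[-1]:           # drop :tag (not a host port)
        repo = repo.rsplit(":", 1)[0]
    cands = [ref] if ref != repo else []
    parts = repo.split("/")
    for i in range(len(parts), 0, -1):
        cands.append("/".join(parts[:i]))
    return cands

def requirements_for(policy, transport, ref):
    """Requirement list that governs an image: most specific matching scope,
    else the transport's "" entry, else the global default."""
    scopes = policy.get("transports", {}).get(transport, {})
    cands = candidate_scopes(ref) if transport == "docker" else []
    for scope in cands + [""]:
        if scope in scopes:
            return scopes[scope]
    return policy["default"]

def insecure_scopes(policy):
    """Lint: every place the policy accepts unsigned images."""
    def lax(reqs):
        return any(r["type"] == "insecureAcceptAnything" for r in reqs)
    found = ["default"] if lax(policy["default"]) else []
    for transport, scopes in policy.get("transports", {}).items():
        found += [f"{transport}:{s or '<any>'}" for s, reqs in scopes.items() if lax(reqs)]
    return found
```

Running insecure_scopes(SHIPPED) flags the global default, which is the defect this bug reports; on PROPOSED only the deliberately unsigned registry and the docker-daemon transport are flagged.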

Comment 20 Daniel Walsh 2020-06-03 13:47:40 UTC
Shruti is this ready to go?

Comment 22 Tom Sweeney 2020-06-03 20:00:44 UTC
Based on Shruti's comment https://bugzilla.redhat.com/show_bug.cgi?id=1700140#c21 and the fact that both Jira cards assigned to track this problem are closed, I'm closing this BZ.  Please reopen if I misunderstood or there is further work to be done here.

Comment 23 Miloslav Trmač 2020-06-04 22:14:40 UTC
(In reply to Tom Sweeney from comment #22)
> Based on Shruti's comment
> https://bugzilla.redhat.com/show_bug.cgi?id=1700140#c21 and the fact that
> both Jira cards assigned to track this problem are closed, I'm closing this
> BZ.  Please reopen if I misunderstood or there is further work to be done
> here.

This was originally intended to track a change to the default policy.json configuration, but the original #1633482 has since been retargeted to RHEL 8, making it a duplicate of this one, so closing this one is fine.

