Bug 1707078 - Image signature only has one docker registry reference, would like the ability to have two hostnames sign them.
Summary: Image signature only has one docker registry reference, would like the abilit...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: skopeo
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: urgent
Target Milestone: rc
Target Release: 8.4
Assignee: Jindrich Novy
QA Contact: Yuhui Jiang
URL:
Whiteboard:
Depends On:
Blocks: 1186913 1726784 1823899
Reported: 2019-05-06 18:10 UTC by Rose Colombo
Modified: 2021-05-18 15:32 UTC (History)
CC: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:32:02 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Rose Colombo 2019-05-06 18:10:18 UTC
Description of problem:
Image signature only has one docker registry reference, but two references are needed.

Since docker is being phased out in favor of podman, perhaps this should be cloned to podman and closed under docker?

Version-Release number of selected component (if applicable):
docker 1.13.1-96

How reproducible:
100%

Steps to Reproduce:
# gpg --gen-key
# gpg --armor --export --output sample.gpg sample
# docker pull busybox
# docker tag <busybox_image_id> <registry-route>/sample/busy:latest
# atomic sign <registry-route>/sample/busy:latest --sign-by sample
# docker push <registry_route>/sample/busy:latest

Verifying image signature:
# oc adm verify-image-signature sha256:fce9305a943acdc5539ea217c7fc6fa176af8fcc5efe16c5db82972326ddc7b6 --expected-identity <registry_route>/sample/busy:latest --public-key /etc/pki/containers/sample.gpg

The image signature verification is only working with the registry route, not with the registry service hostname or the registry service IP,
and I am not able to deploy the application because the image stream points to the registry service hostname.


~~~
# cat /etc/sysconfig/atomic-openshift-master-api 
CONFIG_FILE=/etc/origin/master/master-config.yaml
OPENSHIFT_DEFAULT_REGISTRY=docker-registry.default.svc:5000
~~~

If I am building an image outside the OCP cluster, signing it with the route and pushing it to the registry, then in this scenario I am not able to deploy the application.



Actual results:
 Failed to pull image "docker-registry.default.svc:5000/<project-name>/<image-name>@sha256:73ff953fe0b4f6e57cd2c525efc5746bb3d5185cf4de0899acdea218790a8711": rpc error: code = Unknown desc = docker-registry.default.svc:5000/<project-name>/<image-name>@sha256:73ff953fe0b4f6e57cd2c525efc5746bb3d5185cf4de0899acdea218790a8711 isn't allowed: Signature for identity docker-registry-default.example.com/<project-name>/<image-name>:1.0.0-SNAPSHOT.98 is not accepted


Expected results:
The ability to sign with two registry hostnames

Additional info:
How can 2 references be used? 
  https://github.com/containers/image/blob/master/docs/atomic-signature-embedded-json.json#L41
  https://github.com/containers/image/blob/master/docs/containers-signature.5.md#criticalidentitydocker-reference

How does our registry do this for registry.access.redhat.com and registry.redhat.io?

Comment 3 Rose Colombo 2019-05-09 16:49:37 UTC
Is there a preferred method to do this? My customer would like an example to follow.

Comment 4 Daniel Walsh 2019-05-10 22:44:14 UTC
Podman now supports signing.

Comment 5 Miloslav Trmač 2019-05-11 02:46:59 UTC
The primary answer is that you can create two or more signatures for a single image, for example
> skopeo copy --sign-by <key> docker://<original-image-source> docker://<name1>
> skopeo copy --sign-by <key> docker://<name1> docker://<name2>
> skopeo copy --sign-by <key> docker://<name1> docker://<name3>
> …
(where the <name1/2/3…> references may point to the same physical registry.)

I’m afraid right now there is a known problem in OpenShift, (oc adm verify-image-signature) won’t verify one of the signatures when there is another one with an unrecognized identity (part of bug#1705984 ); that problem should not prevent nodes from enforcing policy.json correctly.


Another option is to configure policy.json on all nodes to expect one of the names when accessing images designated by the other names; see exactReference / exactRepository in https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md . That’s likely to be rather cumbersome right now.
(Note that (oc adm verify-image-signature) does not use policy.json, though.)


To an extent, though, I’d like to push against the idea that it’s a good practice to reference the registry by many different host names, especially the IP address.  It’s reasonable to have an internal and external host name for the same service, but the IP address suggestion baffles me (although I don’t know _that much_ about OpenShift internals); you wouldn’t expect contacting www.google.com via the IP address of one of the servers directly as https://<ip> to work…  Simplifying the set of used names might well be a part of the solution.

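The following is an added worked example, not code from the bug report or from containers/image or skopeo. It models why the pull in the description fails and why both remedies from comment 5 work: each simple-signing ("atomic container signature") payload carries exactly one `critical.identity.docker-reference`, so a second hostname needs either a second signature (the `skopeo copy --sign-by` chain above) or a policy.json `signedIdentity` rule that tells the node to expect the other name. The identity-matching rules (`matchRepoDigestOrExact`, `matchRepository`, `matchExact`, `exactReference`, `exactRepository`) are reimplemented here in plain Python from the containers-policy.json(5) semantics; the payloads, the `proj/app` repository name and the policy.json entry are constructed for the example, the manifest digest and the two registry hostnames are the ones from the report, and the GPG layer that normally wraps the payload is left out.

```python
from __future__ import annotations
import json
from typing import Optional

MANIFEST_DIGEST = "sha256:73ff953fe0b4f6e57cd2c525efc5746bb3d5185cf4de0899acdea218790a8711"
EXTERNAL = "docker-registry-default.example.com/proj/app:1.0.0-SNAPSHOT.98"   # route (external name)
INTERNAL = "docker-registry.default.svc:5000/proj/app:1.0.0-SNAPSHOT.98"      # service hostname
PULLED = "docker-registry.default.svc:5000/proj/app@" + MANIFEST_DIGEST      # what the node asks for


def make_payload(reference: str, digest: str = MANIFEST_DIGEST) -> str:
    """Constructed simple-signing payload (the JSON that skopeo/atomic wrap in a GPG
    signature). The schema has room for exactly one docker-reference per signature."""
    return json.dumps({
        "critical": {
            "type": "atomic container signature",
            "image": {"docker-manifest-digest": digest},
            "identity": {"docker-reference": reference},
        },
        "optional": {"creator": "example"},
    })


def split_reference(ref: str) -> tuple[str, Optional[str], Optional[str]]:
    """Split 'host[:port]/path[:tag][@digest]' into (repository, tag, digest).
    Assumes a path component is present, so a ':' after the last '/' is a tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last = ref.rsplit("/", 1)[-1]
    if ":" in last:
        tag = last.rsplit(":", 1)[1]
        ref = ref[: -len(tag) - 1]
    return ref, tag, digest


def identity_matches(signed_ref: str, image_ref: str, rule: dict) -> bool:
    """Apply one policy.json signedIdentity rule to the identity inside a signature."""
    kind = rule.get("type", "matchRepoDigestOrExact")
    s_repo, _, _ = split_reference(signed_ref)
    i_repo, _, i_digest = split_reference(image_ref)
    if kind == "matchExact":
        return signed_ref == image_ref
    if kind == "matchRepoDigestOrExact":          # the default rule
        if i_digest is not None:                   # image pulled by digest: same repository suffices
            return s_repo == i_repo
        return signed_ref == image_ref             # image pulled by tag: whole reference must match
    if kind == "matchRepository":
        return s_repo == i_repo
    if kind == "exactReference":                   # expect a fixed reference regardless of image name
        return signed_ref == rule["dockerReference"]
    if kind == "exactRepository":                  # expect a fixed repository regardless of image name
        return s_repo == rule["dockerRepository"]
    raise ValueError(f"unknown signedIdentity type {kind!r}")


def verify(image_ref: str, manifest_digest: str, payloads: list[str], rule: dict) -> list[str]:
    """Return the signed identities that satisfy `rule` for `image_ref`.
    An empty list is the 'Signature for identity ... is not accepted' case."""
    accepted = []
    for payload in payloads:
        crit = json.loads(payload)["critical"]
        if crit["type"] != "atomic container signature":
            continue
        if crit["image"]["docker-manifest-digest"] != manifest_digest:
            continue                               # signature covers different image content
        ident = crit["identity"]["docker-reference"]
        if identity_matches(ident, image_ref, rule):
            accepted.append(ident)
    return accepted


# Constructed policy.json entry for the second remedy: when nodes pull from the
# service hostname, accept signatures made for the external route's repository.
POLICY_JSON = {
    "default": [{"type": "reject"}],
    "transports": {"docker": {
        "docker-registry.default.svc:5000/proj/app": [{
            "type": "signedBy", "keyType": "GPGKeys",
            "keyPath": "/etc/pki/containers/sample.gpg",
            "signedIdentity": {"type": "exactRepository",
                               "dockerRepository": "docker-registry-default.example.com/proj/app"},
        }],
    }},
}


def scenario() -> dict[str, list[str]]:
    """The four cases: the reported failure, a second signature, a policy remap, a digest mismatch."""
    default = {"type": "matchRepoDigestOrExact"}
    remap = POLICY_JSON["transports"]["docker"]["docker-registry.default.svc:5000/proj/app"][0]["signedIdentity"]
    one_sig = [make_payload(EXTERNAL)]
    two_sigs = one_sig + [make_payload(INTERNAL)]
    stale = [make_payload(EXTERNAL, "sha256:" + "0" * 64)]
    return {
        "external-sig, default policy": verify(PULLED, MANIFEST_DIGEST, one_sig, default),
        "two sigs, default policy": verify(PULLED, MANIFEST_DIGEST, two_sigs, default),
        "external-sig, exactRepository": verify(PULLED, MANIFEST_DIGEST, one_sig, remap),
        "external-sig, wrong digest": verify(PULLED, MANIFEST_DIGEST, stale, remap),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'ACCEPTED ' + ', '.join(accepted) if accepted else 'REJECTED'}")
```

The first case reproduces the error in the description: the node pulls by digest from the service hostname, the only signature names the route, and the default rule compares repositories, so nothing matches. Adding a second signature whose identity is the service hostname (the `skopeo copy` chain) makes the default rule pass; alternatively an `exactRepository` rule scoped to the internal name accepts the route-signed image without re-signing, at the cost of one policy entry per repository on every node, which is the "cumbersome" part. The digest check at the end is the part that keeps either remedy from turning into a bypass: a signature for a different manifest is ignored even when its identity would match.
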
Comment 11 Daniel Walsh 2020-06-03 13:52:01 UTC
Switched this to RHEL8.3 release or later.  Miloslav asked a question that has not been answered?

Comment 13 Tom Sweeney 2020-06-08 20:04:22 UTC
Assigning to Miloslav as he's been leading the discussions and is all in on c/image.

Comment 15 Daniel Walsh 2021-01-28 11:59:07 UTC
Miloslav can we get an update on this bugzilla?

Comment 24 errata-xmlrpc 2021-05-18 15:32:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1796

