Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1748812

Summary: verify signatures creates invalid value
Product: OpenShift Container Platform
Reporter: Ben Parees <bparees>
Component: ImageStreams
Assignee: Oleg Bulatov <obulatov>
Status: CLOSED WONTFIX
QA Contact: XiuJuan Wang <xiuwang>
Severity: medium
Priority: unspecified
Version: 3.11.0
CC: adam.kaplan, aos-bugs, jokerman, jshepherd, obulatov, pamoedom, pweil, wzheng
Target Milestone: ---
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-04-15 21:54:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 1705984

Description Ben Parees 2019-09-04 08:42:07 UTC
Breaking out part of https://bugzilla.redhat.com/show_bug.cgi?id=1705984

Thanks, this confirms my suspicion: https://github.com/openshift/origin/blob/882ed02142fbf7ba16da9f8efeb31dab8cfa8889/pkg/oc/cli/admin/verifyimagesignature/verify-signature.go#L217 is, when trying to "remove the verification status", creating an invalid value. That's a real bug, and it probably prevents using --save in most of the many-different-signatures setups. (I don't see that this can explain why signatures are not imported at all.)

Specifically comment https://bugzilla.redhat.com/show_bug.cgi?id=1705984#c24 and https://bugzilla.redhat.com/show_bug.cgi?id=1705984#c26

Comment 1 Ben Parees 2019-09-04 08:43:24 UTC
Targeting 4.2, but it should be discussed with jshepherd as to whether it needs to be backported to 4.1 and 3.11.

Comment 2 Jason Shepherd 2019-09-05 06:15:15 UTC
Thanks Ben,

This issue needs to be backported to 4.1 and 3.11. We're requesting this so that registry double signing (which causes this issue) can be completed:

   https://projects.engineering.redhat.com/browse/DELIVERY-6699

Note that when trying to import signatures in OCP 4.x additional steps are required to configure the controller manager:

   https://bugzilla.redhat.com/show_bug.cgi?id=1722568#c10

As noted by the original reporter, Pedro, we should be able to run the 'oc adm verify-image-signature' command multiple times and have previous image signatures preserved, so that we could verify all the signatures on an image which is signed multiple times.

   https://bugzilla.redhat.com/show_bug.cgi?id=1705984#c63

Comment 6 Oleg Bulatov 2020-04-15 21:54:47 UTC
Our existing tool verify-image-signature is supposed to set the "Valid" boolean flag on image objects. It wasn't a good idea:

  * A signature may expire or be revoked, but the existing API doesn't take this into account and images will stay "Valid". That may be misleading.
  * Mirroring policy affects how the signature should be verified and this policy may change over time, but verify-image-signature doesn't know about it.
  * Policies (registries.conf) exist on cluster nodes and they are not available to verify-image-signature, which is supposed to be run on a client machine.
  * verify-image-signature expects a provided expected-identity that customers tend to misunderstand. The verifier should work with imagestreams, not images, to know the real image references. So signatures are supposed to be linked to imagestreams, not image objects.

Overall, on the image API side signatures are fairly broken; they work well on the container runtime side.

As Red Hat, together with other companies, is working on the next-generation signatures (Notary v2), they are our main focus; for existing signatures only vulnerabilities will be fixed on the image API side.

To avoid regressions after upgrades from 3.x to 4.x, we won't fix it in 3.x.
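The first three bullets of comment 6 argue that a trust verdict written once onto the image object (the cached "Valid" flag) goes stale as soon as a key expires, is revoked, or the mirror policy changes. The Go program below is an added illustration of that failure mode; it is not code from OpenShift, from verify-image-signature, or from any commenter. The `Signature` and `Policy` types, the key ID `KEY-A`, the `registry.example.com` / `mirror.example.com` names and the simplified mirror mapping are all constructed stand-ins for the real ImageSignature API, registries.conf and policy.json.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Signature is a constructed stand-in for a stored image signature record; it is
// not the OpenShift ImageSignature API type. Valid models the cached verdict that
// a --save style tool writes once and never revisits.
type Signature struct {
	KeyID    string // fingerprint of the signing key
	Identity string // image reference the signer put into the signature
	Valid    bool   // cached verdict written at --save time
}

// Policy is an assumed, simplified node-side trust policy standing in for what
// registries.conf and policy.json provide on a real node: key expiry, a revocation
// set, and mirror prefixes mapped back to the canonical signed identity.
type Policy struct {
	KeyExpiry map[string]time.Time // keyID -> not valid after this instant
	Revoked   map[string]bool      // keyID -> revoked
	Mirrors   map[string]string    // mirror prefix -> canonical prefix
}

// expectedIdentity rewrites a pull spec fetched from a mirror into the identity the
// signature must carry. This is the "mirroring policy" step the client-side tool
// does not see: without it a good signature over the canonical name is rejected on
// mirrored pulls, or the wrong name is accepted.
func expectedIdentity(p Policy, pullSpec string) string {
	for mirror, canonical := range p.Mirrors {
		if strings.HasPrefix(pullSpec, mirror+"/") {
			return canonical + strings.TrimPrefix(pullSpec, mirror)
		}
	}
	return pullSpec
}

// Verify decides trust at use time from the current policy and clock, which is
// exactly what a cached boolean on the image object cannot do.
func Verify(sig Signature, p Policy, pullSpec string, now time.Time) error {
	if p.Revoked[sig.KeyID] {
		return fmt.Errorf("key %s is revoked", sig.KeyID)
	}
	exp, ok := p.KeyExpiry[sig.KeyID]
	if !ok {
		return fmt.Errorf("key %s is not in the trust policy", sig.KeyID)
	}
	if now.After(exp) {
		return fmt.Errorf("key %s expired at %s", sig.KeyID, exp.UTC().Format(time.RFC3339))
	}
	if want := expectedIdentity(p, pullSpec); sig.Identity != want {
		return fmt.Errorf("signature identity %q does not match expected %q", sig.Identity, want)
	}
	return nil
}

// StaleFlag reports whether the cached Valid flag disagrees with a live
// verification: the misleading state comment 6 describes.
func StaleFlag(sig Signature, p Policy, pullSpec string, now time.Time) bool {
	return sig.Valid && Verify(sig, p, pullSpec, now) != nil
}

// SamplePolicy and SampleSignature are constructed inputs for the demo.
func SamplePolicy(now time.Time) Policy {
	return Policy{
		KeyExpiry: map[string]time.Time{"KEY-A": now.Add(24 * time.Hour)},
		Revoked:   map[string]bool{},
		Mirrors:   map[string]string{"mirror.example.com": "registry.example.com"},
	}
}

func SampleSignature() Signature {
	return Signature{KeyID: "KEY-A", Identity: "registry.example.com/ns/app:1.0"}
}

func main() {
	now := time.Date(2020, 4, 15, 0, 0, 0, 0, time.UTC)
	p := SamplePolicy(now)
	sig := SampleSignature()
	pull := "mirror.example.com/ns/app:1.0" // pulled through the mirror

	// Day 0: verification passes, and a --save style tool would write Valid=true.
	if err := Verify(sig, p, pull, now); err == nil {
		sig.Valid = true
	}
	fmt.Println("day 0 cached Valid:", sig.Valid)

	// Later the key is revoked; the cached flag still says true.
	p.Revoked["KEY-A"] = true
	later := now.Add(time.Hour)
	fmt.Println("after revocation, live verify:", Verify(sig, p, pull, later))
	fmt.Println("cached flag stale:", StaleFlag(sig, p, pull, later))

	// Same story once the key has expired.
	p.Revoked["KEY-A"] = false
	fmt.Println("after expiry, live verify:", Verify(sig, p, pull, now.Add(48*time.Hour)))
}
```

The design point is that `Verify` takes the policy and the clock as inputs on every call, so revocation, expiry and a changed mirror mapping are honoured at pull time, while `StaleFlag` shows how quickly the one-shot boolean diverges from that answer.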