Bug 1836442 - CRI-O: Signature verification incorrectly uses mirror’s references
Summary: CRI-O: Signature verification incorrectly uses mirror’s references
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Containers
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.5.0
Assignee: Peter Hunt
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks: 1186913
TreeView+ depends on / blocked
 
Reported: 2020-05-15 21:58 UTC by Miloslav Trmač
Modified: 2023-10-06 20:05 UTC (History)
9 users (show)

Fixed In Version: cri-o-1.18.1-10.dev.rhaos4.5.git179ebfc.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-13 17:39:31 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github cri-o cri-o pull 3797 0 None closed [1.18] bump containers image to 5.4.4 2021-01-13 20:42:30 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:39:51 UTC

Description Miloslav Trmač 2020-05-15 21:58:11 UTC 
This bug was initially created as a copy of Bug #1829061

c/image/docker.newImageSource, when using mirrors, creates an ImageReference with a types.ImageReference pointing at the mirror, with no record of the primary location. This breaks signature verification, which ultimately uses ImageSource.Reference() to decide what to verify the signature against.
Comment 2 Tom Sweeney 2020-05-18 18:31:57 UTC 
Assigning to Lokesh as I think he has everything he needs for packaging purposes.
Comment 9 Peter Hunt 2020-05-22 19:10:51 UTC 
pr for 4.5 attached
Comment 11 Peter Hunt 2020-05-28 21:23:11 UTC 
infra issues have caused CI to not cooperating, causing the merging of this PR to delay. I will address in the next sprint
Comment 16 Peter Hunt 2020-06-16 17:29:23 UTC 
attached PR is merged
Comment 23 errata-xmlrpc 2020-07-13 17:39:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
Note You need to log in before you can comment on or make changes to this bug.