Bug 1890671 - [SA] verify-image-signature using service account does not work
Summary: [SA] verify-image-signature using service account does not work
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oc
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.7.0
Assignee: Maciej Szulik
QA Contact: Wenjing Zheng
Depends On:
Blocks: 1906796
TreeView+ depends on / blocked
Reported: 2020-10-22 17:01 UTC by Fatima
Modified: 2021-02-24 15:28 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Wrong user name used when verifying image signatures. Consequence: Image signature verification is not possible. Fix: User proper user name when verifying image signatures. Result: Image signature verification is working as expected.
Clone Of:
: 1906796 (view as bug list)
Last Closed: 2021-02-24 15:27:41 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift oc pull 637 0 None closed Bug 1890671: use proper username for image verification 2021-02-11 15:28:40 UTC
Red Hat Knowledge Base (Solution) 5507301 0 None None None 2020-10-22 17:02:21 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:28:13 UTC

Description Fatima 2020-10-22 17:01:02 UTC
Description of problem:

verify-image-signature using service account does not work. The SA is given cluster admin permissions  same as a normal user, but the user is able to verify the signed image but with the SA it shows authentication required.

Version-Release number of selected component (if applicable):

OCP v3.11.286 

How reproducible:


Steps to Reproduce:

Will add as a private comment as it contains sensitive data.

Actual results:
SA fails to verify the image with auth required error.

Expected results:
images should be verified by the SA.

Comment 2 Standa Laznicka 2020-10-23 07:43:31 UTC
You're not logged into the registry.

Comment 4 Standa Laznicka 2020-10-27 09:06:28 UTC
I did not notice the case. Moving to `oc`, not sure if `image registry` might be a better component.

Comment 5 Maciej Szulik 2020-10-27 09:30:03 UTC
Has the customer tried invoking oc registry login before verifying signature. This command ensures that the user is logging in into the registry and should be invoked before other registry related operations.

Comment 14 Maciej Szulik 2020-12-04 16:26:46 UTC
PR in the queue.

Comment 19 Wenjing Zheng 2020-12-29 09:17:22 UTC
Cannot reproduce the unauthorized error with below version:
$ oc version
Client Version: 4.7.0-0.nightly-2020-12-21-131655
Server Version: 4.7.0-0.nightly-2020-12-21-131655
Kubernetes Version: v1.20.0+87544c5

Comment 20 Fatima 2021-02-15 13:22:32 UTC
Dear team, 

Any updates on the bug?


Comment 21 Maciej Szulik 2021-02-15 13:38:33 UTC
(In reply to Fatima from comment #20)
> Dear team, 
> Any updates on the bug?
> Thanks.

This particular fix will be part of 4.7 release. For backports I'd suggest looking at 
dependent bugzillas:
4.6 - https://bugzilla.redhat.com/show_bug.cgi?id=1906796

Comment 23 errata-xmlrpc 2021-02-24 15:27:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.