This repository has been archived by the owner on Jan 15, 2025. It is now read-only.

test that we support image signatures #163

Closed
cgwalters opened this issue Nov 18, 2021 · 3 comments · Fixed by #500
Comments

@cgwalters
Member

xref containers/skopeo#1482

We should validate that we're doing image signatures via the proxy correctly.

@cgwalters
Member Author

In this issue, the great thing about the new ostree-native-container flow is that if you have a setup to sign container images, that exact same setup can be used to sign OS updates.

See https://docs.podman.io/en/latest/markdown/podman-image-sign.1.html and https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/managing_containers/signing_container_images for some old-style GPG signatures. As of recently the containers/image stack gained support for "cosign", see containers/skopeo#1701

@RishabhSaini
Collaborator

RishabhSaini commented Jul 12, 2023

To test the recent changes for policy verification:

  1. Modify /etc/containers/policy.json to limit pulling only signed (sigstore/gpg) images from the remote-registry
  2. Sign an existing fcos image and push to the remote-registry
  3. Try doing an rpm-ostree rebase ${signed-image}
  4. Ensure it fails for a wrong key and passes for the right one

Since we do not currently sign fcos or any ostree-based-images, we need to have signed images available.

Initially it was thought this can be done locally by doing skopeo copy docker://quay.io/fedora/fedora-coreos:testing-devel oci:/var/lib/containers/signed-local-registry/sigstore/test.oci --sign-by-sigstore-private-key fcos.key.
But this fails unfortunately, since how sigstore signs images is by pushing the artifacts generated to the remote-registry. Hence, signing a local oci or dir does not work. It instead gives the following error: Cannot determine canonical Docker reference for destination oci:/var/lib/containers/signed-local-registry/sigstore/test.oci.

Instead we need to be able to push this to some ephemeral testing Docker image registry. The perfect candidate was ttl.sh as mentioned in sigstore documentation, but unfortunately the fcos image exceeds the maximum image size limit there. Is there any other registry we could push to and verify instead?

@cgwalters
Member Author

So CI on this repository mainly uses GHA, for which there is https://docs.github.com/en/actions/using-containerized-services/about-service-containers

But that's just sugar for running a container...we can run any registry (quay.io, docker/distribution or whatever) inside a GHA job right?
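The four-step test from the comment above (restrict policy.json, sign and push, rebase, check that the wrong key fails and the right key passes), carried out against a throwaway docker/distribution registry as suggested in the reply. This is an added example, not code from the project or from either commenter; the registry address, the "fcos-test" repository name, the key and passphrase file names, and starting the registry with podman are assumptions.

```shell
#!/bin/sh
# Added example, not code from the ostree-rs-ext or rpm-ostree projects. The
# registry address, "fcos-test" repository and key/passphrase file names are
# assumptions; the skopeo flags and policy.json/registries.d keys are real.
set -eu
REG="localhost:5000"    # assumed to be marked insecure=true in registries.conf
REPO="$REG/fcos-test"
SRC="docker://quay.io/fedora/fedora-coreos:testing-devel"
# Step 1: a policy.json that rejects every image except sigstore-signed ones
# from repository $1, verified with the public key at $2. Compare the usual
# weak default, {"default": [{"type": "insecureAcceptAnything"}]}.
policy_json() {
  cat <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$1": [ { "type": "sigstoreSigned", "keyPath": "$2" } ]
    }
  }
}
EOF
}
# registries.d entry so containers/image looks for sigstore signatures stored
# as OCI attachments next to the image in registry $1.
registries_d_yaml() {
  printf 'docker:\n  %s:\n    use-sigstore-attachments: true\n' "$1"
}
run_signing_test() {
  podman run -d --rm -p 5000:5000 --name sigtest docker.io/library/registry:2
  registries_d_yaml "$REG" > /etc/containers/registries.d/sigtest.yaml
  skopeo generate-sigstore-key --output-prefix right --passphrase-file pass.txt
  skopeo generate-sigstore-key --output-prefix wrong --passphrase-file pass.txt
  # Step 2: sign with the "right" key while pushing to the local registry.
  skopeo copy --dest-tls-verify=false --sign-by-sigstore-private-key right.private \
    --sign-passphrase-file pass.txt "$SRC" "docker://$REPO:testing-devel"
  # Step 4: a policy trusting only the wrong key must reject the image...
  policy_json "$REPO" "$PWD/wrong.pub" > wrong-policy.json
  if skopeo --policy wrong-policy.json copy --src-tls-verify=false \
       "docker://$REPO:testing-devel" dir:/tmp/sigtest-wrong; then
    echo "FAIL: image accepted under the wrong key" >&2; return 1
  fi
  # ...and with the right key the pull and the rebase (step 3) must succeed.
  policy_json "$REPO" "$PWD/right.pub" > /etc/containers/policy.json
  skopeo copy --src-tls-verify=false "docker://$REPO:testing-devel" dir:/tmp/sigtest-right
  rpm-ostree rebase "ostree-image-signed:docker://$REPO:testing-devel"
}
if [ "${1:-}" = run ]; then run_signing_test; fi
```

Run it as root with `sh sigtest.sh run`; without the argument it only defines the helpers, so the generated policy can be inspected with `policy_json localhost:5000/fcos-test /path/to/right.pub`.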
