
CFE-965: [V2] Enable signature verification #709

Merged
merged 2 commits into from Oct 31, 2023

Conversation

lmzuccarelli (Contributor) commented Oct 12, 2023

Description

This change enables secure policy for signature verification on release and additionalImages (in V2) for all Red Hat based images.

Refer to v2/README.md for more details

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

How Has This Been Tested?

Testing

Checking additional images first - imagesetconfig

kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
  local:
    path: /tmp/storageBackend

mirror:
  additionalImages:
  - name: registry.access.redhat.com/ubi8/ubi:latest

Ensure the additionalImages signature verification fails

Set a bad entry in /etc/containers/policy.json (for registry.access.redhat.com)

{
  "default": [
    {
      "type": "insecureAcceptAnything"
    }
  ],
  "transports": {
    "docker-daemon": {
      "": [{"type": "insecureAcceptAnything"}]
    },
    "docker": {
      "registry.redhat.io/redhat/certified-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/community-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/redhat-marketplace-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-primary"
        }
      ],
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-9-primary"
        }
      ],
      "quay.io/openshift-release-dev/openshift-release-dev": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ]
    }
  }
}

Execute oc-binary with --secure-policy flag

oc-mirror --v2 --config imstcfg.yaml file://cfe-965 --secure-policy

Console output

2023/10/12 13:53:38  [INFO]   : mode mirrorToDisk 
2023/10/12 13:53:38  [INFO]   : local storage registry will log to /home/lzuccarelli/go/src/github.com/openshift/oc-mirror/logs/registry.log
2023/10/12 13:53:38  [INFO]   : starting local storage on :5000
2023/10/12 13:53:38  [INFO]   : total release images to copy 0 
2023/10/12 13:53:38  [INFO]   : related images length 0 
2023/10/12 13:53:38  [INFO]   : images to copy (before duplicates) 0 
2023/10/12 13:53:38  [INFO]   : total operator images to copy 0 
2023/10/12 13:53:38  [INFO]   : total additional images to copy 1 
2023/10/12 13:53:38  [INFO]   : images to mirror 1 
2023/10/12 13:53:38  [INFO]   : batch count 1 
2023/10/12 13:53:38  [INFO]   : batch index 0 
2023/10/12 13:53:38  [INFO]   : batch size 1 
2023/10/12 13:53:38  [INFO]   : remainder size 0 
2023/10/12 13:53:38  [INFO]   : starting batch 0 
2023/10/12 13:53:41  [INFO]   : completed batch 0
2023/10/12 13:53:41  [ERROR]  : [Worker] errArray copying image 1/4 from manifest list: Source image rejected: None of the signatures were accepted, reasons: Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.October, 9, 11, 31, 34, 0, time.Local), ExpTimestamp:time.Date(1970, time.January, 1, 1, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.October, 9, 11, 31, 34, 0, time.Local), ExpTimestamp:time.Date(1970, time.January, 1, 1, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.October, 9, 11, 31, 34, 0, time.Local), ExpTimestamp:time.Date(1970, time.January, 1, 1, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.October, 9, 11, 31, 34, 0, time.Local), ExpTimestamp:time.Date(1970, time.January, 1, 1, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.October, 9, 11, 31, 34, 0, time.Local), ExpTimestamp:time.Date(1970, time.January, 1, 1, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}; Invalid GPG signature: gpgme.Signature{Summary:128, Fingerprint:"199E2F91FD431D51", Status:gpgme.Error{err:0x9}, Timestamp:time.Date(2023, time.October, 9, 11, 31, 34, 0, time.Local), ExpTimestamp:time.Date(1970, time.January, 1, 1, 0, 0, 0, time.Local), WrongKeyUsage:false, PKATrust:0x0, ChainModel:false, Validity:0, ValidityReason:error(nil), PubkeyAlgo:1, HashAlgo:8}
2023/10/12 13:53:41  [INFO]   : start time: 2023-10-12 13:53:38.936597935 +0200 CEST m=+0.068315660
collection time: 2023-10-12 13:53:38.936887769 +0200 CEST m=+0.068605489
mirror time: 2023-10-12 13:53:41.276122489 +0200 CEST m=+2.407840215
2023/10/12 13:53:41  [ERROR]  : [Worker] error in batch - refer to console logs

Update /etc/containers/policy.json to the correct value

{
  "default": [
    {
      "type": "insecureAcceptAnything"
    }
  ],
  "transports": {
    "docker-daemon": {
      "": [{"type": "insecureAcceptAnything"}]
    },
    "docker": {
      "registry.redhat.io/redhat/certified-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/community-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/redhat-marketplace-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "quay.io/openshift-release-dev/openshift-release-dev": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ]
    }
  }
}

Re-run oc-mirror

oc-mirror --v2 --config imstcfg.yaml file://cfe-965 --secure-policy

Console output

2023/10/12 14:04:51  [INFO]   : mode mirrorToDisk
2023/10/12 14:04:51  [INFO]   : local storage registry will log to /home/lzuccarelli/go/src/github.com/openshift/oc-mirror/logs/registry.log
2023/10/12 14:04:51  [INFO]   : starting local storage on :5000
2023/10/12 14:04:51  [INFO]   : total release images to copy 0
2023/10/12 14:04:51  [INFO]   : related images length 0
2023/10/12 14:04:51  [INFO]   : images to copy (before duplicates) 0
2023/10/12 14:04:51  [INFO]   : total operator images to copy 0
2023/10/12 14:04:51  [INFO]   : total additional images to copy 1
2023/10/12 14:04:51  [INFO]   : images to mirror 1
2023/10/12 14:04:51  [INFO]   : batch count 1
2023/10/12 14:04:51  [INFO]   : batch index 0
2023/10/12 14:04:51  [INFO]   : batch size 1
2023/10/12 14:04:51  [INFO]   : remainder size 0
2023/10/12 14:04:51  [INFO]   : starting batch 0
2023/10/12 14:07:44  [INFO]   : completed batch 0
2023/10/12 14:07:44  [INFO]   : start time: 2023-10-12 14:04:51.824126921 +0200 CEST m=+0.056019003
collection time: 2023-10-12 14:04:51.824638937 +0200 CEST m=+0.056531021
mirror time: 2023-10-12 14:07:44.201467392 +0200 CEST m=+172.433359478

Update imagesetconfig to include a release

kind: ImageSetConfiguration
apiVersion: mirror.openshift.io/v1alpha2
storageConfig:
  local:
    path: /tmp/storageBackend

mirror:
  platform:
    channels:
    - name: stable-4.13
      type: ocp
      minVersion: 4.13.1
      maxVersion: 4.13.1

Ensure the release signature fails

Update /etc/containers/policy.json with a bad entry

{
  "default": [
    {
      "type": "insecureAcceptAnything"
    }
  ],
  "transports": {
    "docker-daemon": {
      "": [{"type": "insecureAcceptAnything"}]
    },
    "docker": {
      "registry.redhat.io/redhat/certified-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/community-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/redhat-marketplace-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "quay.io/openshift-release-dev/openshift-release-dev": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-39-primary"
        }
      ]
    }
  }
}

Execute oc-mirror

oc-mirror --v2 --config imstcfg.yaml file://cfe-965 --secure-policy

Console output

2023/10/12 14:18:44  [INFO]   : mode mirrorToDisk 
2023/10/12 14:18:44  [INFO]   : local storage registry will log to /home/lzuccarelli/go/src/github.com/openshift/oc-mirror/logs/registry.log
2023/10/12 14:18:44  [INFO]   : starting local storage on :5000
2023/10/12 14:18:44  [INFO]   : processing minimum version 4.13.1 and maximum version 4.13.1
2023/10/12 14:18:45  [INFO]   : Found update 4.13.1
2023/10/12 14:18:45  [WARN]   : signature for 9c92b5ec203ee7f81626cc4e9f02086484056a76548961e5895916f136302b1f not in cache
2023/10/12 14:18:45  [INFO]   : signature 9c92b5ec203ee7f81626cc4e9f02086484056a76548961e5895916f136302b1f
2023/10/12 14:18:46  [INFO]   : content {"critical": {"image": {"docker-manifest-digest": "sha256:9c92b5ec203ee7f81626cc4e9f02086484056a76548961e5895916f136302b1f"}, "type": "atomic container signature", "identity": {"docker-reference": "quay.io/openshift-release-dev/ocp-release:4.13.1-x86_64"}}, "optional": {"creator": "Red Hat OpenShift Signing Authority 0.0.1"}}
2023/10/12 14:18:46  [INFO]   : image found : quay.io/openshift-release-dev/ocp-release:4.13.1-x86_64
2023/10/12 14:18:46  [INFO]   : public Key : 567E347AD0044ADE55BA8A5F199E2F91FD431D51
2023/10/12 14:18:46  [INFO]   : copying  quay.io/openshift-release-dev/ocp-release:4.13.1-x86_64 
2023/10/12 14:19:45  [INFO]   : total release images to copy 184 
2023/10/12 14:19:45  [INFO]   : related images length 0 
2023/10/12 14:19:45  [INFO]   : images to copy (before duplicates) 0 
2023/10/12 14:19:45  [INFO]   : total operator images to copy 0 
2023/10/12 14:19:45  [INFO]   : total additional images to copy 0 
2023/10/12 14:19:45  [INFO]   : images to mirror 184 
2023/10/12 14:19:45  [INFO]   : batch count 23 
2023/10/12 14:19:45  [INFO]   : batch index 0 
2023/10/12 14:19:45  [INFO]   : batch size 8 
2023/10/12 14:19:45  [INFO]   : remainder size 0 
2023/10/12 14:19:45  [INFO]   : starting batch 0 
2023/10/12 14:19:47  [INFO]   : completed batch 0
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1dac5e9e31c011322d414a74f1aeb1ab2b4d766679b2ea7df359fa3456a7b83d: reading manifest sha256:1dac5e9e31c011322d414a74f1aeb1ab2b4d766679b2ea7df359fa3456a7b83d in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3a8b33263729ab42c0ff29b9d5e8b767b7b1a9b31240c592fa8d173463fb04d1: reading manifest sha256:3a8b33263729ab42c0ff29b9d5e8b767b7b1a9b31240c592fa8d173463fb04d1 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2e1b327b96ce3b897f25133b0d119fbe671e499dee2483e72f5953cc85947a06: reading manifest sha256:2e1b327b96ce3b897f25133b0d119fbe671e499dee2483e72f5953cc85947a06 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ce3e2e4aac617077ac98b82d9849659595d85cd31f17b3213da37bc5802b78e1: reading manifest sha256:ce3e2e4aac617077ac98b82d9849659595d85cd31f17b3213da37bc5802b78e1 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c9836bc7472215104f20ba7f0656ad69061681cc626165cee18470645c880d33: reading manifest sha256:c9836bc7472215104f20ba7f0656ad69061681cc626165cee18470645c880d33 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ee080b37108cc5bee6b0e0d1e55148f4aa67e3d236d53fb7d9aee4a83d187603: reading manifest sha256:ee080b37108cc5bee6b0e0d1e55148f4aa67e3d236d53fb7d9aee4a83d187603 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:29ef5c21337a918bb51939045206386790d22dec33cc705f668bdd0c7c9d5b51: reading manifest sha256:29ef5c21337a918bb51939045206386790d22dec33cc705f668bdd0c7c9d5b51 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6a6bb6f9a57bc5484a3c3e3223606719c963b9939b07d40c2c7eaccf97ce6a20: reading manifest sha256:6a6bb6f9a57bc5484a3c3e3223606719c963b9939b07d40c2c7eaccf97ce6a20 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [INFO]   : start time: 2023-10-12 14:18:44.486017397 +0200 CEST m=+0.063208194
collection time: 2023-10-12 14:19:45.331170391 +0200 CEST m=+60.908361187
mirror time: 2023-10-12 14:19:47.390820731 +0200 CEST m=+62.968011585
2023/10/12 14:19:47  [ERROR]  : [Worker] error in batch - refer to console logs

Update the /etc/containers/policy.json to the correct value for quay.io/openshift-release-dev/openshift-release-dev

{
  "default": [
    {
      "type": "insecureAcceptAnything"
    }
  ],
  "transports": {
    "docker-daemon": {
      "": [{"type": "insecureAcceptAnything"}]
    },
    "docker": {
      "registry.redhat.io/redhat/certified-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/community-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/redhat-marketplace-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "quay.io/openshift-release-dev/openshift-release-dev": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ]
    }
  }
}

This should now execute without any problems.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
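The test runs above hinge on two things: which policy.json scope a given image reference resolves to, and whether the signedBy key that scope points at actually exists on the host. The Go program below is an added example, not code from oc-mirror or from containers/image. It re-implements the scope lookup documented for the docker transport (full identity, then repository, then each parent namespace, then the registry host, then the transport-wide "" scope, then the global default) and audits a list of references against a policy. The embedded policy is constructed for this example from scopes named in the PR text; the names candidateScopes, Resolve, Audit and Finding are chosen here, and the wildcard "*.host" scopes supported by newer containers/image releases are assumed out of scope and not handled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Requirement is one entry in a policy.json requirement list.
type Requirement struct {
	Type    string `json:"type"`
	KeyType string `json:"keyType,omitempty"`
	KeyPath string `json:"keyPath,omitempty"`
}

// Policy mirrors the top-level shape of /etc/containers/policy.json.
type Policy struct {
	Default    []Requirement                       `json:"default"`
	Transports map[string]map[string][]Requirement `json:"transports"`
}

// Finding records which scope an image reference resolved to and what it demands.
type Finding struct {
	Ref, Scope, Type, KeyPath string
	Insecure                  bool // every requirement is insecureAcceptAnything
	KeyMissing                bool // a signedBy keyPath does not exist on this host
}

// candidateScopes lists the scopes a docker reference is matched against, most
// specific first: full identity, repository, each parent namespace, registry host.
// Assumption: this re-implements the order documented for containers/image; the
// wildcard "*.host" scopes of newer versions are not handled.
func candidateScopes(ref string) []string {
	repo := ref
	if i := strings.Index(repo, "@"); i >= 0 { // drop @digest
		repo = repo[:i]
	}
	if s := strings.LastIndex(repo, "/"); s >= 0 { // drop :tag but keep host:port
		if c := strings.LastIndex(repo[s:], ":"); c >= 0 {
			repo = repo[:s+c]
		}
	}
	scopes := []string{ref}
	if repo != ref {
		scopes = append(scopes, repo)
	}
	for i := strings.LastIndex(repo, "/"); i >= 0; i = strings.LastIndex(repo, "/") {
		repo = repo[:i]
		scopes = append(scopes, repo)
	}
	return scopes
}

// Resolve finds the requirement list that applies to ref: the most specific
// docker scope, then the transport-wide "" scope, then the global default.
func Resolve(p *Policy, ref string) Finding {
	docker := p.Transports["docker"]
	for _, s := range candidateScopes(ref) {
		if reqs, ok := docker[s]; ok {
			return describe(ref, s, reqs)
		}
	}
	if reqs, ok := docker[""]; ok {
		return describe(ref, `docker:""`, reqs)
	}
	return describe(ref, "default", p.Default)
}

func describe(ref, scope string, reqs []Requirement) Finding {
	f := Finding{Ref: ref, Scope: scope, Type: "reject"} // an empty list rejects everything
	if len(reqs) == 0 {
		return f
	}
	f.Type, f.KeyPath, f.Insecure = reqs[0].Type, reqs[0].KeyPath, true
	for _, r := range reqs {
		if r.Type != "insecureAcceptAnything" {
			f.Insecure = false // all requirements must pass, so one strict entry suffices
		}
		if _, err := os.Stat(r.KeyPath); r.Type == "signedBy" && err != nil {
			f.KeyMissing = true
		}
	}
	return f
}

// Audit resolves every reference in refs against the policy document.
func Audit(policyJSON []byte, refs []string) ([]Finding, error) {
	var p Policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, fmt.Errorf("parsing policy: %w", err)
	}
	out := make([]Finding, 0, len(refs))
	for _, r := range refs {
		out = append(out, Resolve(&p, r))
	}
	return out, nil
}

// samplePolicy is constructed for this example from scopes named in the PR text.
const samplePolicy = `{"default": [{"type": "insecureAcceptAnything"}],
 "transports": {"docker": {
  "registry.access.redhat.com": [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
  "quay.io/openshift-release-dev/openshift-release-dev": [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]}}}`

func main() {
	findings, err := Audit([]byte(samplePolicy), []string{
		"registry.access.redhat.com/ubi8/ubi:latest",
		"quay.io/openshift-release-dev/ocp-release:4.13.1-x86_64",
	})
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("%s\n  scope=%q type=%s insecure=%v keyMissing=%v\n", f.Ref, f.Scope, f.Type, f.Insecure, f.KeyMissing)
	}
}
```

Running it shows that registry.access.redhat.com/ubi8/ubi:latest is covered by the registry.access.redhat.com scope, whereas quay.io/openshift-release-dev/ocp-release:4.13.1-x86_64 is not under the quay.io/openshift-release-dev/openshift-release-dev scope and falls through to the insecureAcceptAnything default, which is the kind of gap worth checking before relying on --secure-policy for a release mirror. A KeyMissing finding is equally worth surfacing: a signedBy scope whose keyPath does not exist on the host can never accept an image, so every copy under that scope fails at mirror time rather than at configuration time.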

openshift-ci-robot added the jira/valid-reference label (Indicates that this PR references a valid Jira ticket of any type.) on Oct 12, 2023

openshift-ci-robot commented Oct 12, 2023

@lmzuccarelli: This pull request references CFE-965 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the spike to target the "4.15.0" version, but no target version was set.

2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:3a8b33263729ab42c0ff29b9d5e8b767b7b1a9b31240c592fa8d173463fb04d1: reading manifest sha256:3a8b33263729ab42c0ff29b9d5e8b767b7b1a9b31240c592fa8d173463fb04d1 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2e1b327b96ce3b897f25133b0d119fbe671e499dee2483e72f5953cc85947a06: reading manifest sha256:2e1b327b96ce3b897f25133b0d119fbe671e499dee2483e72f5953cc85947a06 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ce3e2e4aac617077ac98b82d9849659595d85cd31f17b3213da37bc5802b78e1: reading manifest sha256:ce3e2e4aac617077ac98b82d9849659595d85cd31f17b3213da37bc5802b78e1 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c9836bc7472215104f20ba7f0656ad69061681cc626165cee18470645c880d33: reading manifest sha256:c9836bc7472215104f20ba7f0656ad69061681cc626165cee18470645c880d33 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:ee080b37108cc5bee6b0e0d1e55148f4aa67e3d236d53fb7d9aee4a83d187603: reading manifest sha256:ee080b37108cc5bee6b0e0d1e55148f4aa67e3d236d53fb7d9aee4a83d187603 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:29ef5c21337a918bb51939045206386790d22dec33cc705f668bdd0c7c9d5b51: reading manifest sha256:29ef5c21337a918bb51939045206386790d22dec33cc705f668bdd0c7c9d5b51 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [ERROR]  : [Worker] errArray initializing source docker://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:6a6bb6f9a57bc5484a3c3e3223606719c963b9939b07d40c2c7eaccf97ce6a20: reading manifest sha256:6a6bb6f9a57bc5484a3c3e3223606719c963b9939b07d40c2c7eaccf97ce6a20 in quay.io/openshift-release-dev/ocp-v4.0-art-dev: unauthorized: access to the requested resource is not authorized
2023/10/12 14:19:47  [INFO]   : start time: 2023-10-12 14:18:44.486017397 +0200 CEST m=+0.063208194
collection time: 2023-10-12 14:19:45.331170391 +0200 CEST m=+60.908361187
mirror time: 2023-10-12 14:19:47.390820731 +0200 CEST m=+62.968011585
2023/10/12 14:19:47  [ERROR]  : [Worker] error in batch - refer to console logs

Update the /etc/containers/policy.json to the correct value for quay.io/openshift-release-dev/openshift-release-dev

{
  "default": [
    {
      "type": "insecureAcceptAnything"
    }
  ],
  "transports": {
    "docker-daemon": {
      "": [{"type":"insecureAcceptAnything"}]
    },
    "docker": {
      "registry.redhat.io/redhat/certified-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/community-operator-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io/redhat/redhat-marketplace-index": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "quay.io/openshift-release-dev/openshift-release-dev": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ]
    }
  }
}

This should now execute without any problems

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
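
The policy.json scope lookup that the test runs above depend on, as an added Go example (not oc-mirror's or containers/image's own code). It assumes that --secure-policy applies the standard containers-policy.json(5) matching order, which the logs above do not show, and it condenses the final policy above to four docker scopes. Under those rules a repository-level scope such as quay.io/openshift-release-dev/openshift-release-dev covers only that repository and its sub-paths, so the ocp-release reference from the release test resolves to the global default, which here is insecureAcceptAnything.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Requirement is one entry in a policy.json scope list (fields the page uses).
type Requirement struct {
	Type    string `json:"type"`
	KeyType string `json:"keyType,omitempty"`
	KeyPath string `json:"keyPath,omitempty"`
}

// Policy mirrors /etc/containers/policy.json: a global default list and, per
// transport, a map from scope key to the requirement list for that scope.
type Policy struct {
	Default    []Requirement                       `json:"default"`
	Transports map[string]map[string][]Requirement `json:"transports"`
}

// samplePolicy is the page's final policy, condensed to four docker scopes.
const samplePolicy = `{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]},
    "docker": {
      "registry.redhat.io/redhat/certified-operator-index": [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-isv"}],
      "registry.redhat.io": [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
      "registry.access.redhat.com": [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],
      "quay.io/openshift-release-dev/openshift-release-dev": [{"type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]
    }
  }
}`

// LoadPolicy parses policy.json content.
func LoadPolicy(data string) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal([]byte(data), &p); err != nil {
		return nil, fmt.Errorf("parse policy.json: %w", err)
	}
	return &p, nil
}

// DockerScopes lists the scope keys a docker:// reference can match, most specific
// first (containers-policy.json(5) order): full reference, repository, parent namespaces, host.
func DockerScopes(ref string) []string {
	repo := ref
	if i := strings.LastIndex(repo, "@"); i >= 0 {
		repo = repo[:i] // drop @sha256:... digest
	}
	if i := strings.LastIndex(repo, ":"); i > strings.LastIndex(repo, "/") {
		repo = repo[:i] // drop :tag (a ':' before the last '/' is a host port)
	}
	scopes := []string{ref}
	if repo != ref {
		scopes = append(scopes, repo)
	}
	for i := strings.LastIndex(repo, "/"); i >= 0; i = strings.LastIndex(repo, "/") {
		repo = repo[:i]
		scopes = append(scopes, repo)
	}
	return scopes
}

// Resolve returns the requirements governing ref on transport and the scope key
// they came from: "" is the transport-wide entry, "(default)" the global list.
func (p *Policy) Resolve(transport, ref string) (string, []Requirement) {
	scopes := p.Transports[transport]
	for _, s := range append(DockerScopes(ref), "") {
		if reqs, ok := scopes[s]; ok {
			return s, reqs
		}
	}
	return "(default)", p.Default
}

// RequiresSignature: every entry in a list must pass, so one signedBy entry is enough.
func RequiresSignature(reqs []Requirement) bool {
	for _, r := range reqs {
		if r.Type == "signedBy" {
			return true
		}
	}
	return false
}

func main() {
	p, err := LoadPolicy(samplePolicy)
	if err != nil {
		panic(err)
	}
	// The two references the page's test runs exercise.
	for _, ref := range []string{"registry.access.redhat.com/ubi8/ubi:latest", "quay.io/openshift-release-dev/ocp-release:4.13.1-x86_64"} {
		scope, reqs := p.Resolve("docker", ref)
		fmt.Printf("%-60s signature required: %-5t (%s)\n", ref, RequiresSignature(reqs), scope)
	}
}
```

Any reference that resolves to "(default)" is accepted unsigned by this policy, which is the first thing to check before relying on --secure-policy for a mirror run.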

@lmzuccarelli (Contributor Author)

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 12, 2023
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 12, 2023

openshift-ci-robot commented Oct 12, 2023

@lmzuccarelli: This pull request references CFE-965 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.15.0" version, but no target version was set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 19, 2023

@sherine-k sherine-k left a comment

Nice work @lmzuccarelli !
Thank you
I have just a small doubt about removing the creation of workingDir in executor.go code.
LGTM otherwise ;)

v2/pkg/cli/executor.go (review thread, outdated, resolved)
v2/pkg/cli/executor.go (review thread, outdated, resolved)
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 31, 2023
@lmzuccarelli (Contributor Author)

/unhold

@openshift-ci openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 31, 2023

@sherine-k sherine-k left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 31, 2023

openshift-ci bot commented Oct 31, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lmzuccarelli, sherine-k

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [lmzuccarelli,sherine-k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot removed the lgtm Indicates that a PR is ready to be merged. label Oct 31, 2023
@@ -1,268 +0,0 @@
package diff
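Review bot: removing the whole `diff` package (the hunk drops all 268 lines; only `package diff` is visible here) should come with a check that nothing under v2 still imports it and with a note in v2/README.md, which the description points to for details, recording that the diff mechanism is gone and what the secure-policy flow uses instead.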
Contributor

Good to see this diff mechanism going away


openshift-ci bot commented Oct 31, 2023

@lmzuccarelli: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.


@aguidirh aguidirh left a comment

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Oct 31, 2023
@openshift-ci openshift-ci bot merged commit f3a42be into openshift:main Oct 31, 2023
5 checks passed
@lmzuccarelli lmzuccarelli deleted the CFE-965 branch January 4, 2024 14:29
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.