insecureAcceptAnything

[jimt]

I tried following the Readme on a test machine with Silverblue installed. The rpm-ostree step results in the error message:

error: Preparing import: Fetching manifest: containers-policy.json specifies a default of 'insecureAcceptAnything'; refusing usage

[ryanabx]

Rebase to an unsigned image first, then rebase to the signed image:

rpm-ostree rebase ostree-unverified-registry:docker://ghcr.io/ublue-os/cosmic-base

Then:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/cosmic-base

Swap out cosmic-base with cosmic-silverblue if you were going to use that instead :p

Relevant PR: #15

[jimt]

Thanks for the quick response.

I may be missing another step because trying to rebase to the unsigned image produces the cryptic:
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: invalid reference format

rpm-ostree rebase ostree-unverified-image:docker://ghcr.io/ublue-os/cosmic-base
If I change change registry to image in the command line, it pulls in the manifest ostree-unverified-registry. I don't understand the naming convention. (Obviously. Sorry for the noise.)

[ryanabx]

No worries! Try removing the docker:// from the command. I could have that part wrong

rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/cosmic-base

[jimt]

I had done:
sudo rpm-ostree rebase ostree-unverified-image:docker://ghcr.io/ublue-os/cosmic-silverblue:40-amd64
waited while my system pulled down 2.xGB, and after rebooting did indeed have COSMIC.

The version specifying registry (without the docker:// bit) also worked.

But after either of those, I still can't do the readme's second step of rebasing onto the "signed" image of either cosmic-base or cosmic-silverblue without getting the original error message about insecureAcceptAnything; refusing usage (Not that I really need a signed image for my playground machine.)

[castrojo]

Can you paste an rpm-ostree status and then also the result of running the rebase? Thanks!

[jimt]

~ ❯❯❯ sudo rpm-ostree status
[sudo] password for jim:
State: idle
Deployments:
● ostree-unverified-registry:ghcr.io/ublue-os/cosmic-silverblue:40-amd64
                   Digest: sha256:bca6ec1fef321ccdf6a7672c54fb3c5e6e2d3d37c793d4
75cadd9178b59c0e7b
                  Version: 40.20240304.0 (2024-03-04T15:07:47Z)
          LayeredPackages: btop exa gnome-tweaks ripgrep stow tailscale vim-enha
nced zoxide zsh

  ostree-unverified-image:docker://ghcr.io/ublue-os/cosmic-silverblue:40-amd64
                   Digest: sha256:bca6ec1fef321ccdf6a7672c54fb3c5e6e2d3d37c793d4
75cadd9178b59c0e7b
                  Version: 40.20240304.0 (2024-03-04T15:07:47Z)
          LayeredPackages: btop exa gnome-tweaks ripgrep stow tailscale vim-enha
nced zoxide zsh
~ ❯❯❯ rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/cosmic-sil
verblue:40-amd64
Pulling manifest: ostree-image-signed:docker://ghcr.io/ublue-os/cosmic-silverblu
e:40-amd64
error: Preparing import: Fetching manifest: containers-policy.json specifies a d
efault of `insecureAcceptAnything`; refusing usage
~ ❯❯❯ rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/cosmic-bas
e:40-amd64
Pulling manifest: ostree-image-signed:docker://ghcr.io/ublue-os/cosmic-base:40-a
md64
error: Preparing import: Fetching manifest: containers-policy.json specifies a d
efault of `insecureAcceptAnything`; refusing usage

[castrojo]

Ok I think what we need to do is include the ublue key and policy.json in this image. This image is deriving right from Fedora so it doesn't have our key in it, so it's not going to rebase to a signed image. I recommend just staying on the unsigned image for now so you're getting updates, and once we sort that we'll post rebase instructions.

[boredsquirrel]

Was this recently done? #22

btw rpm-ostree does not need sudo

[castrojo]

Ok we've rebased the images to use the ublue-os/main images instead of raw upstream, so next update you should have all the right keys.

Try the rebase to a signed image and that should work.

[gageberz]

It does work now.