blue-build / template

Template for making your own OS image using BlueBuild
Apache License 2.0

rpm-ostree and podman fail to load the generated image with ASN.1 signature errors #13

Closed dperson closed 8 months ago

dperson commented 8 months ago

Both rpm-ostree and podman produce the same error:

❯ rpm-ostree upgrade
note: automatic updates (stage) are enabled
Pulling manifest: ostree-image-signed:docker://ghcr.io/dperson/silver-ublue:latest
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature

While cosign thinks everything is good:

❯  cosign verify --key projects/ublue-os/cosign.pub ghcr.io/dperson/silver-ublue:latest

Verification for ghcr.io/dperson/silver-ublue:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"ghcr.io/dperson/silver-ublue"},"image":{"docker-manifest-digest":"sha256:9ee4922f79e62beb828c02c74a8c4e77f28508aad6983e719c870b4152079a6f"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCICzgS/QCzQC4rURzj602kKUG/Gi9Apbi4eK3O/ogdaimAiEArKaJs0LJdFm+fkPZlbdHj3/HfRDD7WKmyEXWh4GMCQQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI1ZTljMzBmYjc3NzU5MDRlMDkyNzdkYzE4M2E3ZTVhNTg1NzRmMWEzYTcyMGU0OGNjNWFlZjZhOGYxMzlkZTdjIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FVUNJRElEWFBtMWlFeGVlTTZhaG9uNmFtMy9hR2ZTdTk4c01vM1ROek5jOVloTkFpRUFxanFiTDhrSWhUNlZsOWMzcEQ1cEtqdC9MQkZTU1grSWh3TUtZS21KaDIwPSIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY0RCM2RWUmFLekUyY2xaVVVEZEpUMkp6WW5JellsTkxRa0V5T1FwV1pqaGhaVk53VURoV2RqUjJaVWRHVkVaaFJUWnNTMmhTYXpGSWQyZzRjMlZJYkhGTlptbEliVGx4WVN0V00wZDFlVWhUVGxKclZDdEJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1709003820,"logIndex":74227925,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}}]

The builds are running successfully, I'm not sure what or how I messed things up... the repo is public, you're welcome to look. Running rpm-ostree rebase has the same issue as upgrade.

The only thing my searches found was this link, which was caused by something messed up in /etc/containers. So I cleared it entirely replacing it with the contents of my /usr/etc/containers.

I really like how you cleaned up the design / layout of the template. Now if I can just get the images to work... Thanks!

dperson commented 8 months ago

Okay weirdly while rpm-ostree rebase ostree-unverified-registry:ghcr.io/dperson/silver-ublue:latest was giving the same errors.

I found in /etc/containers/policy.json a pointer to my old (previous repo) public key. When I pointed it to a file with my new public key, it's working again. Not sure why the rebase to the unverified image repo wouldn't work though...
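A stale keyPath in /etc/containers/policy.json, as found above, is something a small local check can surface before rpm-ostree or podman reject the image. The following is an added example, not code from the BlueBuild template or from anyone in this thread: it resolves which policy.json scope applies to an image reference (a hypothetical re-implementation of the most-specific-first matching described in containers-policy.json(5)) and compares the fingerprint of the configured sigstoreSigned key with the key the image is expected to be signed with. The policy, key paths and PEM contents are constructed placeholders.

```python
import hashlib
import json
# Constructed sample policy.json: the image's scope still names an old key.
POLICY_JSON = """{
  "default": [{"type": "reject"}],
  "transports": {"docker": {
    "ghcr.io/dperson/silver-ublue": [{"type": "sigstoreSigned",
                                     "keyPath": "/etc/pki/containers/old-key.pub"}],
    "": [{"type": "insecureAcceptAnything"}]}}}"""

# Constructed stand-ins for the key files on disk (placeholder PEM bodies, not real keys).
KEY_FILES = {
    "/etc/pki/containers/old-key.pub": "-----BEGIN PUBLIC KEY-----\nOLDKEY\n-----END PUBLIC KEY-----\n",
    "/etc/pki/containers/new-key.pub": "-----BEGIN PUBLIC KEY-----\nNEWKEY\n-----END PUBLIC KEY-----\n",
}

def candidate_scopes(image_ref):
    """Policy scopes for a docker:// reference, most specific first (assumed matching order)."""
    name = image_ref.split("://", 1)[-1].split("@", 1)[0]   # drop transport and digest
    host, _, path = name.partition("/")
    repo = path.rsplit(":", 1)[0]                           # drop the tag, if any
    scopes = [name] if name != f"{host}/{repo}" else []
    parts = repo.split("/")
    while parts:                                            # repo, then each parent namespace
        scopes.append(host + "/" + "/".join(parts))
        parts.pop()
    return scopes + [host, ""]                              # registry, then transport default

def fingerprint(pem):
    # SHA-256 over the base64 body of a PEM public key, ignoring the BEGIN/END lines.
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(body.encode()).hexdigest()

def requirements_for(policy, image_ref):
    """Return (scope, requirement list) that the policy applies to image_ref."""
    docker = policy.get("transports", {}).get("docker", {})
    for scope in candidate_scopes(image_ref):
        if scope in docker:
            return scope, docker[scope]
    return "default", policy.get("default", [])

def check_signing_key(policy_text, image_ref, key_files, expected_pem):
    """Return (scope, keyPath, True if the configured key is the expected one)."""
    scope, reqs = requirements_for(json.loads(policy_text), image_ref)
    for req in reqs:
        if req.get("type") == "sigstoreSigned" and "keyPath" in req:
            pem = key_files.get(req["keyPath"])
            ok = pem is not None and fingerprint(pem) == fingerprint(expected_pem)
            return scope, req["keyPath"], ok
    return scope, None, False   # no key-based requirement applies at this scope
```

On a real host, replace KEY_FILES with the contents read from the keyPath entries and pass the cosign public key the build actually signs with as expected_pem.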

xynydev commented 8 months ago

If you had modified the /etc/policy.json manually previously, it wouldn't be overwritten by a rewrite.

dperson commented 8 months ago

I had not (prior to this issue).