containers / skopeo

Work with remote images registries - retrieving information, images, signing content
Apache License 2.0

Error verifying signature: Invalid GPG signature: (*packet.Signature)( "nil)" #2238

Closed jam49 closed 2 months ago

jam49 commented 7 months ago

I tried building the new version (eg 1.14.x) for ubuntu 20.04 as per:

https://github.com/containers/skopeo/issues/1648

However, once built I get `Error verifying signature: Invalid GPG signature: (*packet.Signature)( "nil)"` when running `skopeo standalone-verify manifest.json <image name> ${gpgkeyfingerprint} signature-1`. When running the same command with the skopeo version that comes with Ubuntu 20.04 (v1.5.0), the signature verifies fine.

Is there something special about the build in the ubuntu repo?

mtrmac commented 7 months ago

Thanks for reaching out.

That failure doesn’t look like something that should be significantly affected by the build environment; it’s a direct outcome of parsing that signature, with golang.org/x/crypto/openpgp implementation that did change between those versions, but only very slightly.

My first guess, absurd as it may seem, is that, in fact, the two reproducers are not reading the same signature-1. Failing that, really a small behavior difference between the two golang.org/x/crypto/openpgp implementations, or perhaps in how they are compiled.

jam49 commented 7 months ago

It's the same signature; it's pulled from a repo location. I agree, it smells like a parsing error. The signature was signed via skopeo v1.12 but verifies fine with the Ubuntu skopeo 1.5.0, oddly.

The wrench in the works may be the grs-grp package from gara-sign. I'll do some more checking.

github-actions[bot] commented 6 months ago

A friendly reminder that this issue had no activity for 30 days.

ktdreyer commented 5 months ago

I've built skopeo 1.15.0 for Ubuntu 20.04 and it works well. I'm using this to GPG-sign and push many images.

Here's the Dockerfile I use:

```dockerfile
FROM ubuntu:20.04 AS skopeo-build

ENV GO_VERSION=1.21.8
ENV SKOPEO_VERSION=1.15.0

ENV DEBIAN_FRONTEND=noninteractive
RUN apt update
RUN apt install --no-install-recommends -y curl git-core gcc make pkg-config libgpgme-dev ca-certificates

WORKDIR /usr/local

RUN curl -fsSL "https://dl.google.com/go/go${GO_VERSION}.linux-amd64.tar.gz" \
  | tar -xzf - --strip-components=1

ENV GOPATH /go
ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH
RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"

WORKDIR /usr/src/skopeo

RUN curl -fsSL "https://github.com/containers/skopeo/archive/refs/tags/v${SKOPEO_VERSION}.tar.gz" \
  | tar -xzf - --strip-components=1

RUN CGO_ENABLED=1 DISABLE_DOCS=1 make BUILDTAGS="exclude_graphdriver_btrfs exclude_graphdriver_devicemapper" GO_DYN_FLAGS=

RUN ./bin/skopeo --version

FROM ubuntu:20.04

ENV DEBIAN_FRONTEND=noninteractive
RUN apt update
RUN apt install --no-install-recommends -y libgpgme11

COPY --from=skopeo-build /usr/src/skopeo/bin/skopeo /usr/local/bin/
COPY --from=skopeo-build /usr/src/skopeo/default-policy.json /etc/containers/policy.json

RUN skopeo --version
```

You can bump GO_VERSION and SKOPEO_VERSION as needed.

I build it on my Fedora workstation like this:

```shell
podman build --pull --tag skopeo-binary .
container_id=$(podman create localhost/skopeo-binary:latest)

# Extract the new "skopeo" executable into the current working directory:
podman cp $container_id:/usr/local/bin/skopeo .

# Clean up the Ubuntu container:
podman rm $container_id

# Distribute the binary somewhere that my CI system can download it:
ssh webserver.example.com "mkdir public_html/somewhere/skopeo-1.15.0/"
rsync skopeo webserver.example.com:public_html/somewhere/skopeo-1.15.0/
```

ktdreyer commented 5 months ago

By the way @jam49 , I also use garasign at my employer. I wonder if our environments are similar ...

github-actions[bot] commented 4 months ago

A friendly reminder that this issue had no activity for 30 days.

mtrmac commented 3 months ago

Investigating a bit more, this error is reported when the key ID in the signature does not match any of the provided keys. I don't see anything obviously related to the version differences reported above triggering the error.

I have filed https://github.com/containers/image/pull/2466 to improve the error message, at least, so that it includes the non-matching key ID.
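The key-mismatch case described above can be checked before involving skopeo at all: an OpenPGP signature names the key that made it (an issuer key ID, which is the last 16 hex digits of the key's fingerprint), so comparing that ID with the fingerprints handed to `standalone-verify` tells you whether the two can match at all. The script below is an added example, not skopeo's or containers/image's code. It assumes the signature file is a binary OpenPGP signed message as skopeo writes (a compressed-data packet wrapping one-pass signature, literal data and signature packets) and also accepts a bare signature packet; the sample message, key ID and fingerprint it builds are constructed by hand and would never cryptographically verify.

```python
"""Read the issuer key IDs out of an OpenPGP message (the format of a skopeo
signature file) and compare them with the fingerprints handed to
standalone-verify.  Added diagnostic example, not skopeo's own code; the
sample message is constructed by hand and would never cryptographically verify."""
import zlib

ISSUER, ISSUER_FPR = 16, 33         # signature subpacket types (RFC 4880 5.2.3)
SAMPLE_KEY_ID = "0123456789ABCDEF"  # constructed; key ID = last 16 hex digits of the v4 fingerprint
SAMPLE_FPR = "A1B2C3D4E5F60718293A4B5C" + SAMPLE_KEY_ID  # constructed 40-hex fingerprint

def _packet_length(data, i, ctb):
    """Return (body_start, body_len) for the packet whose tag byte is data[i]."""
    if ctb & 0x40:                                   # new-format header
        first = data[i + 1]
        if first < 192:
            return i + 2, first
        if first < 224:
            return i + 3, ((first - 192) << 8) + data[i + 2] + 192
        if first == 255:
            return i + 6, int.from_bytes(data[i + 2:i + 6], "big")
        raise ValueError("partial body lengths are not handled")
    n = 1 << (ctb & 0x03)   # old-format header: 1/2/4-octet length (indeterminate form not handled)
    return i + 1 + n, int.from_bytes(data[i + 1:i + 1 + n], "big")

def iter_packets(data):
    """Yield (tag, body) for each top-level packet in data."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("no OpenPGP packet header at offset %d" % i)
        tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F
        start, length = _packet_length(data, i, ctb)
        yield tag, data[start:start + length]
        i = start + length

def _iter_subpackets(area):
    """Yield (type, payload) for each subpacket in a signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]  # length covers the type byte
        i += length

def signature_issuers(body):
    """Key IDs / fingerprints (upper-case hex) named by a v4 signature packet."""
    if body[0] != 4:
        raise ValueError("only v4 signature packets are handled")
    ids, i = set(), 4                    # skip version, sig type, pk algo, hash algo
    for _ in range(2):                   # hashed area, then unhashed area
        n = int.from_bytes(body[i:i + 2], "big")
        for stype, sdata in _iter_subpackets(body[i + 2:i + 2 + n]):
            if stype == ISSUER:
                ids.add(sdata.hex().upper())
            elif stype == ISSUER_FPR:
                ids.add(sdata[1:].hex().upper())   # first byte is the key version
        i += 2 + n
    return ids

def issuer_key_ids(blob):
    """Collect every key ID named by (one-pass) signature packets in a message."""
    found = set()
    for tag, body in iter_packets(blob):
        if tag == 8:                                  # compressed data: unwrap, recurse
            algo, payload = body[0], body[1:]
            if algo in (1, 2):                        # 1 = ZIP (raw DEFLATE), 2 = ZLIB
                payload = zlib.decompress(payload, -15 if algo == 1 else 15)
            elif algo != 0:
                raise ValueError("unsupported compression algorithm %d" % algo)
            found |= issuer_key_ids(payload)
        elif tag == 4:                                # one-pass signature: key ID at offset 4
            found.add(body[4:12].hex().upper())
        elif tag == 2:                                # signature packet
            found |= signature_issuers(body)
    return found

def matching_fingerprints(blob, fingerprints):
    """Subset of fingerprints whose full value or key ID the message names."""
    issuers = issuer_key_ids(blob)
    normalised = {f: f.replace(" ", "").upper() for f in fingerprints}
    return {f for f, n in normalised.items() if n in issuers or n[-16:] in issuers}

def sample_message(key_id=SAMPLE_KEY_ID):
    """Constructed stand-in for a skopeo signature file: a ZLIB compressed-data
    packet wrapping one-pass signature, literal data and a v4 signature."""
    new = lambda tag, body: bytes([0xC0 | tag, len(body)]) + body   # new-format, body < 192 bytes
    one_pass = bytes([3, 0x00, 8, 1]) + bytes.fromhex(key_id) + b"\x01"
    literal = b"b\x00" + (0x66000000).to_bytes(4, "big") + b'{"critical":{}}'
    hashed = bytes([5, 2]) + (0x66000000).to_bytes(4, "big")    # creation-time subpacket
    unhashed = bytes([9, ISSUER]) + bytes.fromhex(key_id)       # issuer subpacket
    sig = (bytes([4, 0x00, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed
           + len(unhashed).to_bytes(2, "big") + unhashed + b"\xab\xcd" + b"\x00\x08\xff")
    inner = new(4, one_pass) + new(11, literal) + bytes([0x88, len(sig)]) + sig  # 0x88: old-format tag 2
    return new(8, b"\x02" + zlib.compress(inner))

if __name__ == "__main__":
    blob = sample_message()
    print("issuer key IDs in signature:", sorted(issuer_key_ids(blob)))
    print("matching given fingerprints:", matching_fingerprints(blob, [SAMPLE_FPR]))
```

Run it against a real file with `matching_fingerprints(open("signature-1", "rb").read(), [fingerprint])`: an empty result means the signature was made by a key other than the one passed on the command line, which is exactly the situation the improved error message is meant to name. `gpg --list-packets signature-1` shows the same issuer lines if you prefer not to parse by hand.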

github-actions[bot] commented 2 months ago

A friendly reminder that this issue had no activity for 30 days.

mtrmac commented 2 months ago

The error reporting improvement was just included in recently-released Skopeo 1.16.0.

For now I’ll assume that the key mismatch was the underlying cause, but please reopen if that’s not the case.