Closed mtrmac closed 2 months ago
Thanks to @wking for reporting and tracking down this issue.
Thanks for writing up this summary :bow: I've opened OCPBUGS-36344 with a Jira-side copy of this report and an attempt at reproducer steps, for convenient tracking on the Jira side.
I will look into this next sprint. :eyes:
When a `ClusterImagePolicy` is set on a scope to accept sigstore signatures, the underlying registry needs to be configured with `use-sigstore-attachments: true`. https://github.com/openshift/machine-config-operator/blob/444decb1dfd1ebb3fb7c2e5a96ff3b3d53b6f492/pkg/controller/container-runtime-config/helpers.go#L936 does do that for the configured scope; but the `use-sigstore-attachments` option applies not to the “logical name”, but to each underlying mirror individually. I.e. the option needs to be on every mirror of the scope. Without that, if the image is found on one such mirror, the c/image code will not be looking for signatures on the mirror, and policy enforcement is likely to fail.