Closed: RobusTetus closed this issue 9 months ago.
Hum, this is weird. I will have to look at this.
Hum, I indeed have the same error with podman but cosign tells me the images signatures are valid. 🤔
Yes, I have noticed on quay.io that the cosign signatures are indeed there. I have read the Red Hat docs on sigstore verification, but there is nothing different from what you have in README.md. I am genuinely confused about what is breaking.
podman pull --log-level=debug quay.io/toolbx-images/centos-toolbox:stream9
INFO[0000] podman filtering at log level debug
DEBU[0000] Called pull.PersistentPreRunE(podman pull --log-level=debug quay.io/toolbx-images/centos-toolbox:stream9)
DEBU[0000] Using conmon: "/usr/bin/conmon"
INFO[0000] Using boltdb as database backend
DEBU[0000] Initializing boltdb state at /var/home/tim/.local/share/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/home/tim/.local/share/containers/storage
DEBU[0000] Using run root /run/user/1000/containers
DEBU[0000] Using static dir /var/home/tim/.local/share/containers/storage/libpod
DEBU[0000] Using tmp dir /run/user/1000/libpod/tmp
DEBU[0000] Using volume path /var/home/tim/.local/share/containers/storage/volumes
DEBU[0000] Using transient store: false
DEBU[0000] [graphdriver] trying provided driver "overlay"
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that overlay is supported
DEBU[0000] Cached value indicated that metacopy is not being used
DEBU[0000] Cached value indicated that native-diff is usable
DEBU[0000] backingFs=xfs, projectQuotaSupported=false, useNativeDiff=true, usingMetacopy=false
DEBU[0000] Initializing event backend journald
DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument
DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument
DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument
DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument
DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument
DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument
DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument
DEBU[0000] Using OCI runtime "/usr/bin/crun"
INFO[0000] Setting parallel job count to 25
DEBU[0000] Pulling image quay.io/toolbx-images/centos-toolbox:stream9 (policy: always)
DEBU[0000] Looking up image "quay.io/toolbx-images/centos-toolbox:stream9" in local containers storage
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
DEBU[0000] Trying "quay.io/toolbx-images/centos-toolbox:stream9" ...
DEBU[0000] parsed reference into "[overlay@/var/home/tim/.local/share/containers/storage+/run/user/1000/containers]@8b5cb3b4ad68ab1d5014c4009bfc60f845f0f41b1c89022d04033a21d490b399"
DEBU[0000] Found image "quay.io/toolbx-images/centos-toolbox:stream9" as "quay.io/toolbx-images/centos-toolbox:stream9" in local containers storage
DEBU[0000] Found image "quay.io/toolbx-images/centos-toolbox:stream9" as "quay.io/toolbx-images/centos-toolbox:stream9" in local containers storage ([overlay@/var/home/tim/.local/share/containers/storage+/run/user/1000/containers]@8b5cb3b4ad68ab1d5014c4009bfc60f845f0f41b1c89022d04033a21d490b399)
DEBU[0000] exporting opaque data as blob "sha256:8b5cb3b4ad68ab1d5014c4009bfc60f845f0f41b1c89022d04033a21d490b399"
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf"
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/000-shortnames.conf"
DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] }
DEBU[0000] Attempting to pull candidate quay.io/toolbx-images/centos-toolbox:stream9 for quay.io/toolbx-images/centos-toolbox:stream9
DEBU[0000] parsed reference into "[overlay@/var/home/tim/.local/share/containers/storage+/run/user/1000/containers]quay.io/toolbx-images/centos-toolbox:stream9"
Trying to pull quay.io/toolbx-images/centos-toolbox:stream9...
DEBU[0000] Copying source image //quay.io/toolbx-images/centos-toolbox:stream9 to destination image [overlay@/var/home/tim/.local/share/containers/storage+/run/user/1000/containers]quay.io/toolbx-images/centos-toolbox:stream9
DEBU[0000] Using registries.d directory /etc/containers/registries.d
DEBU[0000] Trying to access "quay.io/toolbx-images/centos-toolbox:stream9"
DEBU[0000] No credentials matching quay.io/toolbx-images/centos-toolbox found in /run/user/1000/containers/auth.json
DEBU[0000] No credentials matching quay.io/toolbx-images/centos-toolbox found in /var/home/tim/.config/containers/auth.json
DEBU[0000] Found credentials for quay.io/toolbx-images/centos-toolbox in credential helper containers-auth.json in file /var/home/tim/.docker/config.json
DEBU[0000] Lookaside configuration: using "docker" namespace quay.io/toolbx-images
DEBU[0000] No signature storage configuration found for quay.io/toolbx-images/centos-toolbox:stream9, using built-in default file:///var/home/tim/.local/share/containers/sigstore
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/quay.io
DEBU[0000] Sigstore attachments: using "docker" namespace quay.io/toolbx-images
DEBU[0000] GET https://quay.io/v2/
DEBU[0000] Ping https://quay.io/v2/ status 401
DEBU[0000] GET https://quay.io/v2/auth?account=openshift-release-dev%2Bocm_access_c273414d3a374a04b57d071678c1f310&scope=repository%3Atoolbx-images%2Fcentos-toolbox%3Apull&service=quay.io
DEBU[0000] Increasing token expiration to: 60 seconds
DEBU[0000] GET https://quay.io/v2/toolbx-images/centos-toolbox/manifests/stream9
DEBU[0000] Content-Type from manifest GET is "application/vnd.oci.image.index.v1+json"
DEBU[0000] Using SQLite blob info cache at /var/home/tim/.local/share/containers/cache/blob-info-cache-v1.sqlite
DEBU[0000] Source is a manifest list; copying (only) instance sha256:d95326eb8f36e881f449e106efa70cea95304fb5ac9e8add538d1ee4f57b2246 for current system
DEBU[0000] GET https://quay.io/v2/toolbx-images/centos-toolbox/manifests/sha256:d95326eb8f36e881f449e106efa70cea95304fb5ac9e8add538d1ee4f57b2246
DEBU[0001] Content-Type from manifest GET is "application/vnd.oci.image.manifest.v1+json"
DEBU[0001] IsRunningImageAllowed for image docker:quay.io/toolbx-images/centos-toolbox:stream9
DEBU[0001] Using transport "docker" specific policy section quay.io/toolbx-images
DEBU[0001] Reading /var/home/tim/.local/share/containers/sigstore/toolbx-images/centos-toolbox@sha256=d95326eb8f36e881f449e106efa70cea95304fb5ac9e8add538d1ee4f57b2246/signature-1
DEBU[0001] Looking for sigstore attachments in quay.io/toolbx-images/centos-toolbox:sha256-d95326eb8f36e881f449e106efa70cea95304fb5ac9e8add538d1ee4f57b2246.sig
DEBU[0001] GET https://quay.io/v2/toolbx-images/centos-toolbox/manifests/sha256-d95326eb8f36e881f449e106efa70cea95304fb5ac9e8add538d1ee4f57b2246.sig
DEBU[0001] Content-Type from manifest GET is "application/json"
DEBU[0001] Fetching sigstore attachment manifest failed, assuming it does not exist: reading manifest sha256-d95326eb8f36e881f449e106efa70cea95304fb5ac9e8add538d1ee4f57b2246.sig in quay.io/toolbx-images/centos-toolbox: manifest unknown
DEBU[0001] Requirement 0: denied, done
DEBU[0001] Error pulling candidate quay.io/toolbx-images/centos-toolbox:stream9: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists
Error: copying system image from manifest list: Source image rejected: A signature was required, but no signature exists
DEBU[0001] Shutting down engines
Looks like this is related to multi-arch images. I have the following other repositories that work but they are x86_64 only: https://github.com/travier/quay-containerfiles
In my test repo (https://github.com/travier/cosign-test), the cosign example does not "work" but the podman one does:
# Validates using cosign but podman pull fails
$ cosign verify --key quay.io-travier-containers.pub quay.io/travier/cosign-example:latest-cosign
$ podman pull --log-level=debug quay.io/travier/cosign-example:latest-cosign
# Does not validate using cosign but podman pull works
$ cosign verify --key quay.io-travier-containers.pub quay.io/travier/cosign-example:latest-podman
$ podman pull --log-level=debug quay.io/travier/cosign-example:latest-podman
Looks like this is related to multi-arch images.
My device is x86_64 too, so podman should follow my architecture when pulling an image, right?
However, when searching I stumbled upon this blog, where, when pushing the image, they use the --remove-signatures flag:
By default the Podman ecosystem treats signatures as an integral part of the image. So "--remove-signatures" is necessary to make a copy that doesn't include the signatures, including copies that don't preserve the images bit-for-bit exactly.
Maybe the sigstore/cosign-installer@v3.3.0 you are using in the workflow is not signing/pushing images this way 🤔. At this point I am honestly just guessing. 😆
Confirmed with:
$ podman pull --log-level=debug quay.io/travier/cosign-example:latest-cosign-x86_64
which works when the multi-arch image does not. So this is likely an issue in how podman verifies the signature for multi-arch containers. Or we need to build and sign our multi-arch containers differently using cosign.
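To make the failure in the debug log above concrete, here is an added Python model of the decision podman makes (example code written for this page, not podman's, containers/image's or cosign's own code): resolve the most specific policy.json and registries.d scope for the reference, copy only the manifest-list instance for the local platform, and look for a sigstore attachment tagged `sha256-<digest>.sig` for that instance's digest. The index JSON, digests, tag sets and policy/registries.d contents are constructed for the example; the scope-matching order and the `.sig` tag layout follow containers-policy.json(5), containers-registries.d(5) and cosign's tag convention as I understand them. The two tag sets stand in for what `cosign sign` publishes by default (a signature for the index digest only) and what it publishes with `--recursive` (additionally one per platform manifest).

```python
"""Model of podman's 'is this multi-arch image signed?' check.
Added example with constructed data; not the project's code."""
import hashlib
import json

# --- constructed inputs -------------------------------------------------
# Per-platform manifest digests as they would appear in the OCI image index
# (hex values are made up for the example).
AMD64_DIGEST = "sha256:" + "d9" * 32
ARM64_DIGEST = "sha256:" + "aa" * 32

# The tag (e.g. :stream9) resolves to the index; the index digest is the
# sha256 of the exact bytes the registry serves, not of any instance.
INDEX_BYTES = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1,
         "digest": AMD64_DIGEST, "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1,
         "digest": ARM64_DIGEST, "platform": {"architecture": "arm64", "os": "linux"}},
    ],
}, separators=(",", ":")).encode()
INDEX_DIGEST = "sha256:" + hashlib.sha256(INDEX_BYTES).hexdigest()

# Constructed policy.json / registries.d contents in the documented shape.
POLICY = {
    "default": [{"type": "reject"}],
    "transports": {"docker": {
        "quay.io/toolbx-images": [{
            "type": "sigstoreSigned",
            "keyPath": "/etc/pki/containers/quay.io-toolbx-images.pub",
            "signedIdentity": {"type": "matchRepository"},
        }],
    }},
}
REGISTRIES_D = {"docker": {"quay.io/toolbx-images": {"use-sigstore-attachments": True}}}
REF = "quay.io/toolbx-images/centos-toolbox:stream9"


def scope_candidates(ref):
    """Most- to least-specific scopes for a docker reference:
    quay.io/ns/repo:tag -> quay.io/ns/repo -> quay.io/ns -> quay.io -> ''."""
    repo = ref.split("@")[0]
    if ":" in repo.rsplit("/", 1)[-1]:          # strip :tag, keep registry ports
        repo = repo.rsplit(":", 1)[0]
    parts = repo.split("/")
    out = [ref] if ref != repo else []
    while parts:
        out.append("/".join(parts))
        parts.pop()
    out.append("")
    return out


def lookup_scope(table, ref):
    """First scope of `ref` present in a policy or registries.d table."""
    for scope in scope_candidates(ref):
        if scope in table:
            return scope, table[scope]
    return None, None


def sig_tag(digest):
    """Tag under which cosign stores a signature: sha256-<hex>.sig."""
    return digest.replace(":", "-") + ".sig"


def select_instance(index_bytes, arch="amd64", os_name="linux"):
    """The single manifest podman copies 'for current system'."""
    for m in json.loads(index_bytes)["manifests"]:
        p = m.get("platform", {})
        if p.get("architecture") == arch and p.get("os") == os_name:
            return m["digest"]
    raise LookupError("no manifest for %s/%s" % (os_name, arch))


def pull_allowed(ref, index_bytes, repo_tags, arch="amd64"):
    """Return (allowed, reason). The signature must exist for the digest of
    the instance actually copied, not for the index the tag points at."""
    _, reqs = lookup_scope(POLICY["transports"]["docker"], ref)
    req = (reqs or POLICY["default"])[0]
    if req["type"] != "sigstoreSigned":
        return req["type"] == "insecureAcceptAnything", "policy: " + req["type"]
    _, rd = lookup_scope(REGISTRIES_D["docker"], ref)
    if not (rd or {}).get("use-sigstore-attachments"):
        return False, "sigstore attachments not enabled for this scope"
    wanted = sig_tag(select_instance(index_bytes, arch))
    if wanted in repo_tags:
        return True, "found " + wanted
    return False, "A signature was required, but no signature exists (looked for %s)" % wanted


def demo():
    default_tags = {"stream9", sig_tag(INDEX_DIGEST)}            # cosign sign
    recursive_tags = default_tags | {sig_tag(AMD64_DIGEST), sig_tag(ARM64_DIGEST)}  # --recursive
    return {
        "cosign sign": pull_allowed(REF, INDEX_BYTES, default_tags),
        "cosign sign --recursive": pull_allowed(REF, INDEX_BYTES, recursive_tags),
    }


if __name__ == "__main__":
    for how, (ok, why) in demo().items():
        print("%-24s -> %s: %s" % (how, "allowed" if ok else "rejected", why))
```

Running the script shows the default cosign layout rejected with the same "A signature was required, but no signature exists" wording as the log, and the `--recursive` layout accepted. The single-arch `latest-cosign-x86_64` tag works without `--recursive` because there the tag resolves to a plain manifest, so the digest cosign signed and the digest podman verifies are the same one.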
Looks like this is working now! The Fedora & Ubuntu images are still building but I just pulled the CentOS one and it worked for me. Thanks a lot for the report!
I have followed carefully the README.md to set up verification. Just for the record, here is what I did:

/etc/pki/containers
ox-images/images/main/quay.io-toolbx-images.pub
/etc/pki/containers/
/etc/containers/registries.d/quay.io-toolbx-images.yaml
/etc/containers/policy.json

which now contains the following:

After this, trying to download a fresh image with

toolbox --verbose create --image quay.io/toolbx-images/ubuntu-toolbox:23.04

reports the following:

Just to be sure, I checked /etc/pki/containers/quay.io-toolbx-images.pub and it does contain a signature matching this repo.