When a ClusterImagePolicy is set on a scope to accept sigstore signatures, the underlying registry needs to be configured with use-sigstore-attachments: true.
machine-config-operator/pkg/controller/container-runtime-config/helpers.go (line 936 in 444decb) does do that for the configured scope; but the use-sigstore-attachments option applies not to the “logical name”, but to each underlying mirror individually.
I.e. the option needs to be on every mirror of the scope. Without that, if the image is found on one of such mirrors, the c/image code will not be looking for signatures on the mirror, and policy enforcement is likely to fail.
Thanks for writing up this summary 🙇 I've opened OCPBUGS-36344 with a Jira-side copy of this report, and an attempt at reproducer steps, for convenient tracking on the Jira side.