ClusterImagePolicy’s code to set use-sigstore-attachments does not set it for mirrors #4446

Closed
mtrmac opened this issue Jun 28, 2024 · 3 comments · Fixed by #4449

Comments


mtrmac commented Jun 28, 2024

When a ClusterImagePolicy is set on a scope to accept sigstore signatures, the underlying registry needs to be configured with use-sigstore-attachments: true.

`func generateSigstoreRegistriesdConfig(clusterScopePolicies map[string]signature.PolicyRequirements) ([]byte, error)` does do that for the configured scope; but the use-sigstore-attachments option applies not to the “logical name”, but to each underlying mirror individually.

I.e. the option needs to be on every mirror of the scope. Without that, if the image is found on one of such mirrors, the c/image code will not be looking for signatures on the mirror, and policy enforcement is likely to fail.
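The following is an added illustration of the point above, not code from the machine-config-operator or from the fix in #4449. It models registries.conf as a hypothetical `Registry` struct (a prefix plus its mirror locations), contrasts a scope list that only names the logical scope (the behaviour described in this issue) with one that also remaps the scope onto every mirror, and renders the resulting registries.d fragment in the documented `docker:` / `use-sigstore-attachments: true` form. The function names and the sample scope and mirror hosts are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Registry is a simplified model of one [[registry]] entry in registries.conf:
// images under Prefix may be pulled from any of the Mirrors. This is a
// hypothetical struct for the example, not the operator's own type.
type Registry struct {
	Prefix  string   // e.g. "quay.io/openshift-release-dev"
	Mirrors []string // mirror locations, e.g. "mirror.example.com/ocp"
}

// covers reports whether a registries.conf prefix applies to name:
// an exact match, or name nested under prefix by a path component.
func covers(prefix, name string) bool {
	return name == prefix || strings.HasPrefix(name, prefix+"/")
}

// sigstoreScopesBroken reproduces the behaviour described in the issue:
// only the logical scope from the policy gets use-sigstore-attachments,
// so a pull served by a mirror never looks for signatures there.
func sigstoreScopesBroken(policyScopes []string, _ []Registry) []string {
	out := append([]string(nil), policyScopes...)
	sort.Strings(out)
	return out
}

// sigstoreScopesFixed also lists the corresponding location on every mirror,
// because c/image consults use-sigstore-attachments for the registry it
// actually pulls from, not for the logical name in the policy.
func sigstoreScopesFixed(policyScopes []string, registries []Registry) []string {
	set := map[string]struct{}{}
	for _, scope := range policyScopes {
		set[scope] = struct{}{}
		for _, r := range registries {
			switch {
			case covers(r.Prefix, scope):
				// The scope lives under the prefix: remap the remainder onto each mirror.
				rest := strings.TrimPrefix(scope, r.Prefix)
				for _, m := range r.Mirrors {
					set[m+rest] = struct{}{}
				}
			case covers(scope, r.Prefix):
				// The scope is broader than the prefix: the whole mirror is in scope.
				for _, m := range r.Mirrors {
					set[m] = struct{}{}
				}
			}
		}
	}
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// renderRegistriesD produces the registries.d YAML fragment for the scopes.
func renderRegistriesD(scopes []string) string {
	var b strings.Builder
	b.WriteString("docker:\n")
	for _, s := range scopes {
		fmt.Fprintf(&b, "  %s:\n    use-sigstore-attachments: true\n", s)
	}
	return b.String()
}

func main() {
	// Constructed sample: one policy scope and a registries.conf with two mirrors.
	policy := []string{"quay.io/openshift-release-dev"}
	regs := []Registry{{
		Prefix:  "quay.io",
		Mirrors: []string{"mirror.example.com/quay", "mirror2.example.com/quay"},
	}}
	fmt.Print("--- logical scope only ---\n", renderRegistriesD(sigstoreScopesBroken(policy, regs)))
	fmt.Print("--- scope plus mirrors ---\n", renderRegistriesD(sigstoreScopesFixed(policy, regs)))
}
```

Running it shows the difference directly: the first fragment configures only `quay.io/openshift-release-dev`, while the second also configures `mirror.example.com/quay/openshift-release-dev` and `mirror2.example.com/quay/openshift-release-dev`, the locations the client will actually resolve the image to when a mirror serves it.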


mtrmac commented Jun 28, 2024

Thanks to @wking for reporting and tracking down this issue.


wking commented Jun 28, 2024

Thanks for writing up this summary 🙇 I've opened OCPBUGS-36344 with a Jira-side copy of this report, and an attempt at reproducer steps, so for convenient tracking on the Jira side.

@QiWang19

I will look into this next sprint. 👀
