Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
None

Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Intelligence Requested:
Market:

Regression:
None

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

PX Impact Score:

The previous fix for ACM-21309 (PR #7807) attempted to allow unsigned images by setting a global default: insecureAcceptAnything policy.
However, installations on OCP 4.19 still fail when pulling from registry.redhat.io with: Source image rejected: A signature was required.

Investigation (supported by OCPBUGS-55106) reveals that RHCOS 4.19 ships with a /etc/containers/policy.json that explicitly enforces signature verification for:
- registry.redhat.io
- registry.access.redhat.com

These are defined under the docker transport.
Because specific scope matches take precedence over the default scope, the global insecure setting is ignored for these registries.

This ticket tracks the fix to explicitly inject insecureAcceptAnything for these specific registry scopes under the docker transport.

impacts account

OCPBUGS-55106 RHCOS 4.19 live iso x86_64 contains restrictive policy.json

Verified

ACM-21309 Nightly images should be signed or served from other registry

Resolved

links to

openshift/assisted-service#8493: ACM-27290: Explicitly set docker transport in policy.json

Assignee:: Omer Vishlitzky

Reporter:: Omer Vishlitzky

QA Contact:: Gal Amado

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2025/12/07 11:45 AM

Updated:: 2025/12/09 3:33 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates