- Bug
- Resolution: Not a Bug
- Major
- 4.20.0
- Quality / Stability / Reliability
- False
- Critical
- Proposed
Description of problem:
After enabling SigstoreImageVerification, images from quay.io/openshift-release-dev/ocp-release are not pulled due to a SignatureVerificationFailed error.
Version-Release number of selected component (if applicable):
4.20
How reproducible:
Before enabling SigstoreImageVerification, try to pull an image from quay.io/openshift-release-dev/ocp-release; the image is pulled successfully. Enable this feature with the TechPreviewNoUpgrade featureSet. Then try to pull any other image from the same repo and folder. An error saying that the signature verification failed will be shown.
Steps to Reproduce:
1. Create a project (oc new-project cluster1) and a new pod pulling any image from quay.io/openshift-release-dev/ocp-release ("newpod1.yaml")
2. Check that the image is going to be pulled successfully ("pod_success_log.txt")
3. Enable TechPreviewNoUpgrade and check that "openshift" cluster policy is available by default: oc get clusterimagepolicy
4. Wait until policy.json and sigstore-registries.yaml are created/updated with policy info
5. Create another project: oc new-project test2 ("newpod2.yaml")
6. Create a pod that pulls the image from any tag under path quay.io/openshift-release-dev/ocp-release
Actual results:
Signature is not accepted. An error saying "cryptographic signature verification failed: crypto/rsa: verification error" is shown ("pod_error_log.txt").
Expected results:
Default signature should work.
Additional info:
Other images were tested; the same behavior was observed.
- relates to: OCPNODE-3513 post-merge testing: ClusterImagePolicy and ImagePolicy to v1 (Closed)
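To confirm which requirement a node's policy.json applies to a given pull after step 4, the sketch below resolves the effective scope the way containers-policy.json(5) describes for the docker transport (most specific scope first). It is an added example, not part of the original report or of OpenShift's code; the sample policy is constructed, the keyData value is a placeholder, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like /etc/containers/policy.json (assumption: the
# real file on a node differs; keyData here is a placeholder, not a real key).
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {"docker": {
    "quay.io/openshift-release-dev/ocp-release": [
      {"type": "sigstoreSigned",
       "keyData": "PLACEHOLDER_BASE64_PUBLIC_KEY",
       "signedIdentity": {"type": "matchRepository"}}
    ]
  }}
}
""")


def candidate_scopes(image):
    """Yield docker-transport scopes for an image, most specific first."""
    yield image                                  # full reference (tag or digest)
    repo = image.split("@", 1)[0]                # drop a digest, if any
    if ":" in repo.rsplit("/", 1)[-1]:           # drop a tag, keep registry port
        repo = repo.rsplit(":", 1)[0]
    parts = repo.split("/")
    for n in range(len(parts), 0, -1):           # repository, namespaces, host
        yield "/".join(parts[:n])
    labels = parts[0].split(":")[0].split(".")   # host without port
    for i in range(1, len(labels)):              # wildcard scopes, e.g. *.io
        yield "*." + ".".join(labels[i:])


def effective_requirements(policy, image):
    """Return (matched_scope, requirements) that govern a docker:// pull."""
    docker = policy.get("transports", {}).get("docker", {})
    for scope in candidate_scopes(image):
        if scope in docker:
            return scope, docker[scope]
    if "" in docker:                             # transport-wide default scope
        return "", docker[""]
    return "default", policy["default"]          # global default


def requires_sigstore(policy, image):
    """True when the governing requirements include a sigstoreSigned entry."""
    _, reqs = effective_requirements(policy, image)
    return any(r.get("type") == "sigstoreSigned" for r in reqs)
```

On a node, pass the parsed contents of policy.json instead of `SAMPLE_POLICY`; any tag under the scoped repository resolves to the same sigstoreSigned requirement.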