OpenShift Over the Air / OTA-1267

Cincinnati compatibility with Cosign / Sigstore signatures


    • Type: Story
    • Resolution: Done
    • Priority: Major
    • OTA 254, OTA 255

      Recently ART pushed some Cosign / Sigstore signatures to quay.io/openshift-release-dev/ocp-release as part of ART-7995. Those broke graph-builder scrapes, with errors like:

      [2024-04-18T15:49:02Z ERROR graph_builder::graph] failed to fetch all release metadata from quay.io/openshift-release-dev/ocp-release
      [2024-04-18T15:49:02Z ERROR graph_builder::graph] fetching manifest and manifestref for openshift-release-dev/ocp-release:sha256-5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb.sig: unknown media type ManifestV2S1
      

      as the graph-builder failed to parse the Sigstore signature's media types:

      $ oc image info -o json quay.io/openshift-release-dev/ocp-release:sha256-5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb.sig | grep mediaType
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
            "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
      

      vs. its expected release images:

      $ oc image info -o json quay.io/openshift-release-dev/ocp-release:4.15.6-x86_64 | grep mediaType
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      

      We mitigated for now by copying actual release image manifests into those tags, but that just got graph-builder scraping working again in the short term. This card is about teaching Cincinnati to handle the presence of tagged Sigstore manifests. Options include:

      • Teach Cincinnati about application/vnd.oci.image.manifest.v1+json and application/vnd.dev.cosign.simplesigning.v1+json, so it can process them without choking. See this previous example of extending media-type support.
      • Teaching Cincinnati to ignore releases that lack the io.openshift.release label (previous discussion). This would be a new direction, but would also help Cincinnati avoid excessive memory consumption when pointed at a repository containing more than just release images.

      Definition of done:

      • ART can push new Sigstore signatures into *.sig tags, and our centrally-hosted Cincinnati will keep happily scraping.
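
Both options from the description, as an added example (not Cincinnati's own code): a small classifier that recognizes the two manifest media types shown in the `oc image info` output above, routes Cosign `.sig` tags to a skip path, and also skips images that lack the `io.openshift.release` label instead of failing the whole scrape. The sample repository, its config labels and the `stray-tool-image` / `old-schema1-image` tags are constructed; only the two real tags and the media types come from this card.

```python
import re

# Media types exactly as they appear in the page's two `oc image info` outputs.
DOCKER_MANIFEST_V2S2 = "application/vnd.docker.distribution.manifest.v2+json"
OCI_MANIFEST_V1 = "application/vnd.oci.image.manifest.v1+json"
COSIGN_SIMPLESIGNING = "application/vnd.dev.cosign.simplesigning.v1+json"
DOCKER_LAYER = "application/vnd.docker.image.rootfs.diff.tar.gzip"
RELEASE_LABEL = "io.openshift.release"
# Cosign stores a signature under a "sha256-<digest>.sig" tag beside the image.
COSIGN_TAG = re.compile(r"^sha256-[0-9a-f]{64}\.sig$")

def classify(tag, manifest, config_labels):
    """Decide how a graph-builder-style scraper should treat one tag.

    Returns 'release' (feed into the graph), 'signature' (Cosign payload),
    'not-release' (no io.openshift.release label) or 'unknown' (media type
    the scraper does not parse). Anything but 'release' means "skip", never
    "fail the whole scrape", which is what the page's ManifestV2S1 error did.
    """
    if manifest.get("mediaType") not in (DOCKER_MANIFEST_V2S2, OCI_MANIFEST_V1):
        return "unknown"
    layer_types = {layer.get("mediaType") for layer in manifest.get("layers", [])}
    if COSIGN_TAG.match(tag) or COSIGN_SIMPLESIGNING in layer_types:
        return "signature"
    if RELEASE_LABEL not in config_labels:
        return "not-release"
    return "release"

def scrape(repository):
    """Map every tag of a {tag: (manifest, config_labels)} dict to its verdict."""
    return {tag: classify(tag, m, labels) for tag, (m, labels) in repository.items()}

# Constructed sample repository: the first two tags and all media types come from
# the page; the config labels and the last two tags are made up for illustration.
SIG_TAG = "sha256-5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb.sig"
SAMPLE_REPOSITORY = {
    "4.15.6-x86_64": ({"mediaType": DOCKER_MANIFEST_V2S2,
                       "layers": [{"mediaType": DOCKER_LAYER}] * 5},
                      {RELEASE_LABEL: "4.15.6"}),
    SIG_TAG: ({"mediaType": OCI_MANIFEST_V1,
               "layers": [{"mediaType": COSIGN_SIMPLESIGNING}]}, {}),
    "stray-tool-image": ({"mediaType": OCI_MANIFEST_V1,
                          "layers": [{"mediaType": DOCKER_LAYER}]}, {}),
    "old-schema1-image": ({"mediaType": "application/vnd.docker.distribution.manifest.v1+json",
                           "layers": []}, {RELEASE_LABEL: "4.1.0"}),
}

if __name__ == "__main__":
    for tag, verdict in scrape(SAMPLE_REPOSITORY).items():
        print(f"{verdict:12} {tag}")
```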

              People: Pratik Mahajan (pratikam), W. Trevor King (trking), Jian Li