Type: Story
Resolution: Done
Priority: Major
Sprints: OTA 254, OTA 255
Recently ART pushed some Cosign / Sigstore signatures to quay.io/openshift-release-dev/ocp-release as part of ART-7995. Those broke graph-builder scrapes, with errors like:
[2024-04-18T15:49:02Z ERROR graph_builder::graph] failed to fetch all release metadata from quay.io/openshift-release-dev/ocp-release
[2024-04-18T15:49:02Z ERROR graph_builder::graph] fetching manifest and manifestref for openshift-release-dev/ocp-release:sha256-5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb.sig: unknown media type ManifestV2S1
as the graph-builder failed to parse the Sigstore signature's media types:
$ oc image info -o json quay.io/openshift-release-dev/ocp-release:sha256-5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb.sig | grep mediaType
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",
vs. its expected release images:
$ oc image info -o json quay.io/openshift-release-dev/ocp-release:4.15.6-x86_64 | grep mediaType
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
  "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
  "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
  "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
  "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
  "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
We mitigated for now by copying actual release image manifests into those tags, but that just got graph-builder scraping working again in the short term. This card is about teaching Cincinnati to handle the presence of tagged Sigstore manifests. Options include:
- Teach Cincinnati about application/vnd.oci.image.manifest.v1+json and application/vnd.dev.cosign.simplesigning.v1+json, so it can process them without choking. See this previous example of extending media-type support.
- Teach Cincinnati to ignore releases that lack the io.openshift.release label (previous discussion). This would be a new direction, but it would also help Cincinnati avoid excessive memory consumption when pointed at a repository containing more than just release images.
Definition of done:
- ART can push new Sigstore signatures into *.sig tags, and our centrally-hosted Cincinnati will keep happily scraping.
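As an added illustration of combining the two options above (this is not Cincinnati's own code, which is Rust), the function below classifies each tag by its manifest media type and by the presence of the io.openshift.release label, so that Cosign signature manifests and other non-release images are skipped instead of aborting the scrape. The field layout assumed for parsed `oc image info -o json` output (top-level mediaType, layers[].mediaType, config.config.Labels) is an assumption, and the samples are constructed from the outputs quoted above.

```python
# Media types quoted in the description above.
DOCKER_MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
OCI_MANIFEST_V1 = "application/vnd.oci.image.manifest.v1+json"
COSIGN_SIMPLESIGNING = "application/vnd.dev.cosign.simplesigning.v1+json"
RELEASE_LABEL = "io.openshift.release"


def classify_manifest(tag, info):
    """Return ("release", None), ("signature", reason) or ("skip", reason).

    `info` is a dict shaped like `oc image info -o json` output (assumed layout).
    A Cosign signature is itself a valid OCI manifest, so it is recognised
    before the generic media-type check rather than after it.
    """
    layer_types = {layer.get("mediaType") for layer in info.get("layers") or []}
    if COSIGN_SIMPLESIGNING in layer_types or tag.endswith(".sig"):
        return "signature", "cosign simplesigning layer or .sig tag"
    media_type = info.get("mediaType")
    if media_type not in (DOCKER_MANIFEST_V2, OCI_MANIFEST_V1):
        return "skip", "unsupported manifest media type %r" % media_type
    labels = ((info.get("config") or {}).get("config") or {}).get("Labels") or {}
    if RELEASE_LABEL not in labels:
        return "skip", "missing %s label" % RELEASE_LABEL
    return "release", None


def select_release_tags(tagged_infos):
    """Filter a {tag: info} mapping down to the tags worth adding to the graph."""
    return sorted(tag for tag, info in tagged_infos.items()
                  if classify_manifest(tag, info)[0] == "release")


# Constructed samples mirroring the two `oc image info` outputs above, plus an
# unrelated OCI image of the kind a mixed repository might contain.
SAMPLES = {
    "4.15.6-x86_64": {
        "mediaType": DOCKER_MANIFEST_V2,
        "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip"}] * 5,
        "config": {"config": {"Labels": {RELEASE_LABEL: "4.15.6"}}},
    },
    "sha256-5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb.sig": {
        "mediaType": OCI_MANIFEST_V1,
        "layers": [{"mediaType": COSIGN_SIMPLESIGNING}],
        "config": {"config": {}},
    },
    "some-unrelated-image": {
        "mediaType": OCI_MANIFEST_V1,
        "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip"}],
        "config": {"config": {"Labels": {"maintainer": "constructed"}}},
    },
}
```

Running `select_release_tags(SAMPLES)` yields only `["4.15.6-x86_64"]`; the signature tag and the unlabeled OCI image are skipped with a reason rather than raising an unknown-media-type error.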
is related to:
- OCPNODE-2231 Validate OpenShift release images using sigstore (Closed)
relates to:
- OTA-1170 [TechPreview] Support verifying release images with Sigstore signatures (Closed)
- OCPSTRAT-1585 Installer enable/disable Sigstore policy, and version-pod failure accessibility (In Progress)
- OCPSTRAT-1245 [Tech Preview] Add sigstore signatures to core OCP payload and enable verification - phase 1 (Closed)
links to:
- RHEA-2024:130539 RHEA: OSUS Enhancement Update