Loading...

XML

Word

Printable

Type: Story
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- groomed

Story Points:
3
Blocked:
False
Blocked Reason:
None
Ready:
False
Intelligence Requested:
Market:

Sprint:
OTA 254, OTA 255

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Recently ART pushed some Cosign / Sigstore signatures to quay.io/openshift-release-dev/ocp-release as part of ART-7995. Those broke graph-builder scrapes, with errors like:

[2024-04-18T15:49:02Z ERROR graph_builder::graph] failed to fetch all release metadata from quay.io/openshift-release-dev/ocp-release
[2024-04-18T15:49:02Z ERROR graph_builder::graph] fetching manifest and manifestref for openshift-release-dev/ocp-release:sha256-5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb.sig: unknown media type ManifestV2S1

as the graph-builder failed to parse the Sigstore signature's media types:

$ oc image info -o json quay.io/openshift-release-dev/ocp-release:sha256-5a5943dea60b40f73ecee685b12fff1d65cc8bfe946f762fdfe862969483ddbb.sig | grep mediaType
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
      "mediaType": "application/vnd.dev.cosign.simplesigning.v1+json",

vs. its expected release images:

$ oc image info -o json quay.io/openshift-release-dev/ocp-release:4.15.6-x86_64 | grep mediaType
  "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",

We mitigated for now by copying actual release image manifests into those tags, but that just got graph-builder scraping working again in the short term. This card is about teaching Cincinnati to handle the presence of tagged Sigstore manifests. Options include:

Teach Cincinnati about application/vnd.oci.image.manifest.v1+json and application/vnd.dev.cosign.simplesigning.v1+json, so it can process them without choking. See this previous example of extending media-type support.
Teaching Cincinnati to ignore releases that lack the io.openshift.release label (previous discussion). This would be a new direction, but would also help Cincinnati avoid excessive memory consumption when pointed at a repository containing more than just release images.

Definition of done:

ART can push new Sigstore signatures into *.sig tags, and our centrally-hosted Cincinnati will keep happily scraping.

is related to

OCPNODE-2231 Validate OpenShift release images using sigstore

Closed

relates to

OTA-1170 [TechPreview] Support verifying release images with Sigstore signatures

Closed

OCPSTRAT-1585 Installer enable/disable Sigstore policy, and version-pod failure accessability

In Progress

OCPSTRAT-1245 [Tech Preview]Add sigstore signatures to core OCP payload and enable verification- phase 1

Closed

links to

openshift/cincinnati#920: OTA-1267: ignore incorrect images instead of erroring out

openshift/enhancements#1633: OTA-1294: enhancements/security/openshift-image-policy: Propose new enhancement

openshift/openshift-tests-private#17854: OCPQE-23539 update release repo

RHEA-2024:130539 RHEA: OSUS Enhancement Update

mentioned on

Merge request - OTA-1267: data/services/cincinnati/cicd/ci-int/saas: Bump production Cincinnati 2024-06-17

(3 links to, 1 mentioned on)

Assignee:: Pratik Mahajan

Reporter:: W. Trevor King

QA Contact:: Jian Li

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/04/18 5:18 PM

Updated:: 2024/08/08 4:12 PM

Resolved:: 2024/06/26 9:37 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates