• Bug
    • Resolution: Done
    • Undefined
    • 4.8.0, 4.6.8, 4.7.5
    • 4.6.0, 4.7.0
    • Central
    • None
    • Quality / Stability / Reliability
    • False
    • False
    • Moderate

      Verifying OCP image signatures fails even when they have a valid signature.

      How to reproduce

      • Add Red Hat Release Key 3 signature integration, disabling transparency log verification.
      • Scan any OCP image, for example:
        roxctl image scan --image=quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c896b5d4b05343dfe94c0f75c9232a2a68044d0fa7a21b5f51ed796d23f1fcc5 --insecure-skip-tls-verify --force
        
      • Verification for all signatures fails.

              rh-ee-gualvare Guzman Alvarez
              ACS Sensor & Ecosystem