containers / skopeo

Work with remote image registries - retrieving information, images, signing content

Skopeo copy fails

akshaykumar-vijapur opened this issue

Hello team,

We encountered an issue while attempting to verify a signed image.

We have copied an image named us.icr.io/namespace1/image1 to a different namespace. Below are the details of the process and the error encountered:

Copy the signed image to different namespace:

skopeo copy docker://us.icr.io/namespace1/image1@sha256:d5570a5d02d93d914e1d97231a4e9519fad1f6263782c1edd63d8887a38b93b4 docker://us.icr.io/namespace2/image1@sha256:d5570a5d02d93d914e1d97231a4e9519fad1f6263782c1edd63d8887a38b93b4 --src-creds ***:{API-KEY} --dest-creds ***:{API-KEY}

We attempted to verify the signature of the image present in namespace2 using the following command:

skopeo --policy /tmp/certificates/artifact-13/policy.json copy docker://us.icr.io/namespace2/image1@sha256:d5570a5d02d93d914e1d97231a4e9519fad1f6263782c1edd63d8887a38b93b4 dir:/tmp/tmp.FzBNm4dtWP --src-creds ***:{API-KEY}

Error Encountered:

Source image rejected: None of the signatures were accepted, reasons: Signature for identity us.icr.io/namespace2/image1 is not accepted

Resolution Request:
Any assistance in resolving this issue would be greatly appreciated.

Thanks for reaching out.

You don’t include the policy, so it’s impossible to tell in detail.

In general, the signature includes the identity of the image, and that, by default, matches where the image is copied from (= what the user enters as a request). If the image is moved elsewhere, that obviously doesn’t match.

There are three basic approaches for dealing with this, which can be combined in various ways:

  • The destination of a copy is an ~internal mirror, while the source is the “official location”. In that case, refer to the image using the “official location”, and use redirects in registries.conf (prefix/location) and/or OpenShift ICSP/IDMS/ITMS.
  • The destination of a copy is a mirror, the source is the “official location”, but references must refer to the destination for some reason: Use an appropriate signedIdentity option in policy.json, typically remapIdentity.
  • The source is ~internal (e.g. a staging / beta registry), the destination is the “official location”. In that case, either drop the original signature and re-sign when “publishing” the image using the official name; or make the first signature using --sign-identity and the official name (and potentially reconfigure verification at the source using either of the two approaches above).

@mtrmac

We have confirmed that both images have the same signature. But it still fails with the above error.

here is policy.json

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker-daemon": {
      "": [
        {
          "type": "reject"
        }
      ]
    },
    "docker": {
      "": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "publicKey.gpg"
        }
      ]
    }
  }
}

Is it possible to provide a working command for any of the approaches you mentioned?

Thanks in advance.
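Worked example of the second approach described above (remapIdentity), added here as an illustration rather than a policy taken from this thread or from the skopeo project. It takes the policy.json posted above and adds a scope for us.icr.io/namespace2 whose signedIdentity rewrites that prefix to us.icr.io/namespace1 before matching, so a signature made for us.icr.io/namespace1/image1 is accepted when the image is pulled as us.icr.io/namespace2/image1. The absolute key path is an assumption; substitute the location of your own public key.

```json
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker-daemon": {
      "": [
        { "type": "reject" }
      ]
    },
    "docker": {
      "us.icr.io/namespace2": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/publicKey.gpg",
          "signedIdentity": {
            "type": "remapIdentity",
            "prefix": "us.icr.io/namespace2",
            "signedPrefix": "us.icr.io/namespace1"
          }
        }
      ],
      "": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/publicKey.gpg"
        }
      ]
    }
  }
}
```

The most specific scope wins, so the remapping applies only to references under us.icr.io/namespace2; every other docker:// reference still has to carry a signature for its own identity, and anything not covered by the docker transport is still rejected by the default entry.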

A friendly reminder that this issue had no activity for 30 days.

There’s general guidance above; along with reference documentation, that should be enough to get you started.