-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Image signature not getting verified for container-native builds signed with Cosign #4272
Comments
Thanks for filing this. This is an important issue to me and I want to be sure this works - we want an e2e test for this. I haven't yet context switched to do that. It is certainly possible there are bugs here. This is also related to containers/skopeo#1829 |
Hi, has there been any progress on this? |
Upon initial review, changes might need to be made to |
Deeper inspection revealed that,
@cgwalters any preferences in the solution forward? |
In that model we can't reuse already fetched layers, forcing every update to be an entire re-pull; it's a nonstarter.
This SGTM! |
Did you see the discussion in containers/skopeo#1829 btw? That's very related to the latter path. |
yes also looking over containers/skopeo#1844. Insightful |
I stumbled on this today, and had a look at a few PRs. I am not sure what's is blocking this. Is there a way I can help ? I'm happy to jump in and learn the codebase to contribute the missing bits if I can get a little guidance :) |
Fixed by containers/skopeo#2029 |
Let's keep this open until we have a bit more verification of the fix.
I think actually it's just bumping the |
Hopefully this will help with verification! https://universal-blue.org/blog/2023/07/19/sigstore-signed-images-are-now-here/ Thanks everyone for working on this! |
This does not appear to work for containers signed via the "keyless" method in github action workflows. A github workflow to sign a container using the github actions OIDC token as detailed in the See this example workflow with
Now, extract the certificate from the signature in the registry:
And dump the text of the cert:
The SAN is a URI and not an email address but The resulting signed container is perfectly verifiable using Here is my entire policy.json file:
For kicks I did try putting the URI from the certificate SAN into the |
@cgwalters have you had a chance to review this yet? Presumably what I'm attempting to do is beyond the capabilities of rpm-ostree/skopeo at this time. |
Bump on this again for @cgwalters and @RishabhSaini My conclusion at this point is the sigstore/cosign verification support available in rpm-ostree, podman and skopeo cannot support the keyless cosign signature workflow that works within CI workflows. I think the way containers policy.json allows specifying the certificate subject requires generalization to permit specifying a URI in addition to email. Is there any chance that this change might get picked up in rpm-ostree? It is nice to see support for cosign signed containers however the support appears incomplete. |
Hi, sorry for the delayed reply. We are going to look at doing some work on this issue soon I hope; pulling it more closely into the priority list. |
It is possible to verify keyless signatures with podman - let me try locally to see if I can find the problem with rpm-ostree - and if there is an issue let's get it fixed because it should be working as expected. |
So I don't disagree that podman can verify keyless signatures in the general sense. The problem is keyless signatures made in CI via github actions (in this specific case, I have not tried gitlab CI). Could you share if you're referring to verifying keyless signatures with podman created in a CI job? The certificate SAN is different and none of the documentation I have reviewed for containers policy.json indicates how I can specify a certificate identity other than an email address (Fulcio certificates for CI jobs do not have an email address identity). |
I see now - I read too quickly - if this is a limitation it should not be, I'm going to dig in to fix this (but first I'll be sure it's not just a docs limitation) |
Is rpm-ostree using the signature verification logic in containers/image and containers/skopeo? I do see some skopeo proxy errors when signature validation fails. I very quickly looked through the skopeo and image repos and only found references to subjectEmail for Fulcio certs. If you need any package builds tested let me know, I would be able to test. |
@jmpolom I used a github workflow to sign a container using the github actions OIDC token, just as you have done in a previous message of yours. However, my cert still uses an email address as the SAN and not a URI, so I was not able to reproduce the container image. containers/skopeo#2182 should fix your problem since I've been able to configure my |
Could you link me to the exact github workflow you used? I would like to review it. I was trying to see if there was a way to switch to an email address when performing the signature in a workflow using the OIDC token but could not find anything. Perhaps it has been added or there has been an upstream change I'm not aware of. PR looks reasonable though. Figured it would be fairly straightforward to support the URI based SAN. This definitely should be supported functionality. Question before I can test: on an ostree based system how do I replace something in |
https://github.com/lukewarmtemp/custom-container-images/blob/main/.github/workflows/docker-image.yml
I just use the following to remove immutability and replace the bin in
|
Ah, I think I see why you did not end up with a container signed with a URI as the SAN. Are you defining a github actions secret called I believe you are inadvertently using the "workaround" method for the issue described here. It's not really a workaround because you need to enter the one time code from the workflow in a browser manually so your builds are not really automatic at that point. What you want to use is the I will try to test this later this week. You may want to revise your test workflow to use the workflow token instead of a user defined access token. |
This occurred so far in the past I no longer recall what I was going to test. I don't think I tested anything specific because I probably determined there was in fact nothing to test. I have a container image regularly being signed and I'll probably be building a system this week with it I'll try to pull with signature verification enabled. The PR by @lukewarmtemp did not appear to add the necessary functionality (logic seemed backwards) to resolve this issue. The PR is is also seemingly stalled on ideological grounds by the maintainer @mtrmac not wanting to add support for pulling the identity from the certificate SAN. See the PR for the details. Maybe someone else asking for this to "just work" (R) as it should might get things moving in the right direction. This remains an open issue and this functionality does not work as needed, as of today. |
@jmpolom @sallyom @frzifus @cgwalters
Like @jmpolom mentioned above, the issue is not with rpm-ostree but with github.com/containers/image - it only accepts
I verified that when signing with the non-gh-action manual browser flow where signature has:
The NON-bootc (NON-rpm-ostree) images are properly gated with a carefully configured containers/policy.json. @mtrmac will be helpful here - looks like containers/image needs to learn about gh-actions/workload-identity However, I cannot pull a bootable container image with the same configuration. So there seems to be 2 issues here:
|
so I don't have to look this up again to test, here's the
but what we want to work is this for fulcio (really need only the added subject, the Issuer is not the problem):
and also need this in
|
@sallyom It's actually a URI SAN, so you probably want subjectURI key (see containers/image#2235 (comment) and refer to the RFC). Or generalize the subject to match arbitrary text for what appears in the certificate SAN? Either should work if the maintainer agrees with it.
Is keyless sigstore signature verification completely broken for ostree containers? That would seem to be a worse issue than depicted here. I don't think I ever really could get this working so I can't recall if I ever got a signed image pulled via rpm-ostree or such tools.
I have been back and forth with @mtrmac about this in the draft PR I linked above. He does not seem interested in adding support for matching other texts (like a URI) in the certificate SAN. He believes this would somehow lead to users configuring insecure policies. I think the risk is low and his rationale seemed to be second guessing the decision made by the sigstore community to place certificate identity into the SAN. My thought is using anything else besides the SAN risks compatibility issues down the road? I was considering trying to add in the needed support but I'm not even clear it would be merged due the strong opinions of the maintainer. A fix for this issue has basically been stalled out because of this. There really wasn't a counter proposal from him as to what he'd deem acceptable to merge.
Is keyless sigstore signature verification completely broken for ostree containers? That would seem to be a worse issue than depicted here. I don't think I ever really could get this working so I can't recall if I ever got a signed image pulled via rpm-ostree or such tools. |
I am hoping this is not the case - one thing about testing yesterday is I was using multi-arch manifest list - maybe that was the issue? I will test more today - I'm testing with |
With |
I have a single architecture derivative I'm building that gets signed keylessly via the github OIDC token (so URI SAN). Please feel free to use it as a test case: https://github.com/jmpolom/fedora-ostree-ws-container/pkgs/container/fedora-silverblue-ws As far as I've seen all the centos/fedora bootc images at the end of the day still get built with rpm-ostree so there should be no difference. The underlying ostree libraries being used to pull the ostree container image should all be common anyway. |
I built my own container image based off of @cgwalters's Fedora Silverblue image from this repo, pushed it onto a container registry, and signed it using Cosign. Now, I'm trying to rebase onto it using
ostree-image-signed
, butrpm-ostree
does not seem to be checking for a good signature.I set up
containers-policy.json(5)
andcontainers-registries.d(5)
along with the public key of the image (see below). Interestingly, everything works as expected when I try to pull the image withpodman pull
(i.e., bad signatures are getting rejected). However,rpm-ostree
does not seem to care about bad signatures, or even that one exists at all.I'm not quite sure if I'm doing something wrong here, or if this is a bug. The documentation on this seems to be quite sparse still (understandably).
Host system details
I've tested this both in a virtual machine and on real hardware.
Expected vs actual behavior
I'll be using my pre-made image,
ghcr.io/ahgencer/silverblue:pr-3
, as an example.With good signature
Expected and actual:
So far, so good.
With bad / no signature
Expected:
Actual:
Steps to reproduce it
Starting from a fresh, up-to-date Fedora Silverblue image, add / modify the following files:
/etc/containers/policy.json
:/etc/containers/registries.d/ocitree.yaml
:To test with a known-good signature, the public key in
/etc/pki/containers/ocitree.pub
should be:If we instead use a non-matching public key, the rebase should fail, because effectively it looks like the image was signed using a different private key. Here is one example of a public key that should fail the verification:
If it helps, the repository where I'm building my image can be found in the
pr-cosign
branch here.Would you like to work on the issue?
I'm not familiar enough with
rpm-ostree
(or any other project that might be affected by this) to work on this issue myself.The text was updated successfully, but these errors were encountered: