Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 1461324 - Log image changes on verify-image-signature without --save #19976

Merged
merged 1 commit into from
Jun 20, 2018
Merged

Bug 1461324 - Log image changes on verify-image-signature without --save #19976

merged 1 commit into from
Jun 20, 2018

Conversation

wozniakjan
Copy link
Contributor

@wozniakjan wozniakjan requested review from mfojtik and bparees June 12, 2018 11:24
@openshift-ci-robot openshift-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 12, 2018
@wozniakjan wozniakjan changed the title Bug 1461324 - Log image changes on verify-signature without --save [WIP] Bug 1461324 - Log image changes on verify-signature without --save Jun 12, 2018
@openshift-ci-robot openshift-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 12, 2018
@wozniakjan wozniakjan changed the title [WIP] Bug 1461324 - Log image changes on verify-signature without --save [WIP] Bug 1461324 - Log image changes on verify-image-signature without --save Jun 12, 2018
@bparees bparees self-assigned this Jun 12, 2018
@bparees
Copy link
Contributor

bparees commented Jun 12, 2018

@wozniakjan maybe it would be worth updating the image signature docs to warn people about this behavior?

https://docs.openshift.org/latest/admin_guide/image_signatures.html#verifying-image-signatures-using-openshift-cli

@wozniakjan
Copy link
Contributor Author

@bparees it actually says it, roughly in the middle of that page

"Using the --save flag on already verified image together with invalid GPG key or invalid expected identity causes the saved verification status to be removed, and the image will become unverified."

which is similar to the information the oc command gives us

origin/pkg/oc/admin/image/verify-signature.go

Lines 45 to 47 in 5e0bfba

Note that using the "--save" flag on already verified image together with invalid GPG
key or invalid expected identity will cause the saved verification status to be removed
and the image will become "unverified".

@bmcelvee do you think maybe a red exclamation mark would be appropriate here? https://github.com/openshift/openshift-docs/blob/master/admin_guide/image_signatures.adoc

@bparees
Copy link
Contributor

bparees commented Jun 12, 2018

"Using the --save flag on already verified image together with invalid GPG key or invalid expected identity causes the saved verification status to be removed, and the image will become unverified."

@wozniakjan that's not the same as removing the (unverified) signatures which is what happens, right?

@bmcelvee
Copy link

@wozniakjan I agree, it really couldn't hurt to call that line out in an "important" box. As is it's easy for a reader to gloss over it and run into trouble. I can open a docs PR now, or wait to see if additional docs updates are required for this PR.

@wozniakjan
Copy link
Contributor Author

@wozniakjan that's not the same as removing the (unverified) signatures which is what happens, right?

That may very well be. I read the code first and then tried to see if I can find corresponding information in docs and probably made an assumption a little to early. I don't think the code discriminates between verified/unverified signature, it removes all signatures if expected-identity does not match.

origin/pkg/oc/admin/image/verify-signature.go

Lines 211 to 218 in 5e0bfba

for i, s := range img.Signatures {
// Verify the signature against the policy
signedBy, err := o.verifySignature(pc, img, s.Content)
if err != nil {
fmt.Fprintf(o.ErrOut, "error verifying signature %s for image %s (verification status will be removed): %v\n", img.Signatures[i].Name, o.InputImage, err)
img.Signatures[i] = imageapi.ImageSignature{}
continue
}

@wozniakjan I agree, it really couldn't hurt to call that line out in an "important" box. As is it's easy for a reader to gloss over it and run into trouble. I can open a docs PR now, or wait to see if additional docs updates are required for this PR.

@bmcelvee PR emphasizing the information in "important" box would be great I think, maybe also explicitly stating ...saved verified status with all previous signatures to be removed... instead of original ...saved verification status to be removed...

@wozniakjan wozniakjan mentioned this pull request Jun 15, 2018
Merged
@bparees
Copy link
Contributor

bparees commented Jun 19, 2018

@wozniakjan is this still WIP?

@wozniakjan wozniakjan changed the title [WIP] Bug 1461324 - Log image changes on verify-image-signature without --save Bug 1461324 - Log image changes on verify-image-signature without --save Jun 19, 2018
@openshift-ci-robot openshift-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2018
@wozniakjan
Copy link
Contributor Author

@bparees thanks for the reminder, removing the WIP. Wasn't entirely sure whether docs update or more verbose logging, and in the end, both might complement each other well

@bparees
Copy link
Contributor

bparees commented Jun 19, 2018

@bparees thanks for the reminder, removing the WIP. Wasn't entirely sure whether docs update or more verbose logging, and in the end, both might complement each other well

yeah i think both are good.

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Jun 19, 2018
@openshift-ci-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bparees, wozniakjan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 19, 2018
@bparees
Copy link
Contributor

bparees commented Jun 19, 2018

/retest

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

2 similar comments
@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-bot
Copy link
Contributor

/retest

Please review the full test history for this PR and help us cut down flakes.

@openshift-merge-robot openshift-merge-robot merged commit f5b16cb into openshift:master Jun 20, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mfojtik mfojtik Awaiting requested review from mfojtik

@bparees bparees Awaiting requested review from bparees

@juanvallejo juanvallejo Awaiting requested review from juanvallejo

@soltysh soltysh Awaiting requested review from soltysh

Assignees

@bparees bparees

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. component/image lgtm Indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@wozniakjan @bparees @bmcelvee @openshift-ci-robot @openshift-bot @openshift-merge-robot