A few days ago, I set up a custom image based on quay[.]io/fedora-ostree-desktops/silverblue:42
However, I’ve hit a brick wall. I’ve been unable to rebase to the signed image and currently can’t upgrade my system.
I get the following when trying to rebase:
$ sudo bootc switch --enforce-container-sigpolicy ghcr.io/myGithub/fedora-bootc:latest
ERROR Switching: Pulling: Creating importer: failed to invoke method OpenImage: failed to invoke method OpenImage: A signature was required, but no signature exists
My bootc status is the following:
$ sudo bootc status
● Booted image: ghcr.io/myGithub/fedora-bootc:latest
Digest: sha256:ff05513f713d3d9d6b0df797c262d1e50f49fc33cae371639f202b4021f4af3c
Version: latest (2025-03-10 20:28:35 UTC)
Rollback image: ghcr.io/myGithub/fedora-bootc:latest
Digest: sha256:fdaca628329c4b7eaa5f89e95a1b8422d7cb0ce3a97907fc7f065198fa9602ee
Version: latest (2025-03-10 19:07:27 UTC)
My rpm-ostree status is the following:
$ rpm-ostree status
State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: inactive
Deployments:
● ostree-unverified-registry:ghcr.io/myGithub/fedora-bootc:latest
Digest: sha256:ff05513f713d3d9d6b0df797c262d1e50f49fc33cae371639f202b4021f4af3c
Version: latest (2025-03-10T20:31:33Z)
ostree-unverified-registry:ghcr.io/myGithub/fedora-bootc:latest
Digest: sha256:fdaca628329c4b7eaa5f89e95a1b8422d7cb0ce3a97907fc7f065198fa9602ee
Version: latest (2025-03-10T19:09:36Z)
My /etc/containers/policy.json is the following:
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "docker": {
            "ghcr.io/myGithub/fedora-bootc": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/etc/pki/containers/myGithub_fedora-bootc.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }
                }
            ]
        }
    }
}
and to verify that the key does exist,
$ ls /etc/pki/containers/myGithub_fedora-bootc.pub
/etc/pki/containers/myGithub_fedora-bootc.pub
The only reason that comes to mind why this is not working is that according to Fedora’s “Roadmap to Fedora Bootable Containers” (Roadmap to Fedora Bootable Containers (#26) · Issues · fedora / Fedora Atomic Desktops / SIG Issue Tracker · GitLab), under “Switching to composefs” they mention that they are currently not using signatures. Does this mean my derived container also has no signature?
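As an added illustration (not part of the original post, and not code from bootc or containers/image): a simplified resolver for the scope lookup that containers-policy.json(5) describes, run over the policy quoted above to show which requirement governs a given image reference. The function names are hypothetical and scopes are compared as plain strings.

```python
import json

# Policy from the post, compacted and embedded so the example runs offline.
POLICY = json.loads("""
{"default": [{"type": "insecureAcceptAnything"}],
 "transports": {
  "docker-daemon": {"": [{"type": "insecureAcceptAnything"}]},
  "docker": {"ghcr.io/myGithub/fedora-bootc": [{
      "type": "sigstoreSigned",
      "keyPath": "/etc/pki/containers/myGithub_fedora-bootc.pub",
      "signedIdentity": {"type": "matchRepository"}}]}}}
""")

def candidate_scopes(ref):
    """Yield docker-transport scopes for ref, most specific first."""
    yield ref                                   # exact name with tag or digest
    repo = ref.split("@")[0]
    if ":" in repo.rsplit("/", 1)[-1]:          # drop a tag, keep a registry port
        repo = repo[:repo.rindex(":")]
    parts = repo.split("/")
    for i in range(len(parts), 0, -1):          # repository, namespaces, host
        yield "/".join(parts[:i])
    labels = parts[0].split(":")[0].split(".")
    for i in range(1, len(labels)):             # wildcard scopes such as *.example.com
        yield "*." + ".".join(labels[i:])

def effective_requirements(policy, ref, transport="docker"):
    """Return (matched scope, requirement list) that governs ref."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(ref):
        if scope in scopes:
            return scope, scopes[scope]
    if "" in scopes:                            # transport-wide default
        return "", scopes[""]
    return None, policy["default"]              # global default

def signature_required(requirements):
    """True when the requirement list contains any signature check."""
    return any(r["type"] in ("signedBy", "sigstoreSigned") for r in requirements)

if __name__ == "__main__":
    for ref in ("ghcr.io/myGithub/fedora-bootc:latest",
                "quay.io/fedora-ostree-desktops/silverblue:42"):
        scope, reqs = effective_requirements(POLICY, ref)
        print(ref, "->", repr(scope), [r["type"] for r in reqs],
              "signature required:", signature_required(reqs))
```

With this policy the derived image resolves to the repository-scoped `sigstoreSigned` entry, while the Silverblue base image falls through to the global `insecureAcceptAnything` default.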