Ahoy! I’m out sick from work and of course that means I need to tinker endlessly with this OCI/bootc stuff.
I’m working on a “Bluefin GTS inspired” image derived from upstream Silverblue, but I can’t seem to wrap my head around the container signing stuff.
I have that working already on a Bluefin derivative here (created using the ublue-os/image-template repository). However, the verification there actually seems like it's probably coming from the ublue-os-signing package, since the image is derived from Bluefin.
This brings me to my new image. The container signing is the same as on the Bluefin derivative, and the same as the ublue-os/image-template repo. The pipeline passes the signing step, and I can verify the key like this:
$ cosign verify --key cosign.pub ghcr.io/skyler544/minus-one:latest
Verification for ghcr.io/skyler544/minus-one:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
... json blob elided
I installed Fedora Silverblue 42 (in a VM) from an old ISO I had lying around and then rebased like so to my new image:
$ sudo bootc switch ghcr.io/skyler544/minus-one && systemctl reboot
All good so far, the image works.
The next step should be rebasing onto the signed image like this:
silver@fedora:~$ sudo bootc switch --enforce-container-sigpolicy ghcr.io/skyler544/minus-one:latest
[sudo] password for silver:
error: Switching: Preparing import: Fetching manifest: failed to invoke method OpenImage: A signature was required, but no signature exists
I’ve been debugging this for a while and can’t for the life of me figure out what the problem is. I made sure that my image has the necessary files (taken from this post), /etc/containers/policy.json and /etc/containers/registries.d/skyler544.yaml, that podman (?) uses to check the sigstore, but I can’t get past this step.
I also found this post that seems to be describing a very similar problem with a minor difference in the error message. Copilot reckons the output of this command will explain the problem:
$ sudo podman --log-level=debug pull ghcr.io/skyler544/minus-one:latest
but I can’t make sense of it. Attaching the output as a file since it’s a lot.
I understand that this is coming out of nowhere but I think that since many of you have been through similar challenges you may have a better idea of what’s going on here than I.
I’m aware that there may be more than a little X/Y problem here but I can’t compare my assumptions to anything because I’m just starting out on this journey.
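As an added example (not part of the post above, and not the ublue-os/image-template's own files), the script below writes the two files that containers/image (the library behind podman, skopeo and bootc) consults when a policy requires a cosign signature, and then checks the pair for the one mismatch that produces exactly "A signature was required, but no signature exists": policy.json demanding `sigstoreSigned` while the registries.d fragment either says nothing for that scope or points at a `lookaside` server that was never populated. cosign pushes its signature as an OCI artifact into the same repository, so the library only finds it when registries.d enables `use-sigstore-attachments` for that scope; `cosign verify` succeeding says nothing about what registries.d tells the library to look for. The registry name, the key path /etc/pki/containers/skyler544.pub, the file name skyler544.yaml and the lookaside URL are assumptions for illustration. With `--enforce-container-sigpolicy`, bootc applies the policy of the running host, so the files have to be present and correct on the system doing the switch, not only baked into the target image.

```shell
#!/bin/sh
# Added example, not from the original post: write the policy.json and
# registries.d pair used for sigstoreSigned verification and check them for
# the "signature required but none found" mismatch.
# REPO, KEY and the file name skyler544.yaml are assumptions for illustration.
set -e

REPO="${REPO:-ghcr.io/skyler544/minus-one}"
KEY="${KEY:-/etc/pki/containers/skyler544.pub}"

# write_policy DIR: policy.json that requires a cosign (sigstore) signature
# from KEY for REPO and rejects every other image by default.
write_policy() {
  cat > "$1/policy.json" <<EOF
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "$REPO": [
        {
          "type": "sigstoreSigned",
          "keyPath": "$KEY",
          "signedIdentity": { "type": "matchRepository" }
        }
      ]
    }
  }
}
EOF
}

# write_registries_d DIR MODE: the registries.d fragment that tells the
# library WHERE to look for the signature.
#   attachments: fetch the signature artifact cosign pushed next to the image
#   lookaside:   ask a separate web server (assumed URL); finds nothing unless
#                someone actually uploaded signatures there
write_registries_d() {
  case "$2" in
    attachments)
      cat > "$1/skyler544.yaml" <<EOF
docker:
  $REPO:
    use-sigstore-attachments: true
EOF
      ;;
    lookaside)
      cat > "$1/skyler544.yaml" <<EOF
docker:
  $REPO:
    lookaside: https://example.invalid/sigstore
EOF
      ;;
    *) echo "unknown mode: $2" >&2; return 2 ;;
  esac
}

# check_pair DIR: 0 when policy.json demands sigstoreSigned for REPO and the
# registries.d fragment enables sigstore attachments for the same scope,
# 1 otherwise (the combination that yields "no signature exists").
check_pair() {
  grep -q '"sigstoreSigned"' "$1/policy.json" || return 1
  grep -q "\"$REPO\"" "$1/policy.json" || return 1
  grep -q "^  $REPO:" "$1/skyler544.yaml" || return 1
  grep -q 'use-sigstore-attachments: true' "$1/skyler544.yaml" || return 1
  return 0
}

# Demo: write both registries.d variants into a scratch directory and report.
d=$(mktemp -d)
write_policy "$d"
for mode in lookaside attachments; do
  write_registries_d "$d" "$mode"
  if check_pair "$d"; then
    echo "$mode: policy and registries.d agree, signature will be looked up in-registry"
  else
    echo "$mode: policy requires a signature the library will never find here"
  fi
done
rm -rf "$d"
```

To apply this on a real host, the generated policy.json replaces /etc/containers/policy.json (after merging any other transports already listed there), the yaml goes to /etc/containers/registries.d/, the public key goes to the keyPath named in the policy, and `sudo podman pull` of the image is a cheaper way than a bootc switch to see whether the library now finds and validates the signature.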