Skip to content

OCPBUGS-48180: modules/containers-signature-verify-skopeo: security.access.redhat.com key source #86821

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

OCPBUGS-48180: modules/containers-signature-verify-skopeo: security.access.redhat.com key source #86821

wants to merge 1 commit into from

Conversation

wking
Copy link
Member

@wking wking commented Jan 8, 2025
edited by ShaunaDiaz
Loading

Version(s): 4.12+

Issue:
OCPBUGS-48180

Link to docs preview:
Using skopeo to verify signatures of Red Hat container images, step 2

QE review:

  • QE has approved this change.

@wking
modules/containers-signature-verify-skopeo: security.access.redhat.co…
fffd2a8 
…m key source

Current outgoing docs are from 33130f4 (OCPBUGS#19749: add
verification for unsigned containers, 2024-01-09, openshift#68949) and they
recommend:

  $ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt

But in 2024-09, that content was moved to a new location (with a 301
redirect):

  $ curl -isL https://access.redhat.com/security/data/fd431d51.txt | grep -i 'HTTP\|Location\|PUBLIC'
  HTTP/2 301
  location: https://security.access.redhat.com/data/fd431d51.txt
  HTTP/1.1 200 OK
  -----BEGIN PGP PUBLIC KEY BLOCK-----
  -----END PGP PUBLIC KEY BLOCK-----

And the currently-doc'ed command (which does not allow redirects) will
exit 0 (success) while downloading an empty file:

  $ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  $ echo $?
  0
  $ wc -l pub.key
  0 pub.key

This commit pivots to the new canonical location. And it adds the
-L/--location option to protect ourselves from future moves.

  $ man curl | grep -1 'moved to a different location'
       -L, --location
              (HTTP) If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request
              on  the  new place. If used together with -i, --include or -I, --head, headers from all requested pages will be shown. When authentication is used, curl only sends its credentials to the ini‐
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 8, 2025
@openshift-ci-robot
Copy link

@wking: This pull request references Jira Issue OCPBUGS-48180, which is invalid:

  • expected the bug to target the "4.19.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Current outgoing docs are from 33130f4 (#68949) and they recommend:

$ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt

But in 2024-09, that content was moved to a new location (with a 301 redirect), and the currently-doc'ed command (which does not allow redirects) will exit 0 (success) while downloading an empty file:

$ curl -o pub.key https://access.redhat.com/security/data/fd431d51.txt
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
$ echo $?
0
$ wc -l pub.key
0 pub.key

This commit pivots to the new canonical location. And it adds the -L/--location option to protect ourselves from future moves.

$ man curl | grep -1 'moved to a different location'
    -L, --location
           (HTTP) If the server reports that the requested page has moved to a different location (indicated with a Location: header and a 3XX response code), this option will make curl redo the request
           on  the  new place. If used together with -i, --include or -I, --head, headers from all requested pages will be shown. When authentication is used, curl only sends its credentials to the ini‐

Version(s): 4.12 through main

Issue: OCPBUGS-48180

Link to docs preview:

QE review:

  • QE has approved this change.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jan 8, 2025
@wking
Copy link
Member Author

wking commented Jan 8, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jan 8, 2025
@openshift-ci-robot
Copy link

@wking: This pull request references Jira Issue OCPBUGS-48180, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ocpdocs-previewbot
Copy link

🤖 Wed Jan 08 17:50:52 - Prow CI generated the docs preview:

https://86821--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/container_security/security-container-signature.html

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 8, 2025

@wking: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-ci-robot
Copy link

@wking: This pull request references Jira Issue OCPBUGS-48180, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.19.0) matches configured target version for branch (4.19.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira ([email protected]), skipping review request.

In response to this:

Version(s): 4.12+

Issue:
OCPBUGS-48180

Link to docs preview:
Using skopeo to verify signatures of Red Hat container images, step 2

QE review:

  • QE has approved this change.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ShaunaDiaz ShaunaDiaz added this to the Continuous Release milestone Jan 8, 2025
@ShaunaDiaz ShaunaDiaz added the peer-review-done Signifies that the peer review team has reviewed this PR label Jan 8, 2025
ShaunaDiaz
ShaunaDiaz reviewed Jan 8, 2025
View reviewed changes
Copy link
Contributor

@ShaunaDiaz ShaunaDiaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 8, 2025
@bergerhoffer
Copy link
Contributor

The branch/enterprise-4.19 label has been added to this PR.

This is because your PR targets the main branch and is labeled for enterprise-4.18. And any PR going into main must also target the latest version branch (enterprise-4.19).

If the update in your PR does NOT apply to version 4.19 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.

@xiaojiey
Copy link

xiaojiey commented Mar 6, 2025

@lyman9966 Could you please take a look? Thanks.

@obrown1205
Copy link
Contributor

@lyman9966 Could you please take a look? Thanks.

@lyman9966 can you PTAL? cc @wking

@obrown1205
Copy link
Contributor

/label merge-review-needed

@openshift-ci openshift-ci bot added the merge-review-needed Signifies that the merge review team needs to review this PR label Mar 11, 2025
@obrown1205
Copy link
Contributor

/remove-label merge-review-needed

@openshift-ci openshift-ci bot removed the merge-review-needed Signifies that the merge review team needs to review this PR label Mar 11, 2025
@wking
Copy link
Member Author

wking commented Mar 17, 2025

/tide refresh

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ShaunaDiaz ShaunaDiaz ShaunaDiaz left review comments

Assignees

@ShaunaDiaz ShaunaDiaz

Labels
branch/enterprise-4.12 branch/enterprise-4.13 branch/enterprise-4.14 branch/enterprise-4.15 branch/enterprise-4.16 branch/enterprise-4.17 branch/enterprise-4.18 branch/enterprise-4.19 jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. peer-review-done Signifies that the peer review team has reviewed this PR size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
Continuous Release
Development

Successfully merging this pull request may close these issues.
7 participants
@wking @openshift-ci-robot @ocpdocs-previewbot @bergerhoffer @xiaojiey @obrown1205 @ShaunaDiaz