-
Notifications
You must be signed in to change notification settings - Fork 782
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
proxy: Policy verification of OCI Image before pulling #2029
Conversation
The above change causes the following output if a container image signed by sigstore is given the wrong key:
|
92beea2
to
1cf4feb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, OK I think this makes sense to just do by default.
Are there cases where we want the equivalent of skopeo inspect --insecure-policy
? Hmm...perhaps not.
As a procedural note I've created experimental-image-proxy label to track PRs to this subsystem. |
Rebasing to sync the branch |
Unsure why the CI is failing "timed out". The tests for ostree-rs-ext passed on the previous run and work locally on my end. Would the owners kindly re-rerun the ostree-rs-ext test as I suspect it was a flake |
There's a "Re-run" button next to the check...I clicked it, but so far not seeing a change? |
FWIW we do see the |
Ah, dang. OK, I'm reopening ostreedev/ostree-rs-ext#322 (comment) |
Signed-off-by: RishabhSaini <rsaini@redhat.com>
Updated |
@@ -266,6 +268,23 @@ func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (replyBuf, | |||
return ret, err | |||
} | |||
|
|||
unparsedTopLevel := image.UnparsedInstance(imgsrc, nil) | |||
policy, err := signature.DefaultPolicy(h.sysctx) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While I think this is OK for now, maybe it makes sense to cache this in the future?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ideally, cache the PolicyContext
(as long as it is used from a single thread).
(Right now that does not make a difference, but a branch caching the imported keys in a native format inside a PolicyContext
is floating around.)
I was thinking more about this and one problem, and this is basically what motivated #1829 is that basically well I kind of originally painted us into a corner in having e.g. But then...in practice the policy does default to being unset except for a few special base images in e.g. RHEL. So...we may mostly be OK here. I also think issue 1829 is still highly relevant in that we do want to drop the ultra-hacky code in https://github.com/ostreedev/ostree-rs-ext/blob/main/lib/src/container/skopeo.rs#L10 Anyways...I think we're probably OK. I want to do some more testing of this PR myself. To be clear did you do the whole thing with setting up e.g. cosign and requiring it in the container policy? |
Yes, I have tested this system by singing and uploading a signed container image to my registry using cosign and skopeo. Then rebasing from the remote registry behaves appropriately. |
if err != nil { | ||
return ret, err | ||
} | ||
allowed, err := policyContext.IsRunningImageAllowed(context.Background(), unparsedTopLevel) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here'd what we want is a new API like IsRunningImageSigned
and it would fail if the signature policy is insecureAcceptAnything
for ostreedev/ostree-rs-ext#79
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A late review I’m afraid.
@@ -266,6 +268,23 @@ func (h *proxyHandler) openImageImpl(args []any, allowNotFound bool) (replyBuf, | |||
return ret, err | |||
} | |||
|
|||
unparsedTopLevel := image.UnparsedInstance(imgsrc, nil) | |||
policy, err := signature.DefaultPolicy(h.sysctx) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was there a specific reason not to use opts.global.getPolicyContext
here?
That would also immediately handle --insecure-policy
per #2029 (review) .
policyContext, err := signature.NewPolicyContext(policy) | ||
if err != nil { | ||
return ret, err | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
policyContext.Destroy
is required by the API when done.
if !allowed || err != nil { | ||
return ret, err | ||
} | ||
if !allowed && err == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is dead code AFAICS. The code has already returned ret, nil
above.
Should be resolved by #2048. |
Helps address the lack of policy verification in rpm-ostree:
coreos/rpm-ostree#4272
An Image pull triggered by
rpm-ostree rebase
will look to verify the policy by default as a part ofOpenImage
The other route taken here adds a new API call
#1829