invalid signature when validating ASN.1 encoded signature
I've replaced the keys in my repository because I thought something broke and that it would be a possible solution, then realized nothing was actually broken, but it was already too late and I had changed them.
The images build fine, but when trying to do rpm-ostree upgrade or rebase to the unverified image, I get:
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature
(repo link)
You have 2 choices here. You can either:
1. Rebase to your image as an unsigned ref (ostree-unverified-image:docker://image.registry/name), reboot, and then rebase back to a signed ref (ostree-image-signed:docker://image.registry/name)
2. Take your public key and put it somewhere in /etc/
   - Update /etc/containers/policy.json to point to the new public key path
   - Run rpm-ostree upgrade and reboot
   - Revert the policy.json changes so it will use the public key that's part of your image
We do have an open issue to try to come up with a mechanism for easily moving over to a new set of keys, but haven't gotten around to that.
Linked issue: feat: Add ability to sign with at least 2 keys · Issue #195 · blue-...
"We should add a way for our users to be able to sign their image with at least 2 different keys to allow migrating from one key to another. This would be useful for instances where a key leaked and..."
Shit, sorry I didn't fully read your screenshot
I've not seen that before
Are you able to pull that image at all with podman?
Also a link to your repo would be helpful
Linked repo: GitHub - sneexy-boi/bluebuild-custom
podman seems to be pulling in the image successfully
I think I found the bug, I'm working on a fix
OH wait, the bug I found isn't related to this
Could you post your /etc/containers/policy.json? I'm really unsure what's happening here. @fiftydinar @Gerblesh have any idea?
It looks like the same error when I screwed up
How'd you fix it?
The same way that Ublue solved the issue
Solution
I'll copy my answer:
For anyone who encounters this, these are the steps to solve the issue:
1. Copy the new cosign.pub from your repo to /etc/pki/containers/$your_image_name.pub
   sudo cp your-cosign.pub /etc/pki/containers/$your_image_name.pub
2. Modify /etc/containers/policy.json: locate your image registry link and, in keyPath, edit the location from /usr/etc to /etc
   "keyPath": "/etc/pki/containers/$your_image_name.pub"
3. Run rpm-ostree upgrade & reboot
4. Copy the new policy.json
   sudo cp /usr/etc/containers/policy.json /etc/containers/policy.json
5. Profit
You can verify whether the new cosign key & policy.json are in use here. If they're not listed, then you're good. This command tracks changed files in /etc compared to /usr/etc:
sudo ostree admin config-diff
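The key-rotation procedure above (both the two-choice answer earlier in the thread and the step list in this solution) as a dry run you can execute offline. This is an added example written for this thread, not code from the thread, from BlueBuild, or from uBlue. It assumes a scratch directory standing in for "/", a constructed policy.json whose shape follows containers-policy.json(5), and placeholder values for the image name, registry and key contents. It also adds a pre-flight check the thread does not show: comparing the key file each keyPath points at against the cosign.pub now in the repo, which is exactly the mismatch that produces the "invalid signature when validating ASN.1 encoded signature" error.

```shell
#!/bin/sh
# Added example for this thread (not code from the thread or from BlueBuild/uBlue):
# a dry run of the key-rotation steps against a constructed policy.json in a scratch
# directory that stands in for "/".  The image name, registry and key file contents
# are placeholders; the policy shape follows containers-policy.json(5).

# Constructed sample of the relevant part of /etc/containers/policy.json.  On a real
# system the entry is keyed by the image's registry path and keyPath points into
# /usr/etc, i.e. at the key shipped inside the image.
write_sample_policy() {
    cat > "$1" <<'EOF'
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "ghcr.io/example-user/example-image": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/example-image.pub",
          "signedIdentity": { "type": "matchRepository" }
        }
      ]
    }
  }
}
EOF
}

# Print every keyPath value in a policy file, one per line (plain sed, no jq needed).
policy_keypaths() {
    sed -n 's/.*"keyPath"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# The policy.json edit from the solution: keyPath /usr/etc/... -> /etc/... so the key
# you copied into /etc/pki/containers is trusted instead of the one baked into the image.
rewrite_keypath_to_etc() {
    sed 's#"keyPath"\([[:space:]]*:[[:space:]]*\)"/usr/etc/#"keyPath"\1"/etc/#' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Pre-flight check: does every key the policy will trust match the cosign.pub now in
# the repo?  A stale key here is what yields "cryptographic signature verification
# failed: invalid signature when validating ASN.1 encoded signature".
# Usage: policy_key_matches POLICY NEW_PUB [ROOT]   (ROOT prefixes keyPath; "" on a real host)
policy_key_matches() {
    policy=$1; newpub=$2; root=${3:-}; bad=0
    for kp in $(policy_keypaths "$policy"); do
        if [ ! -f "$root$kp" ]; then
            echo "missing key file: $root$kp"; bad=1
        elif ! cmp -s "$root$kp" "$newpub"; then
            echo "stale key: $root$kp differs from $newpub"; bad=1
        else
            echo "ok: $root$kp matches $newpub"
        fi
    done
    return $bad
}

# Walk the fix in a scratch root.  Returns 0 when the rotated key is trusted at the end.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/usr/etc/pki/containers" "$scratch/etc/pki/containers" "$scratch/etc/containers"
    echo "OLD-KEY-PLACEHOLDER" > "$scratch/usr/etc/pki/containers/example-image.pub"
    echo "NEW-KEY-PLACEHOLDER" > "$scratch/new-cosign.pub"
    write_sample_policy "$scratch/etc/containers/policy.json"

    echo "== before: policy still trusts the key baked into the image"
    policy_key_matches "$scratch/etc/containers/policy.json" "$scratch/new-cosign.pub" "$scratch" || true

    # step 1: sudo cp your-cosign.pub /etc/pki/containers/$your_image_name.pub
    cp "$scratch/new-cosign.pub" "$scratch/etc/pki/containers/example-image.pub"
    # step 2: edit keyPath from /usr/etc to /etc
    rewrite_keypath_to_etc "$scratch/etc/containers/policy.json"
    # (step 3, rpm-ostree upgrade + reboot, is not simulated here)

    echo "== after: policy trusts the rotated key"
    policy_key_matches "$scratch/etc/containers/policy.json" "$scratch/new-cosign.pub" "$scratch"
    result=$?
    rm -rf "$scratch"
    return $result
}

demo
```

On a real host you would run policy_key_matches against /etc/containers/policy.json and the cosign.pub from your repo with an empty ROOT, before the rpm-ostree upgrade, so a stale or missing key is caught without a failed pull; after step 4 (copying the image's policy.json back) the same check should report a match only if the key baked into the new image is the rotated one.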
yep, this works