From 2ac0d4108aa1bf4c9a5561017e8f9365375272fc Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Fri, 17 Jan 2025 11:27:32 +0200 Subject: [PATCH 01/13] Adjust mirror registry script to support signature copy --- test/bin/mirror_registry.sh | 57 ++++++++++++++++++++++++++----------- 1 file changed, 40 insertions(+), 17 deletions(-) diff --git a/test/bin/mirror_registry.sh b/test/bin/mirror_registry.sh index a641dfc33a..93699968a0 100755 --- a/test/bin/mirror_registry.sh +++ b/test/bin/mirror_registry.sh @@ -18,6 +18,26 @@ setup_prereqs() { "${SCRIPTDIR}/../../scripts/dnf_retry.sh" "install" "podman skopeo jq" fi + # Create registry repository base directory structure + mkdir -p "${MIRROR_REGISTRY_DIR}" + mkdir -p "${QUAY_CONFIG_DIR}" + + # Create a new pull secret file containing authentication information for both + # remote (from PULL_SECRET environment) and local registries + cat > "${QUAY_CONFIG_DIR}/microshift_auth.json" < "${QUAY_CONFIG_DIR}/pull_secret.json" + chmod 600 "${QUAY_CONFIG_DIR}/pull_secret.json" + # Reset the pull secret variable to point to the new file + PULL_SECRET="${QUAY_CONFIG_DIR}/pull_secret.json" + # TLS authentication is disabled in Quay local registry. The mirror-images.sh # helper uses skopeo without TLS options and it defaults to https, so we need # to configure registries.conf.d for skopeo to try http instead. 
@@ -42,25 +62,28 @@ setup_prereqs() { insecure = true EOF - # Create registry repository base directory structure - mkdir -p "${MIRROR_REGISTRY_DIR}" - mkdir -p "${QUAY_CONFIG_DIR}" +# Complete the source registry configuration to use sigstore attachments. +# Note that registry.redhat.io.yaml should already be present. +sudo bash -c 'cat > /etc/containers/registries.d/registry.quay.io.yaml' < "${QUAY_CONFIG_DIR}/microshift_auth.json" < /etc/containers/registries.d/registry.quay.local.yaml' < "${QUAY_CONFIG_DIR}/pull_secret.json" - chmod 600 "${QUAY_CONFIG_DIR}/pull_secret.json" - # Reset the pull secret variable to point to the new file - PULL_SECRET="${QUAY_CONFIG_DIR}/pull_secret.json" } setup_registry() { From cdcf7bf90777c4d22abb1fcde466c19639fee3ab Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Fri, 17 Jan 2025 14:48:28 +0200 Subject: [PATCH 02/13] Adjust kickstart configuration to support signature verification --- .../includes/post-containers.cfg | 43 +++++++++++++++---- 1 file changed, 35 insertions(+), 8 deletions(-) diff --git a/test/kickstart-templates/includes/post-containers.cfg b/test/kickstart-templates/includes/post-containers.cfg index 3dc39ec896..7996f3327f 100644 --- a/test/kickstart-templates/includes/post-containers.cfg +++ b/test/kickstart-templates/includes/post-containers.cfg 
@@ -15,6 +15,7 @@ cat > /etc/containers/registries.conf.d/999-microshift-mirror.conf < /etc/containers/registries.conf.d/999-microshift-mirror.conf < /etc/containers/registries.conf.d/999-microshift-mirror.conf < /etc/containers/RedHat_ReleaseKey3.pub + +# Configure containers policy to use the Red Hat public key +if [ -f /etc/containers/policy.json ] ; then + mv /etc/containers/policy.json /etc/containers/policy.json.orig +fi cat > /etc/containers/policy.json < /etc/containers/registries.d/registry.quay.io.yaml <> /etc/hosts < Date: Sun, 19 Jan 2025 09:52:14 +0200 Subject: [PATCH 03/13] Add authfile argument to skopeo commands --- test/bin/pyutils/build_bootc_images.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/bin/pyutils/build_bootc_images.py b/test/bin/pyutils/build_bootc_images.py index 940faf5ca5..7b2c50b363 100644 --- a/test/bin/pyutils/build_bootc_images.py +++ b/test/bin/pyutils/build_bootc_images.py @@ -393,6 +393,7 @@ def ostree_rev_in_registry(ce_imgref): try: dst_ref_cmd = [ "skopeo", "inspect", + "--authfile", PULL_SECRET, f"docker://{ce_targetimg}", "2>/dev/null", "|", "jq", "-r", "'.Labels[\"ostree.commit\"]'" @@ -438,6 +439,7 @@ def ostree_rev_in_registry(ce_imgref): # necessary for subsequent builds that depend on this container image copy_args = [ "sudo", "skopeo", "copy", + "--authfile", PULL_SECRET, f"docker://{ce_targetimg}", f"containers-storage:{ce_localimg}" ] From fecb474afdf9a4bbb5c772b496b2a248c0246f4a Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Sun, 19 Jan 2025 10:11:33 +0200 Subject: [PATCH 04/13] Add authfile argument to rpm-ostree command --- test/bin/pyutils/build_bootc_images.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/test/bin/pyutils/build_bootc_images.py b/test/bin/pyutils/build_bootc_images.py index 7b2c50b363..f9d40d97bc 100644 --- a/test/bin/pyutils/build_bootc_images.py +++ b/test/bin/pyutils/build_bootc_images.py 
@@ -423,9 +423,12 @@ def ostree_rev_in_registry(ce_imgref): common.record_junit(ce_path, "process-container-encapsulate", "SKIPPED") return - # Run the container image build command + # Run the container image build command. + # The REGISTRY_AUTH_FILE setting is required for skopeo to succeed + # in accessing container registries that might require authentication. build_args = [ - "sudo", "rpm-ostree", "compose", + "sudo", f"REGISTRY_AUTH_FILE={PULL_SECRET}", + "rpm-ostree", "compose", "container-encapsulate", "--repo", os.path.join(IMAGEDIR, "repo"), ce_imgref, From f89c985a7a92efdf888f9489299eba14e1c67a0c Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Sun, 19 Jan 2025 13:01:19 +0200 Subject: [PATCH 05/13] Explicitly add Red Hat Release Public key contents --- .../includes/post-containers.cfg | 42 +++++++++++++++---- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/test/kickstart-templates/includes/post-containers.cfg b/test/kickstart-templates/includes/post-containers.cfg index 7996f3327f..a974dff6b6 100644 --- a/test/kickstart-templates/includes/post-containers.cfg +++ b/test/kickstart-templates/includes/post-containers.cfg @@ -1,7 +1,7 @@ # The pull secret is mandatory for MicroShift builds on top of OpenShift, but not OKD # The /etc/crio/crio.conf.d/microshift.conf references the /etc/crio/openshift-pull-secret file mkdir -p /etc/crio -cat > /etc/crio/openshift-pull-secret < /etc/crio/openshift-pull-secret <<'EOF' REPLACE_PULL_SECRET EOF chmod 600 /etc/crio/openshift-pull-secret 
@@ -9,7 +9,7 @@ chmod 600 /etc/crio/openshift-pull-secret # Setup mirror registries configuration here, as the hostname is dynamic and the file is verbose. # Use hostnames as IP addresses are not allowed. mkdir -p /etc/containers/registries.conf.d -cat > /etc/containers/registries.conf.d/999-microshift-mirror.conf < /etc/containers/registries.conf.d/999-microshift-mirror.conf <<'EOF' [[registry]] prefix = "" location = "REPLACE_MIRROR_HOSTNAME:REPLACE_MIRROR_PORT" @@ -33,15 +33,33 @@ cat > /etc/containers/registries.conf.d/999-microshift-mirror.conf < /etc/containers/RedHat_ReleaseKey3.pub +cat > /etc/containers/RedHat_ReleaseKey3.pub <<'EOF' +pub 4096R/E60D446E63405576 2024-09-20 +uid Red Hat, Inc. (release key 3) + +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ASyuH2TLWvBUqPHZ4Ip +75g7EncBkgQHdJnjzxAW5KQTMh/siBoB/BoSrtiPMwnChbTCnQOIQeZuDiFnhuJ7 +M/D3b7JoX0m123NcCSn67mAdjBa6Bg6kukZgCP4ZUZeESajWX/EjylFcRFOXW57p +RDCEN42J/jYlVqt+g9+Grker8Sz86H3l0tbqOdjbz/VxHYhwF0ctUMHsyVRDq2QP +tqzNXlmlMhS/PoFr6R4u/7HCn/K+LegcO2fAFOb40KvKSKKVD6lewUZErhop1CgJ +XjDtGmmO9dGMF71mf6HEfaKSdy+EE6iSF2A2Vv9QhBawMiq2kOzEiLg4nAdJT8wg +ZrMAmPCqGIsXNGZ4/Q+YTwwlce3glqb5L9tfNozEdSR9N85DESfQLQEdY3CalwKM +BT1OEhEX1wHRCU4drMOej6BNW0VtscGtHmCrs74jPezhwNT8ypkyS+T0zT4Tsy6f +VXkJ8YSHyenSzMB2Op2bvsE3grY+s74WhG9UIA6DBxcTie15NSzKwfzaoNWODcLF +p7BY8aaHE2MqFxYFX+IbjpkQRfaeQQsouDFdCkXEFVfPpbD2dk6FleaMTPuyxtIT +gjVEtGQK2qGCFGiQHFd4hfV+eCA63Jro1z0zoBM5BbIIQ3+eVFwt3AlZp5UVwr6d +secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ== +-----END PUBLIC KEY----- +EOF # Configure containers policy to use the Red Hat public key if [ -f /etc/containers/policy.json ] ; then mv /etc/containers/policy.json /etc/containers/policy.json.orig fi -cat > /etc/containers/policy.json < /etc/containers/policy.json <<'EOF' { "default": [ { 
@@ -69,14 +87,22 @@ cat > /etc/containers/policy.json < /etc/containers/registries.d/registry.quay.io.yaml < /etc/containers/registries.d/registry.quay.io.yaml <<'EOF' docker: quay.io/openshift-release-dev: use-sigstore-attachments: true EOF +# Configure the MicroShift local registries to use sigstore attachments +cat > /etc/containers/registries.d/registry.quay.local.yaml <<'EOF' +docker: + REPLACE_MIRROR_HOSTNAME:REPLACE_MIRROR_PORT: + use-sigstore-attachments: true +EOF + # Add the mirror registry host name resolution -cat >> /etc/hosts <> /etc/hosts <<'EOF' REPLACE_VM_BRIDGE_IP REPLACE_MIRROR_HOSTNAME EOF From dd1a8731d6da8f57a6fe4a2c3b447f08592f5e5e Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Sun, 19 Jan 2025 13:29:32 +0200 Subject: [PATCH 06/13] Add sigstore setting to registry.redhat.io configuration --- test/bin/mirror_registry.sh | 19 ++++++++++++++++--- .../includes/post-containers.cfg | 8 -------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/test/bin/mirror_registry.sh b/test/bin/mirror_registry.sh index 93699968a0..6b195a9840 100755 --- a/test/bin/mirror_registry.sh +++ b/test/bin/mirror_registry.sh 
@@ -41,7 +41,7 @@ EOF # TLS authentication is disabled in Quay local registry. The mirror-images.sh # helper uses skopeo without TLS options and it defaults to https, so we need # to configure registries.conf.d for skopeo to try http instead. - sudo bash -c 'cat > /etc/containers/registries.conf.d/900-microshift-mirror.conf' << EOF + sudo bash -c 'cat > /etc/containers/registries.conf.d/900-microshift-mirror.conf' < /etc/containers/registries.d/registry.quay.io.yaml' < /etc/containers/registries.d/registry.quay.io.yaml' <<'EOF' docker: quay.io: use-sigstore-attachments: true EOF +if [ -e /etc/containers/registries.d/registry.redhat.io.yaml ] && + [ ! -e /etc/containers/registries.d/registry.redhat.io.yaml.orig ]; then + sudo mv /etc/containers/registries.d/registry.redhat.io.yaml /etc/containers/registries.d/registry.redhat.io.yaml.orig +fi + +sudo bash -c 'cat > /etc/containers/registries.d/registry.redhat.io.yaml' <<'EOF' +docker: + registry.redhat.io: + use-sigstore-attachments: true + sigstore: https://registry.redhat.io/containers/sigstore +EOF + # Configure the destination local registry to use sigstore attachments. # Note: The sigstore staging directory is required because not all registries # support direct copy of signatures. In this case, the signatures are downloaded diff --git a/test/kickstart-templates/includes/post-containers.cfg b/test/kickstart-templates/includes/post-containers.cfg index a974dff6b6..ddbea99fd3 100644 --- a/test/kickstart-templates/includes/post-containers.cfg +++ b/test/kickstart-templates/includes/post-containers.cfg 
@@ -87,14 +87,6 @@ cat > /etc/containers/policy.json <<'EOF' } EOF -# Configure the MicroShift remote registries to use sigstore attachments -# Note that registry.redhat.io.yaml should already be present. -cat > /etc/containers/registries.d/registry.quay.io.yaml <<'EOF' -docker: - quay.io/openshift-release-dev: - use-sigstore-attachments: true -EOF - # Configure the MicroShift local registries to use sigstore attachments cat > /etc/containers/registries.d/registry.quay.local.yaml <<'EOF' docker: From 687a33cf4d5b40f2e0529118e5348bacb19974ef Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Sun, 19 Jan 2025 16:37:06 +0200 Subject: [PATCH 07/13] Add quay.io sigstore setting in kickstart --- test/kickstart-templates/includes/post-containers.cfg | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/test/kickstart-templates/includes/post-containers.cfg b/test/kickstart-templates/includes/post-containers.cfg index ddbea99fd3..d1a35170e1 100644 --- a/test/kickstart-templates/includes/post-containers.cfg +++ b/test/kickstart-templates/includes/post-containers.cfg @@ -87,7 +87,13 @@ cat > /etc/containers/policy.json <<'EOF' } EOF -# Configure the MicroShift local registries to use sigstore attachments +# Configure the MicroShift remote and local registries to use sigstore attachments +cat > /etc/containers/registries.d/registry.quay.io.yaml <<'EOF' +docker: + quay.io/openshift-release-dev: + use-sigstore-attachments: true +EOF + cat > /etc/containers/registries.d/registry.quay.local.yaml <<'EOF' docker: REPLACE_MIRROR_HOSTNAME:REPLACE_MIRROR_PORT: From 5c2871b00533301dac4d30d55d23cdeac70718fd Mon Sep 17 00:00:00 2001 
From: Gregory Giguashvili Date: Sun, 19 Jan 2025 17:07:59 +0200 Subject: [PATCH 08/13] Add option to toggle sigstore verification in kickstart --- test/bin/scenario.sh | 2 + .../includes/post-containers-sigstore.cfg | 66 ++++++++++++++++ .../includes/post-containers.cfg | 77 ++----------------- .../kickstart-bootc.ks.template | 5 ++ .../kickstart-centos.ks.template | 5 ++ .../kickstart-liveimg.ks.template | 5 ++ .../kickstart-templates/kickstart.ks.template | 5 ++ 7 files changed, 93 insertions(+), 72 deletions(-) create mode 100644 test/kickstart-templates/includes/post-containers-sigstore.cfg diff --git a/test/bin/scenario.sh b/test/bin/scenario.sh index de6e833876..a267c8c133 100755 --- a/test/bin/scenario.sh +++ b/test/bin/scenario.sh @@ -26,6 +26,7 @@ VM_BOOT_TIMEOUT=1200 # Overall total boot times are around 15m VM_GREENBOOT_TIMEOUT=1800 # Greenboot readiness may take up to 15-30m depending on the load SKIP_SOS=${SKIP_SOS:-false} # may be overridden in global settings file SKIP_GREENBOOT=${SKIP_GREENBOOT:-false} # may be overridden in scenario file +IMAGE_SIGSTORE_ENABLED=true # may be overridden in scenario file VNC_CONSOLE=${VNC_CONSOLE:-false} # may be overridden in global settings file TEST_RANDOMIZATION="all" # may be overridden in scenario file TEST_EXECUTION_TIMEOUT="30m" # may be overriden in scenario file @@ -300,6 +301,7 @@ prepare_kickstart() { -e "s|REPLACE_MIRROR_HOSTNAME|${hostname}|g" \ -e "s|REPLACE_MIRROR_PORT|${MIRROR_REGISTRY_PORT}|g" \ -e "s|REPLACE_VM_BRIDGE_IP|${VM_BRIDGE_IP}|g" \ + -e "s|REPLACE_IMAGE_SIGSTORE_ENABLED|${IMAGE_SIGSTORE_ENABLED}|g" \ "${ifile}" > "${output_file}" done record_junit "${vmname}" "prepare_kickstart" "OK" diff --git a/test/kickstart-templates/includes/post-containers-sigstore.cfg b/test/kickstart-templates/includes/post-containers-sigstore.cfg new file mode 100644 index 0000000000..4488a322ed --- /dev/null +++ b/test/kickstart-templates/includes/post-containers-sigstore.cfg 
@@ -0,0 +1,66 @@ +# Red Hat public keys are published at https://access.redhat.com/security/team/key. +# Currently release key 3 is used. +cat > /etc/containers/RedHat_ReleaseKey3.pub <<'EOF' +pub 4096R/E60D446E63405576 2024-09-20 +uid Red Hat, Inc. (release key 3) + +-----BEGIN PUBLIC KEY----- +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ASyuH2TLWvBUqPHZ4Ip +75g7EncBkgQHdJnjzxAW5KQTMh/siBoB/BoSrtiPMwnChbTCnQOIQeZuDiFnhuJ7 +M/D3b7JoX0m123NcCSn67mAdjBa6Bg6kukZgCP4ZUZeESajWX/EjylFcRFOXW57p +RDCEN42J/jYlVqt+g9+Grker8Sz86H3l0tbqOdjbz/VxHYhwF0ctUMHsyVRDq2QP +tqzNXlmlMhS/PoFr6R4u/7HCn/K+LegcO2fAFOb40KvKSKKVD6lewUZErhop1CgJ +XjDtGmmO9dGMF71mf6HEfaKSdy+EE6iSF2A2Vv9QhBawMiq2kOzEiLg4nAdJT8wg +ZrMAmPCqGIsXNGZ4/Q+YTwwlce3glqb5L9tfNozEdSR9N85DESfQLQEdY3CalwKM +BT1OEhEX1wHRCU4drMOej6BNW0VtscGtHmCrs74jPezhwNT8ypkyS+T0zT4Tsy6f +VXkJ8YSHyenSzMB2Op2bvsE3grY+s74WhG9UIA6DBxcTie15NSzKwfzaoNWODcLF +p7BY8aaHE2MqFxYFX+IbjpkQRfaeQQsouDFdCkXEFVfPpbD2dk6FleaMTPuyxtIT +gjVEtGQK2qGCFGiQHFd4hfV+eCA63Jro1z0zoBM5BbIIQ3+eVFwt3AlZp5UVwr6d +secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ== +-----END PUBLIC KEY----- +EOF + +# Configure containers policy to use the Red Hat public key +if [ -f /etc/containers/policy.json ] ; then + mv /etc/containers/policy.json /etc/containers/policy.json.orig +fi +cat > /etc/containers/policy.json <<'EOF' +{ + "default": [ + { + "type": "reject" + } + ], + "transports": { + "docker": { + "quay.io/openshift-release-dev": [{ + "type": "sigstoreSigned", + "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub", + "signedIdentity": { + "type": "matchRepoDigestOrExact" + } + }], + "registry.redhat.io": [{ + "type": "sigstoreSigned", + "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub", + "signedIdentity": { + "type": "matchRepoDigestOrExact" + } + }] + } + } +} +EOF + +# Configure the MicroShift remote and local registries to use sigstore attachments +cat > /etc/containers/registries.d/registry.quay.io.yaml <<'EOF' +docker: + quay.io/openshift-release-dev: + use-sigstore-attachments: true 
+EOF + +cat > /etc/containers/registries.d/registry.quay.local.yaml <<'EOF' +docker: + REPLACE_MIRROR_HOSTNAME:REPLACE_MIRROR_PORT: + use-sigstore-attachments: true +EOF diff --git a/test/kickstart-templates/includes/post-containers.cfg b/test/kickstart-templates/includes/post-containers.cfg index d1a35170e1..61113895a3 100644 --- a/test/kickstart-templates/includes/post-containers.cfg +++ b/test/kickstart-templates/includes/post-containers.cfg @@ -6,6 +6,11 @@ REPLACE_PULL_SECRET EOF chmod 600 /etc/crio/openshift-pull-secret +# Add the mirror registry host name resolution +cat >> /etc/hosts <<'EOF' +REPLACE_VM_BRIDGE_IP REPLACE_MIRROR_HOSTNAME +EOF + # Setup mirror registries configuration here, as the hostname is dynamic and the file is verbose. # Use hostnames as IP addresses are not allowed. mkdir -p /etc/containers/registries.conf.d 
@@ -32,75 +37,3 @@ cat > /etc/containers/registries.conf.d/999-microshift-mirror.conf <<'EOF' location = "REPLACE_MIRROR_HOSTNAME:REPLACE_MIRROR_PORT/microshift" insecure = true EOF - -# Red Hat public keys are published at https://access.redhat.com/security/team/key. -# Currently release key 3 is used. -cat > /etc/containers/RedHat_ReleaseKey3.pub <<'EOF' -pub 4096R/E60D446E63405576 2024-09-20 -uid Red Hat, Inc. (release key 3) - ------BEGIN PUBLIC KEY----- -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0ASyuH2TLWvBUqPHZ4Ip -75g7EncBkgQHdJnjzxAW5KQTMh/siBoB/BoSrtiPMwnChbTCnQOIQeZuDiFnhuJ7 -M/D3b7JoX0m123NcCSn67mAdjBa6Bg6kukZgCP4ZUZeESajWX/EjylFcRFOXW57p -RDCEN42J/jYlVqt+g9+Grker8Sz86H3l0tbqOdjbz/VxHYhwF0ctUMHsyVRDq2QP -tqzNXlmlMhS/PoFr6R4u/7HCn/K+LegcO2fAFOb40KvKSKKVD6lewUZErhop1CgJ -XjDtGmmO9dGMF71mf6HEfaKSdy+EE6iSF2A2Vv9QhBawMiq2kOzEiLg4nAdJT8wg -ZrMAmPCqGIsXNGZ4/Q+YTwwlce3glqb5L9tfNozEdSR9N85DESfQLQEdY3CalwKM -BT1OEhEX1wHRCU4drMOej6BNW0VtscGtHmCrs74jPezhwNT8ypkyS+T0zT4Tsy6f -VXkJ8YSHyenSzMB2Op2bvsE3grY+s74WhG9UIA6DBxcTie15NSzKwfzaoNWODcLF -p7BY8aaHE2MqFxYFX+IbjpkQRfaeQQsouDFdCkXEFVfPpbD2dk6FleaMTPuyxtIT -gjVEtGQK2qGCFGiQHFd4hfV+eCA63Jro1z0zoBM5BbIIQ3+eVFwt3AlZp5UVwr6d -secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ== ------END PUBLIC KEY----- -EOF - -# Configure containers policy to use the Red Hat public key -if [ -f /etc/containers/policy.json ] ; then - mv /etc/containers/policy.json /etc/containers/policy.json.orig -fi -cat > /etc/containers/policy.json <<'EOF' -{ - "default": [ - { - "type": "reject" - } - ], - "transports": { - "docker": { - "quay.io/openshift-release-dev": [{ - "type": "sigstoreSigned", - "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub", - "signedIdentity": { - "type": "matchRepoDigestOrExact" - } - }], - "registry.redhat.io": [{ - "type": "sigstoreSigned", - "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub", - "signedIdentity": { - "type": "matchRepoDigestOrExact" - } - }] - } - } -} -EOF - -# Configure the MicroShift remote and local registries to 
use sigstore attachments -cat > /etc/containers/registries.d/registry.quay.io.yaml <<'EOF' -docker: - quay.io/openshift-release-dev: - use-sigstore-attachments: true -EOF - -cat > /etc/containers/registries.d/registry.quay.local.yaml <<'EOF' -docker: - REPLACE_MIRROR_HOSTNAME:REPLACE_MIRROR_PORT: - use-sigstore-attachments: true -EOF - -# Add the mirror registry host name resolution -cat >> /etc/hosts <<'EOF' -REPLACE_VM_BRIDGE_IP REPLACE_MIRROR_HOSTNAME -EOF diff --git a/test/kickstart-templates/kickstart-bootc.ks.template b/test/kickstart-templates/kickstart-bootc.ks.template index 9e09016ffe..b433fbe598 100644 --- a/test/kickstart-templates/kickstart-bootc.ks.template +++ b/test/kickstart-templates/kickstart-bootc.ks.template @@ -6,7 +6,12 @@ %post --log=/dev/console --erroronfail %include /post-microshift.cfg + %include /post-containers.cfg +if REPLACE_IMAGE_SIGSTORE_ENABLED ; then +%include /post-containers-sigstore.cfg +fi + %include /post-system.cfg %include /post-network.cfg diff --git a/test/kickstart-templates/kickstart-centos.ks.template b/test/kickstart-templates/kickstart-centos.ks.template index efd3f1a4a8..d712287c0d 100644 --- a/test/kickstart-templates/kickstart-centos.ks.template +++ b/test/kickstart-templates/kickstart-centos.ks.template @@ -5,7 +5,12 @@ %post --log=/dev/console --erroronfail %include /post-microshift.cfg + %include /post-containers.cfg +if REPLACE_IMAGE_SIGSTORE_ENABLED ; then +%include /post-containers-sigstore.cfg +fi + %include /post-system.cfg %include /post-network.cfg diff --git a/test/kickstart-templates/kickstart-liveimg.ks.template b/test/kickstart-templates/kickstart-liveimg.ks.template index d7216b3d78..58cd20f9b0 100644 --- a/test/kickstart-templates/kickstart-liveimg.ks.template +++ b/test/kickstart-templates/kickstart-liveimg.ks.template 
@@ -5,7 +5,12 @@ %post --log=/dev/console --erroronfail %include /post-microshift.cfg + %include /post-containers.cfg +if REPLACE_IMAGE_SIGSTORE_ENABLED ; then +%include /post-containers-sigstore.cfg +fi + %include /post-system.cfg %include /post-network.cfg %include /post-fips.cfg diff --git a/test/kickstart-templates/kickstart.ks.template b/test/kickstart-templates/kickstart.ks.template index 156f50d58d..da25011bc2 100644 --- a/test/kickstart-templates/kickstart.ks.template +++ b/test/kickstart-templates/kickstart.ks.template @@ -5,7 +5,12 @@ %post --log=/dev/console --erroronfail %include /post-microshift.cfg + %include /post-containers.cfg +if REPLACE_IMAGE_SIGSTORE_ENABLED ; then +%include /post-containers-sigstore.cfg +fi + %include /post-system.cfg %include /post-network.cfg %include /post-fips.cfg From ae1e09b69ddcc376b3b4252bd94b86e50a8b5020 Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Sun, 19 Jan 2025 20:38:25 +0200 Subject: [PATCH 09/13] Make a policy exception for unreleased images used by tests --- test/assets/kustomizations/base/pod-base.yaml | 2 +- test/assets/reboot/pod-with-pvc.yaml | 2 +- .../includes/post-containers-sigstore.cfg | 15 ++++++++++++++- 3 files changed, 16 insertions(+), 3 deletions(-) diff --git a/test/assets/kustomizations/base/pod-base.yaml b/test/assets/kustomizations/base/pod-base.yaml index b20e5baf42..8e01780051 100644 --- a/test/assets/kustomizations/base/pod-base.yaml +++ b/test/assets/kustomizations/base/pod-base.yaml @@ -9,7 +9,7 @@ spec: type: RuntimeDefault containers: - name: test-container - image: nginxinc/nginx-unprivileged:latest + image: docker.io/nginxinc/nginx-unprivileged:latest securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/test/assets/reboot/pod-with-pvc.yaml b/test/assets/reboot/pod-with-pvc.yaml index 1de6a98723..04e160c09f 100644 --- a/test/assets/reboot/pod-with-pvc.yaml +++ b/test/assets/reboot/pod-with-pvc.yaml 
@@ -21,7 +21,7 @@ spec: type: RuntimeDefault containers: - name: test-container - image: nginxinc/nginx-unprivileged:latest + image: docker.io/nginxinc/nginx-unprivileged:latest securityContext: allowPrivilegeEscalation: false capabilities: diff --git a/test/kickstart-templates/includes/post-containers-sigstore.cfg b/test/kickstart-templates/includes/post-containers-sigstore.cfg index 4488a322ed..135b501866 100644 --- a/test/kickstart-templates/includes/post-containers-sigstore.cfg +++ b/test/kickstart-templates/includes/post-containers-sigstore.cfg @@ -20,7 +20,8 @@ secqki/yrmv3Y0dqZ9VOn3UCAwEAAQ== -----END PUBLIC KEY----- EOF -# Configure containers policy to use the Red Hat public key +# Configure Red Hat containers policy to use the Red Hat public key, making +# an exception for unofficial / unreleased images that are used by tests if [ -f /etc/containers/policy.json ] ; then mv /etc/containers/policy.json /etc/containers/policy.json.orig fi @@ -46,6 +47,18 @@ cat > /etc/containers/policy.json <<'EOF' "signedIdentity": { "type": "matchRepoDigestOrExact" } + }], + "quay.io/microshift": [{ + "type": "insecureAcceptAnything" + }], + "quay.io/container-perf-tools": [{ + "type": "insecureAcceptAnything" + }], + "registry.ci.openshift.org": [{ + "type": "insecureAcceptAnything" + }], + "docker.io": [{ + "type": "insecureAcceptAnything" }] } } From e2e8f6b5e78e4700f9ccbd85b37b879d99ecf425 Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Mon, 20 Jan 2025 09:00:55 +0200 Subject: [PATCH 10/13] Signature verification should be disabled by default and reenabled in some cases --- .../includes/post-containers-sigstore.cfg | 2 +- .../includes/post-containers.cfg | 23 +++++++++++++++++++ 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/test/kickstart-templates/includes/post-containers-sigstore.cfg b/test/kickstart-templates/includes/post-containers-sigstore.cfg index 135b501866..836b6c96c8 100644 
--- a/test/kickstart-templates/includes/post-containers-sigstore.cfg +++ b/test/kickstart-templates/includes/post-containers-sigstore.cfg @@ -22,7 +22,7 @@ EOF # Configure Red Hat containers policy to use the Red Hat public key, making # an exception for unofficial / unreleased images that are used by tests -if [ -f /etc/containers/policy.json ] ; then +if [ -e /etc/containers/policy.json ] && [ ! -e /etc/containers/policy.json.orig ]; then mv /etc/containers/policy.json /etc/containers/policy.json.orig fi cat > /etc/containers/policy.json <<'EOF' diff --git a/test/kickstart-templates/includes/post-containers.cfg b/test/kickstart-templates/includes/post-containers.cfg index 61113895a3..e1c65da3a6 100644 --- a/test/kickstart-templates/includes/post-containers.cfg +++ b/test/kickstart-templates/includes/post-containers.cfg @@ -37,3 +37,26 @@ cat > /etc/containers/registries.conf.d/999-microshift-mirror.conf <<'EOF' location = "REPLACE_MIRROR_HOSTNAME:REPLACE_MIRROR_PORT/microshift" insecure = true EOF + +# Skip signature verification for all images by default. +# Tests that support signature verification will overwrite this file and reenable +# it for selected Red Hat registries. +if [ -e /etc/containers/policy.json ] && [ ! -e /etc/containers/policy.json.orig ]; then + mv /etc/containers/policy.json /etc/containers/policy.json.orig +fi +cat > /etc/containers/policy.json <<'EOF' +{ + "default": [ + { + "type": "insecureAcceptAnything" + } + ], + "transports": + { + "docker-daemon": + { + "": [{"type":"insecureAcceptAnything"}] + } + } +} +EOF From 0e555ed8958827edef5bcb152d202b9da4a2281c Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Mon, 20 Jan 2025 09:21:22 +0200 Subject: [PATCH 11/13] Disable signature verification for optional tests --- test/scenarios-bootc/periodics/cos9-src@optional.sh | 3 +++ test/scenarios-bootc/presubmits/el95-src@optional.sh | 3 +++ test/scenarios/periodics/el94-src@optional.sh | 3 +++ 3 files changed, 9 insertions(+) 
diff --git a/test/scenarios-bootc/periodics/cos9-src@optional.sh b/test/scenarios-bootc/periodics/cos9-src@optional.sh index b152b00287..b908c10bd1 100644 --- a/test/scenarios-bootc/periodics/cos9-src@optional.sh +++ b/test/scenarios-bootc/periodics/cos9-src@optional.sh @@ -6,6 +6,9 @@ VM_BRIDGE_IP="$(get_vm_bridge_ip "${VM_MULTUS_NETWORK}")" # shellcheck disable=SC2034 # used elsewhere WEB_SERVER_URL="http://${VM_BRIDGE_IP}:${WEB_SERVER_PORT}" +# Disable signature verification due to unsigned images used in this test +# shellcheck disable=SC2034 # used elsewhere +IMAGE_SIGSTORE_ENABLED=false scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template cos9-bootc-source-optionals diff --git a/test/scenarios-bootc/presubmits/el95-src@optional.sh b/test/scenarios-bootc/presubmits/el95-src@optional.sh index ea239057af..ee4071525a 100644 --- a/test/scenarios-bootc/presubmits/el95-src@optional.sh +++ b/test/scenarios-bootc/presubmits/el95-src@optional.sh @@ -6,6 +6,9 @@ VM_BRIDGE_IP="$(get_vm_bridge_ip "${VM_MULTUS_NETWORK}")" # shellcheck disable=SC2034 # used elsewhere WEB_SERVER_URL="http://${VM_BRIDGE_IP}:${WEB_SERVER_PORT}" +# Disable signature verification due to unsigned images used in this test +# shellcheck disable=SC2034 # used elsewhere +IMAGE_SIGSTORE_ENABLED=false scenario_create_vms() { prepare_kickstart host1 kickstart-bootc.ks.template rhel95-bootc-source-optionals diff --git a/test/scenarios/periodics/el94-src@optional.sh b/test/scenarios/periodics/el94-src@optional.sh index b36673a589..c2b2006ff5 100644 --- a/test/scenarios/periodics/el94-src@optional.sh +++ b/test/scenarios/periodics/el94-src@optional.sh 
@@ -6,6 +6,9 @@ VM_BRIDGE_IP="$(get_vm_bridge_ip "${VM_MULTUS_NETWORK}")" # shellcheck disable=SC2034 # used elsewhere WEB_SERVER_URL="http://${VM_BRIDGE_IP}:${WEB_SERVER_PORT}" +# Disable signature verification due to unsigned images used in this test +# shellcheck disable=SC2034 # used elsewhere +IMAGE_SIGSTORE_ENABLED=false scenario_create_vms() { prepare_kickstart host1 kickstart.ks.template rhel-9.4-microshift-source-optionals From 85cf440c36890e079887e39f8c2e4c3db93b4bed Mon Sep 17 00:00:00 2001 From: Gregory Giguashvili Date: Mon, 20 Jan 2025 09:24:51 +0200 Subject: [PATCH 12/13] Disable signature verification in upgrade / downgrade bootc tests --- .../periodics/el94-prel@el95-crel@upgrade-ok.sh | 5 +++++ .../el94-prel@el95-src@upgrade-fails-and-rolls-back.sh | 5 +++++ .../periodics/el94-prel@el95-src@upgrade-ostree2bootc-ok.sh | 5 +++++ .../el94-yminus2@el95-src@upgrade-ostree2bootc-ok.sh | 5 +++++ .../periodics/el95-crel@el95-src@optional-upgrade.sh | 5 +++++ .../periodics/el95-crel@el95-src@upgrade-fails.sh | 5 +++++ .../periodics/el95-src@upgrade-fails-cannot-backup.sh | 5 +++++ .../presubmits/el94-prel@el95-src@upgrade-ok.sh | 5 +++++ .../presubmits/el94-yminus2@el95-src@upgrade-ok.sh | 5 +++++ .../presubmits/el95-base@el95-src@upgrade-ok.sh | 5 +++++ .../presubmits/el95-crel@el95-src@upgrade-ok.sh | 5 +++++ test/scenarios-bootc/presubmits/el95-src@downgrade-block.sh | 5 +++++ ...el95-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh | 5 +++++ test/scenarios-bootc/presubmits/el95-src@upgrade-fails.sh | 5 +++++ 14 files changed, 70 insertions(+) diff --git a/test/scenarios-bootc/periodics/el94-prel@el95-crel@upgrade-ok.sh b/test/scenarios-bootc/periodics/el94-prel@el95-crel@upgrade-ok.sh index 5709e802df..3a5c02a6d9 100644 --- a/test/scenarios-bootc/periodics/el94-prel@el95-crel@upgrade-ok.sh +++ b/test/scenarios-bootc/periodics/el94-prel@el95-crel@upgrade-ok.sh 
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 dest_image=rhel95-bootc-crel
 scenario_create_vms() {
diff --git a/test/scenarios-bootc/periodics/el94-prel@el95-src@upgrade-fails-and-rolls-back.sh b/test/scenarios-bootc/periodics/el94-prel@el95-src@upgrade-fails-and-rolls-back.sh
index ff9aeac079..3f6fb2c447 100644
--- a/test/scenarios-bootc/periodics/el94-prel@el95-src@upgrade-fails-and-rolls-back.sh
+++ b/test/scenarios-bootc/periodics/el94-prel@el95-src@upgrade-fails-and-rolls-back.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-prel
 launch_vm --boot_blueprint rhel94-bootc
diff --git a/test/scenarios-bootc/periodics/el94-prel@el95-src@upgrade-ostree2bootc-ok.sh b/test/scenarios-bootc/periodics/el94-prel@el95-src@upgrade-ostree2bootc-ok.sh
index 5f46bb7b9f..70f4216229 100644
--- a/test/scenarios-bootc/periodics/el94-prel@el95-src@upgrade-ostree2bootc-ok.sh
+++ b/test/scenarios-bootc/periodics/el94-prel@el95-src@upgrade-ostree2bootc-ok.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 # The y-1 ostree image will be fetched from the cache as it is not built
 # as part of the bootc image build procedure
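Review bot: The comment above `IMAGE_SIGSTORE_ENABLED=false` justifies the setting by the unsigned upgrade target, but the variable is scenario-wide, so the signed image the scenario starts from is presumably no longer verified either and the upgrade path runs with no signature check at all; a line such as `# NOTE: this also skips verification of the signed start image` would make the reduced coverage explicit. The identical four added lines plus blank line are repeated in all 14 files of this patch (the other hunks on this line and on the following lines through el95-src@upgrade-fails.sh); keeping the rationale in one place, or at least pointing each copy at the scenario.sh default, would stop the copies drifting. With the last patch of the series making false the default in scenario.sh, these per-scenario assignments become redundant; if they are meant to outlive a future default of true, the comment should say so.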
diff --git a/test/scenarios-bootc/periodics/el94-yminus2@el95-src@upgrade-ostree2bootc-ok.sh b/test/scenarios-bootc/periodics/el94-yminus2@el95-src@upgrade-ostree2bootc-ok.sh
index 4f7345696c..7bc8568554 100644
--- a/test/scenarios-bootc/periodics/el94-yminus2@el95-src@upgrade-ostree2bootc-ok.sh
+++ b/test/scenarios-bootc/periodics/el94-yminus2@el95-src@upgrade-ostree2bootc-ok.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 # The y-2 ostree image will be fetched from the cache as it is not built
 # as part of the bootc image build procedure
diff --git a/test/scenarios-bootc/periodics/el95-crel@el95-src@optional-upgrade.sh b/test/scenarios-bootc/periodics/el95-crel@el95-src@optional-upgrade.sh
index 35ab348a27..006b5d9b9f 100644
--- a/test/scenarios-bootc/periodics/el95-crel@el95-src@optional-upgrade.sh
+++ b/test/scenarios-bootc/periodics/el95-crel@el95-src@optional-upgrade.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 start_image=rhel95-bootc-crel-optionals
 scenario_create_vms() {
diff --git a/test/scenarios-bootc/periodics/el95-crel@el95-src@upgrade-fails.sh b/test/scenarios-bootc/periodics/el95-crel@el95-src@upgrade-fails.sh
index 599c0d3ad1..be86045334 100644
--- a/test/scenarios-bootc/periodics/el95-crel@el95-src@upgrade-fails.sh
+++ b/test/scenarios-bootc/periodics/el95-crel@el95-src@upgrade-fails.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 start_image=rhel95-bootc-crel
 scenario_create_vms() {
diff --git a/test/scenarios-bootc/periodics/el95-src@upgrade-fails-cannot-backup.sh b/test/scenarios-bootc/periodics/el95-src@upgrade-fails-cannot-backup.sh
index eb06df8be9..8da8310140 100644
--- a/test/scenarios-bootc/periodics/el95-src@upgrade-fails-cannot-backup.sh
+++ b/test/scenarios-bootc/periodics/el95-src@upgrade-fails-cannot-backup.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template rhel95-bootc-source
 launch_vm --boot_blueprint rhel95-bootc
diff --git a/test/scenarios-bootc/presubmits/el94-prel@el95-src@upgrade-ok.sh b/test/scenarios-bootc/presubmits/el94-prel@el95-src@upgrade-ok.sh
index d0397f3f57..9d567900b0 100644
--- a/test/scenarios-bootc/presubmits/el94-prel@el95-src@upgrade-ok.sh
+++ b/test/scenarios-bootc/presubmits/el94-prel@el95-src@upgrade-ok.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-prel
 launch_vm --boot_blueprint rhel94-bootc
diff --git a/test/scenarios-bootc/presubmits/el94-yminus2@el95-src@upgrade-ok.sh b/test/scenarios-bootc/presubmits/el94-yminus2@el95-src@upgrade-ok.sh
index bb1c40edcc..6edda0d393 100644
--- a/test/scenarios-bootc/presubmits/el94-yminus2@el95-src@upgrade-ok.sh
+++ b/test/scenarios-bootc/presubmits/el94-yminus2@el95-src@upgrade-ok.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template rhel94-bootc-yminus2
 launch_vm --boot_blueprint rhel94-bootc
diff --git a/test/scenarios-bootc/presubmits/el95-base@el95-src@upgrade-ok.sh b/test/scenarios-bootc/presubmits/el95-base@el95-src@upgrade-ok.sh
index 567519ff82..e4af682230 100644
--- a/test/scenarios-bootc/presubmits/el95-base@el95-src@upgrade-ok.sh
+++ b/test/scenarios-bootc/presubmits/el95-base@el95-src@upgrade-ok.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template rhel95-bootc-source-base
 launch_vm --boot_blueprint rhel95-bootc
diff --git a/test/scenarios-bootc/presubmits/el95-crel@el95-src@upgrade-ok.sh b/test/scenarios-bootc/presubmits/el95-crel@el95-src@upgrade-ok.sh
index 696e490328..bf6092731b 100644
--- a/test/scenarios-bootc/presubmits/el95-crel@el95-src@upgrade-ok.sh
+++ b/test/scenarios-bootc/presubmits/el95-crel@el95-src@upgrade-ok.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 start_image=rhel95-bootc-crel
 scenario_create_vms() {
diff --git a/test/scenarios-bootc/presubmits/el95-src@downgrade-block.sh b/test/scenarios-bootc/presubmits/el95-src@downgrade-block.sh
index c4a3941593..06a1cf2a26 100644
--- a/test/scenarios-bootc/presubmits/el95-src@downgrade-block.sh
+++ b/test/scenarios-bootc/presubmits/el95-src@downgrade-block.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template rhel95-bootc-source-fake-next-minor
 launch_vm --boot_blueprint rhel95-bootc
diff --git a/test/scenarios-bootc/presubmits/el95-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh b/test/scenarios-bootc/presubmits/el95-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh
index 499514b9ca..6aabdbba9d 100644
--- a/test/scenarios-bootc/presubmits/el95-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh
+++ b/test/scenarios-bootc/presubmits/el95-src@upgrade-fails-on-1st-boot-but-recovers-on-2nd.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template rhel95-bootc-source
 launch_vm --boot_blueprint rhel95-bootc
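Review bot: In the el95-src@downgrade-block.sh hunk the copied comment says the test "performs an upgrade to a target reference unsigned image", but the scenario name and the `rhel95-bootc-source-fake-next-minor` kickstart suggest it exercises a blocked downgrade, so the justification does not describe this scenario. A wording specific to the file, e.g. `# Disable signature verification because the downgrade target is an unsigned image generated by local builds`, keeps the reason for the weakened setting accurate. The other two hunks on this line carry the same comment and are consistent with their upgrade scenarios.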
diff --git a/test/scenarios-bootc/presubmits/el95-src@upgrade-fails.sh b/test/scenarios-bootc/presubmits/el95-src@upgrade-fails.sh
index f76a61e5ee..ed579b5a90 100644
--- a/test/scenarios-bootc/presubmits/el95-src@upgrade-fails.sh
+++ b/test/scenarios-bootc/presubmits/el95-src@upgrade-fails.sh
@@ -2,6 +2,11 @@
 # Sourced from scenario.sh and uses functions defined there.
+# Disable signature verification because the test performs an upgrade to
+# a target reference unsigned image that was generated by local builds
+# shellcheck disable=SC2034 # used elsewhere
+IMAGE_SIGSTORE_ENABLED=false
+
 scenario_create_vms() {
 prepare_kickstart host1 kickstart-bootc.ks.template rhel95-bootc-source
 launch_vm --boot_blueprint rhel95-bootc
From 4ba4768cac102d23395f41a0c75d925be9b00567 Mon Sep 17 00:00:00 2001
From: Gregory Giguashvili
Date: Mon, 20 Jan 2025 13:33:29 +0200
Subject: [PATCH 13/13] Disable container signature verification by default
---
 test/bin/scenario.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/test/bin/scenario.sh b/test/bin/scenario.sh
index a267c8c133..18ebb44c9a 100755
--- a/test/bin/scenario.sh
+++ b/test/bin/scenario.sh
@@ -26,7 +26,9 @@ VM_BOOT_TIMEOUT=1200 # Overall total boot times are around 15m
 VM_GREENBOOT_TIMEOUT=1800 # Greenboot readiness may take up to 15-30m depending on the load
 SKIP_SOS=${SKIP_SOS:-false} # may be overridden in global settings file
 SKIP_GREENBOOT=${SKIP_GREENBOOT:-false} # may be overridden in scenario file
-IMAGE_SIGSTORE_ENABLED=true # may be overridden in scenario file
+# Container image signature verification should be disabled by default in the
+# main branch because not all the images are signed
+IMAGE_SIGSTORE_ENABLED=false # may be overridden in scenario file
 VNC_CONSOLE=${VNC_CONSOLE:-false} # may be overridden in global settings file
 TEST_RANDOMIZATION="all" # may be overridden in scenario file
 TEST_EXECUTION_TIMEOUT="30m" # may be overriden in scenario file
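Review bot: In the test/bin/scenario.sh hunk the new `IMAGE_SIGSTORE_ENABLED=false` is a plain assignment, unlike the neighbouring `SKIP_SOS`, `SKIP_GREENBOOT` and `VNC_CONSOLE` lines that use `${VAR:-default}`, so verification cannot be switched back on from the environment or the global settings file for runs where every image is signed; `IMAGE_SIGSTORE_ENABLED=${IMAGE_SIGSTORE_ENABLED:-false} # may be overridden in global settings or scenario file` keeps the new default while allowing an opt-in. The added comment explains why the default is off but not the condition under which it should be restored; a marker such as `# TODO: re-enable by default once all test images are signed` records that the weakened default is meant to be temporary. Any scenario that previously relied on the old true default now runs without signature verification unless it sets the variable itself.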