I configured podman to sign and verify using GPG keys (through policy.json).

I `podman image sign` a couple of images, and verified that:

- I can pull the signed ones
- I cannot pull the non-signed ones

Then I tried to "unconfigure" image signing (deleted policy.json, default.yaml and removed sigstore folders).

Now when I `podman push harbor.example.org/test-project/test-sig:latest` I get the following message:

`Error: Copying this image would require changing layer representation, which we cannot do: "Would invalidate signatures"`

If I add the `--remove-signatures` option, I can push the image into the registry with success.
But if I later push again without adding the `--remove-signatures` option, I get the same message.

My questions are:

- AFAIK GPG signatures are not stored in the remote registry (this is no OCI artefact, like Notation does), so as I purged the sigstore folder and deconfigured, how/where does podman find/detect a signature?
- If the `--remove-signatures` option does what it says it does, as I deconfigured GPG signing, and used it once, I should not require it for later pushes, as there should not be any signature left.
- As I am using Harbor 2.12, is there anything to do on the registry side when deconfiguring GPG image signing?
I am using Debian 12's podman 4.3.1 version.

Thanks in advance for any feedback