-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to bind a signed image at install time #812
Comments
Hm, only glancing at this one thing I notice is
It's a legacy media type, not OCI. This is a thing we should start trying to change across Red Hat images. But indeed there may be a larger conflict here even with OCI that may need fixing. |
Hey @cgwalters we just stumbled on this while tying to locally build one RHEL 9.4 image. With a really simple
That fails with:
|
Hi @Odilhao that issue is related (in fact ultimately the same I suspect) but practically distinct because the failure there is in bootc-image-builder code. For reasons I don't understand really (and we're debating in multiple places), bootc-image-builder ends up copying the input container's rootfs and running it via custom tooling instead of just launching it via a standard OCI mechanism (e.g. podman). |
cc @mvo5 @achilleas-k re ⬆ |
When bootc tries to copy the signed image from the host to the install disk it fails with the following error:
Adding "--remove-signatures" to the
podman image push
command here fixes this error, however the result is an unsigned image. I did some digging through the containers/image code, skopeo docs, and containers-storage.conf docs. It looks like the only way to copy and sign an image is to re-sign the image when copying it, I couldn't find a way to copy a signed image while preserving the signature. I might be missing something though.The text was updated successfully, but these errors were encountered: