How to run image signed using docker content trust in podman?

[sandeep-sarkar]

I signed and pushed an image to docker content trust using following steps:

docker trust key generate dockertest # this generates the public key dockertest.pub

docker trust signer add --key dockertest.pub dockertest sansark1/webhttpd4

docker trust sign docker.io/sansark1/webhttpd4:v1

Then in another machine where I had podman installed, I copied the public key dockertest.pub, and executed below commands:

podman image trust set -t reject default
podman image trust set --pubkeysfile dockertest.pub docker.io/sansark1/webhttpd4:v1

podman login -u sansark1 -p ********  docker.io

And then when I try to create container with the same image I get below error :

podman run -dit --name myapp -p 8080:80 docker.io/sansark1/webhttpd4:v1

Trying to pull docker.io/sansark1/webhttpd4:v1...
Error: Source image rejected: A signature was required, but no signature exists

How to address this issue ?

[mheon]

@vrothberg @mtrmac PTAL

[mtrmac]

The Podman ecosystem does not support the GitHub.com/docker/notary signing system, and there are no plans to work on that. (That ecosystem is supposed to be replaced by https://github.com/notaryproject/notaryproject , and our current focus is on https://github.com/sigstore/cosign ).

Right now, Podman implements c/image “simple signing” only, compare e.g. https://podman.io/blogs/2020/03/13/image-signing.html . There isn’t any single signing system that works for both Podman and Docker (though I expect it would be possible to sign a single image using two or even more systems, in principle).

[sandeep-sarkar]

So when the error message says no signature exists from where it is trying to check the signature ?

[sandeep-sarkar]

@mtrmac Thanks for your replies and sharing those interesting projects.

[mtrmac]

So when the error message says no signature exists from where it is trying to check the signature ?

Probably /var/lib/containers/sigstore see https://github.com/containers/image/blob/main/docs/containers-registries.d.5.md for the reference, and podman --log-level=debug for the exact location.

[sandeep-sarkar]

Okay. This is helpful. Thanks.