From fad8167e40a3c0bc56162a43d0e307c9015fa3cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miguel=20Mart=C3=ADn?= Date: Mon, 14 Oct 2024 16:49:36 +0200 Subject: [PATCH] fix: use remove-signatures in skopeo copy stages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit According to [1] neither Docker daemon nor OCI support storing the container signatures, and skopeo copy refuses to just silently drop them and fails. When using `skopeo copy --remove-signatures` to make the copy, the signatures will be still read and policy.json will still be enforced, they just won’t be written into the destination. [1] https://github.com/containers/skopeo/issues/589#issuecomment-453894401 Resolves: THEEDGE-4032 Relates: RHEL-34807 Signed-off-by: Miguel Martín
---
 bib/cmd/bootc-image-builder/image.go | 1 + 1 file changed, 1 insertion(+)
diff --git a/bib/cmd/bootc-image-builder/image.go b/bib/cmd/bootc-image-builder/image.go
index e7fcdcb5..f4ece9cc 100644
--- a/bib/cmd/bootc-image-builder/image.go
+++ b/bib/cmd/bootc-image-builder/image.go
@@ -360,6 +360,7 @@ func manifestForISO(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest, erro
 // The ref is not needed and will be removed from the ctor later
 // in time
 img := image.NewAnacondaContainerInstaller(containerSource, "")
+ img.ContainerRemoveSignatures = true
 img.SquashfsCompression = "zstd"
 img.Product = c.SourceInfo.OSRelease.Name
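Review bot: The added `img.ContainerRemoveSignatures = true` in manifestForISO has no comment, although it is a security-relevant default: the container embedded in the installer will carry no signatures, so the only check is the one made against policy.json when the source image is read. I would put the commit message's reasoning next to the line, e.g. `// The copy destination cannot store signatures; they are still read and policy.json is still enforced, only not written.` The flag is also set unconditionally, so nothing on the resulting ISO can re-verify the payload later; if that is an accepted trade-off, the comment should say so. The patch changes only image.go, so a manifest test asserting the option reaches the skopeo stage would guard against regression. manifestForISO starts and ends outside this hunk.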