-
Notifications
You must be signed in to change notification settings - Fork 380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot pull sigstore signed image with podman #2350
Comments
Thanks for reaching out. Yes,
Compare the long discussion in #2235. |
Ah, that makes sense. Thank you for the response! So ideally, if I'm reading #2235 correctly, if implemented my So at the moment, this is not implemented and I would need to either use a personal key to sign to work around this rather than using the Gitlab OIDC keyless solution, or wait. Is that right? |
With #2235, I think it probably be closer to |
Got it, thank you. I'll close this then and subscribe to #2235. Thanks again for the help |
Hello, I have a project in Gitlab which is building, signing and verifying (via Cosign) some Fedora Silverblue images[1] following the recommended documentation[2].
In the CI pipeline, the signed images can be verified as expected. Similarly, in a (local) alpine container, if i do a separate verification, I'm greeted with:
The Issuer is what I currently have mapped to
oidcIssuer
inpolicy.json
The Subject is what I currently have mapped to
subjectEmail
inpolicy.json
The relevant contents of
policy.json
:And the registries.d entry:
However when trying to do a
podman pull
I get:It feels like there's a missing configuration detail regarding
Required email
. Was I wrong to assume thatSubject
from the cosign verification output and Gitlab documentation maps tosubjectEmail
? Any help/guidance would be much appreciated. Thank you!.The text was updated successfully, but these errors were encountered: