Enable RH Registry signature verification by default

[jasinner]

Description

All images in the Red Hat registry are signed. We have the GPG key on disk to enable verification of these images when pulling, all that's left to do is configure Cri-o to verify the signatures when pulling those images.

Steps to reproduce the issue:

See: https://access.redhat.com/verify-images-ocp4

Describe the results you received:

Signatures are not verified

Describe the results you expected:

Verification steps from the reproduction article are met

Output of oc adm release info --commits | grep machine-config-operator:

machine-config-operator                       https://github.com/openshift/machine-config-operator                       d780d197a9c5848ba786982c0c4aaa7487297046

Additional environment details (platform, options, etc.):

OCP 4.2.12

[smarterclayton]

Are there any negative implications of turning on verification? Would it fail for images that don’t have signatures for some reason (and are we certain all of them have signatures)?

[cgwalters]

This almost may merit an enhancement but I'd also be fine just trying it out in master (4.4) for a bit...

[adambkaplan]

Would we want builds to perform similar signature checks for the base/builder images?

[jasinner]

Are there any negative implications of turning on verification? Would it fail for images that don’t have signatures for some reason (and are we certain all of them have signatures)?

According to DELIVERY-5889 and DELIVERY-6699 they should all be signed. If an image doesn't have a signature and your pulling from one of the Red Hat repos (registry.access.redhat.com), or (registry.redhat.io) the pull will fail.

[jasinner]

Would we want builds to perform similar signature checks for the base/builder images?

Sure, why not.

[adambkaplan]

This almost may merit an enhancement but I'd also be fine just trying it out in master (4.4) for a bit...

@cgwalters I'd like to see an enhancement so we can discuss what to do in builds. It's unclear to me how frequently customers use non-Red Hat images in their build pipelines.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

[openshift-bot]

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

[openshift-ci-robot]

@openshift-bot: Closing this issue.

Details

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[bparees]

Are there any negative implications of turning on verification? Would it fail for images that don’t have signatures for some reason (and are we certain all of them have signatures)?

just for posterity: today the catalog images consumed by OLM are not signed. We're working on fixing that, though it looks like they'll be signed w/ a different key than the standard release key. So any effort to enable signature verification by default needs to take into account how the olm catalog images can be verified (or exempt them from verification)