rkt fetch: can fetch incorrect signature · Issue #1982 · rkt/rkt · GitHub
This repository was archived by the owner on Feb 24, 2020. It is now read-only.

rkt fetch: can fetch incorrect signature #1982

Closed
cgonyeo opened this issue Jan 15, 2016 · 0 comments
cgonyeo commented Jan 15, 2016

In the following log, I run an image with these dependencies:

aci.gonyeo.com/blog --> aci.gonyeo.com/nginx --> aci.gonyeo.com/alpine

It fetches and correctly verifies the first two ACIs. The third image, aci.gonyeo.com/alpine, fails verification because for some reason rkt fetches the signature for aci.gonyeo.com/nginx.

```
derek@haruko ~> sudo rkt fetch aci.gonyeo.com/blog
rkt: searching for app image aci.gonyeo.com/blog
rkt: remote fetching from URL "https://aci.gonyeo.com/blog-latest-linux-amd64.aci"
prefix: "aci.gonyeo.com/blog"
key: "https://aci.gonyeo.com/pubkeys.gpg"
gpg key fingerprint is: 391A 2660 3B7D 1A7B 969B  DB93 8D6A 284F 420B 2594
    subkey fingerprint: 818A 735C A7D6 60F5 F113  8ED8 29A7 820C 14D5 7505
        Derek Gonyeo (ACI signing key) <derek@gonyeo.com>
Key "https://aci.gonyeo.com/pubkeys.gpg" already in the keystore
rkt: downloading signature from https://aci.gonyeo.com/blog-latest-linux-amd64.aci.asc
Downloading signature: 473 B of an unknown total size
Downloading ACI: [=============================================] 275 KB/275 KB
rkt: signature verified:
  Derek Gonyeo (ACI signing key) <derek@gonyeo.com>
rkt: searching for app image aci.gonyeo.com/nginx
rkt: remote fetching from URL "https://aci.gonyeo.com/nginx-latest-linux-amd64.aci"
prefix: "aci.gonyeo.com/nginx"
key: "https://aci.gonyeo.com/pubkeys.gpg"
gpg key fingerprint is: 391A 2660 3B7D 1A7B 969B  DB93 8D6A 284F 420B 2594
    subkey fingerprint: 818A 735C A7D6 60F5 F113  8ED8 29A7 820C 14D5 7505
        Derek Gonyeo (ACI signing key) <derek@gonyeo.com>
Key "https://aci.gonyeo.com/pubkeys.gpg" already in the keystore
rkt: downloading signature from https://aci.gonyeo.com/nginx-latest-linux-amd64.aci.asc
Downloading signature: 473 B of an unknown total size
Downloading ACI: [=============================================] 1.3 MB/1.3 MB
rkt: signature verified:
  Derek Gonyeo (ACI signing key) <derek@gonyeo.com>
rkt: searching for app image aci.gonyeo.com/alpine
rkt: remote fetching from URL "https://aci.gonyeo.com/alpine-latest-linux-amd64.aci"
prefix: "aci.gonyeo.com/alpine"
key: "https://aci.gonyeo.com/pubkeys.gpg"
gpg key fingerprint is: 391A 2660 3B7D 1A7B 969B  DB93 8D6A 284F 420B 2594
    subkey fingerprint: 818A 735C A7D6 60F5 F113  8ED8 29A7 820C 14D5 7505
        Derek Gonyeo (ACI signing key) <derek@gonyeo.com>
Key "https://aci.gonyeo.com/pubkeys.gpg" already in the keystore
rkt: downloading signature from https://aci.gonyeo.com/nginx-latest-linux-amd64.aci.asc
Downloading signature: 473 B of an unknown total size
Downloading ACI: [=============================================] 2.49 MB/2.49 MB
openpgp: invalid signature: hash tag doesn't match
```
@cgonyeo cgonyeo self-assigned this Jan 15, 2016
@cgonyeo cgonyeo added this to the v0.16.0 milestone Jan 15, 2016
iaguis added a commit to kinvolk/rkt that referenced this issue Jan 18, 2016
If we don't do this, we could use the asc object from a previous image,
resulting in the incorrect signature being fetched.

Fixes rkt#1982
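
An added example (not part of the original issue and not rkt's code): a small Go checker that replays `rkt fetch` output and flags any image whose signature was downloaded from a URL that does not belong to its ACI. It assumes, as in the log in this issue, that the signature is served at the ACI URL plus `.asc`; `AuditFetchLog`, `Mismatch` and `sampleLog` are names made up for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Mismatch records an image whose signature came from an unexpected URL.
type Mismatch struct{ Image, ACIURL, SigURL string }

var (
	reImage = regexp.MustCompile(`^rkt: searching for app image (\S+)`)
	reACI   = regexp.MustCompile(`^rkt: remote fetching from URL "([^"]+)"`)
	reSig   = regexp.MustCompile(`^rkt: downloading signature from (\S+)`)
)

// AuditFetchLog pairs each ACI URL in `rkt fetch` output with the signature
// URL logged for the same image. Assumption (holds for the log in this issue,
// not for every discovery template): signature URL == ACI URL + ".asc".
func AuditFetchLog(log string) []Mismatch {
	var out []Mismatch
	var image, aci string
	for _, line := range strings.Split(log, "\n") {
		line = strings.TrimSpace(line)
		if m := reImage.FindStringSubmatch(line); m != nil {
			image, aci = m[1], "" // new image: drop the previous image's state
		} else if m := reACI.FindStringSubmatch(line); m != nil {
			aci = m[1]
		} else if m := reSig.FindStringSubmatch(line); m != nil && m[1] != aci+".asc" {
			out = append(out, Mismatch{image, aci, m[1]})
		}
	}
	return out
}

// sampleLog is abridged from the log in this issue: last two images only,
// key and progress lines dropped.
const sampleLog = `rkt: searching for app image aci.gonyeo.com/nginx
rkt: remote fetching from URL "https://aci.gonyeo.com/nginx-latest-linux-amd64.aci"
rkt: downloading signature from https://aci.gonyeo.com/nginx-latest-linux-amd64.aci.asc
rkt: searching for app image aci.gonyeo.com/alpine
rkt: remote fetching from URL "https://aci.gonyeo.com/alpine-latest-linux-amd64.aci"
rkt: downloading signature from https://aci.gonyeo.com/nginx-latest-linux-amd64.aci.asc`

func main() {
	for _, m := range AuditFetchLog(sampleLog) {
		fmt.Printf("MISMATCH image=%s aci=%s sig=%s\n", m.Image, m.ACIURL, m.SigURL)
	}
}
```

On the sample it reports only `aci.gonyeo.com/alpine`, the image for which the nginx signature was fetched.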