releng/tickets
16
3
Fork 2
Code Issues 107 Pull requests Projects Releases Packages Wiki Activity Actions

Sign container images #10624

New issue
Open
opened 2022-02-07 22:50:13 +00:00 by demiobenour · 14 comments
demiobenour commented 2022-02-07 22:50:13 +00:00
Copy link

  • Describe the issue

    Fedora’s container images should be signed by official Fedora project keys, just like Red Hat’s are.

  • When do you need this? (YYYY/MM/DD)

    2022/02/21 but sooner would be amazing

  • When is this no longer needed or useful? (YYYY/MM/DD)

    N/A — sooner is better than later, but later is better than never

  • If we cannot complete your request, what is the impact?

    Qubes OS will need to generate and sign its own container images, since it cannot verify the authenticity of ones shipped by Fedora.

* Describe the issue Fedora’s container images should be signed by official Fedora project keys, just like Red Hat’s are. * When do you need this? (YYYY/MM/DD) 2022/02/21 but sooner would be amazing * When is this no longer needed or useful? (YYYY/MM/DD) N/A — sooner is better than later, but later is better than never * If we cannot complete your request, what is the impact? Qubes OS will need to generate and sign its own container images, since it cannot verify the authenticity of ones shipped by Fedora.
zlopez commented 2022-02-08 09:53:11 +00:00
Member
Copy link

Metadata Update from @zlopez:

  • Issue tagged with: meeting
**Metadata Update from @zlopez**: - Issue tagged with: meeting
humaton commented 2022-02-08 16:21:36 +00:00
Owner
Copy link

Any ideas about how to approach this? @cverna @otaylor

Any ideas about how to approach this? @cverna @otaylor
amedvede commented 2025-10-06 11:30:40 +00:00
Owner
Copy link

Metadata Update from @amedvede:

  • Issue tagged with: sprint-2
**Metadata Update from @amedvede**: - Issue tagged with: sprint-2
amedvede commented 2025-10-06 16:13:09 +00:00
Owner
Copy link

@demiobenour Do it still needed?

@demiobenour Do it still needed?
amedvede commented 2025-10-06 16:13:10 +00:00
Owner
Copy link

Metadata Update from @amedvede:

  • Issue assigned to amedvede
**Metadata Update from @amedvede**: - Issue assigned to amedvede
demiobenour commented 2025-10-06 16:31:30 +00:00
Author
Copy link

@amedvede if it hasn't been implemented, it's still needed.

@amedvede if it hasn't been implemented, it's still needed.
jcline commented 2025-10-06 17:13:57 +00:00
Copy link

Related to this, travier requested a way to use cosign to sign containers. Those wouldn't be GPG signatures, though.

Related to this, [travier](https://github.com/fedora-infra/siguldry/issues/49) requested a way to use cosign to sign containers. Those wouldn't be GPG signatures, though.
jnsamyak commented 2025-10-07 08:35:02 +00:00
Owner
Copy link

Metadata Update from @jnsamyak:

  • Issue tagged with: medium-gain, medium-trouble
**Metadata Update from @jnsamyak**: - Issue tagged with: medium-gain, medium-trouble
amedvede commented 2025-10-08 18:26:13 +00:00
Owner
Copy link

Investigating it

Investigating it
amedvede commented 2025-10-20 11:13:02 +00:00
Owner
Copy link

Issue tagged with: sprint-3

Issue tagged with: sprint-3
amedvede commented 2025-11-03 12:42:26 +00:00
Owner
Copy link

Issue tagged with: sprint-4

Issue tagged with: sprint-4
jnsamyak commented 2025-11-04 09:00:27 +00:00
Owner
Copy link

Metadata Update from @jnsamyak:

  • Issue untagged with: sprint-2, sprint-3
**Metadata Update from @jnsamyak**: - Issue **un**tagged with: sprint-2, sprint-3
amedvede commented 2025-11-07 11:41:43 +00:00
Owner
Copy link

Hey all, lets go deep into this problem and hopefully will fix it soon enough

  1. We making 3 container images fedora-base, fedora-minimal, fedora-toolbox and sync those images to quay.io, we build them using pungi. And here I see at least in description that it uses kickstarts to build container image for docker hub. So question is what exactly images you would to be signed?
    2)As far as I know we don't support to update dockerhub, and it should be documented somewhere. Can you suggest the place where? Also fix if I'm mistaking.
    3)Can you verify that image is still not signed? because pungi config has variable sigkey so it might be signed indeed. Would like to mention that I'm not an expert in signing and just trying to learn how this process works so fix me where I'm wrong.
    4)If it still needed I believe it should be done on on pungi side
Hey all, lets go deep into this problem and hopefully will fix it soon enough 1) We making 3 container images `fedora-base`, `fedora-minimal`, `fedora-toolbox` and sync those images to quay.io, we build them using pungi. And [here](https://github.com/fedora-cloud/docker-brew-fedora) I see at least in description that it uses kickstarts to build container image for docker hub. So question is what exactly images you would to be signed? 2)As far as I know we don't support to update dockerhub, and it should be documented somewhere. Can you suggest the place where? Also fix if I'm mistaking. 3)Can you verify that image is still not signed? because `pungi` config has variable `sigkey` so it might be signed indeed. Would like to mention that I'm not an expert in signing and just trying to learn how this process works so fix me where I'm wrong. 4)If it still needed I believe it should be done on on pungi side
siosm commented 2026-01-26 11:19:23 +00:00
Copy link

As far as I know the Fedora container images are still not signed.

As Jeremy mentioned, I requested in https://github.com/fedora-infra/siguldry/issues/49 support for cosign signatures.

In the mean time, we are currently signing Fedora CoreOS container images with GPG signatures (https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/17fcos-container-signing/etc/containers/registries.d/fedora-coreos.yaml) but this is not ideal.

As far as I know the Fedora container images are still not signed. As Jeremy mentioned, I requested in https://github.com/fedora-infra/siguldry/issues/49 support for cosign signatures. In the mean time, we are currently signing Fedora CoreOS container images with GPG signatures (https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/17fcos-container-signing/etc/containers/registries.d/fedora-coreos.yaml) but this is not ideal.
jnsamyak added this to the Backlog project 2026-04-30 08:47:22 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
modular-tags-at-branchtime
product-release
createrepoc
bz-epel
branch-eol-sop
multiline-sop
weird-loop
container-branching
unretire
blocking-for-f27
json-json-json
orphan-management
find-failures-owners
cvsadmin
twoweek-stable
rawhide-stable
Labels
Clear labels   
after freeze

   
automation

   
backlog
Tasks that will take longer then ~4 hours to do

  
blocked

   
change-ack
Changes that have releng work and are accepted

  
change-nak
Changes that have releng work and have been rejected

  
change-noreleng
Changes that do not have any releng work

  
changes
  
Closed As
Can't Fix
 Closed with the reason of Can't Fix

  
Closed As
Duplicate
 Closed with the reason of Duplicate

  
Closed As
Fixed
 Closed with the reason of Fixed

  
Closed As
Fixed with Explanation
 Closed with the reason of Fixed with Explanation

  
Closed As
Get back later
 Closed with the reason of Get back later

  
Closed As
Grooming
 Closed with the reason of Grooming

  
Closed As
Insufficient data
 Closed with the reason of Insufficient data

  
Closed As
Invalid
 Closed with the reason of Invalid

  
Closed As
It's all good
 Closed with the reason of It's all good

  
Closed As
taiga
 Closed with the reason of taiga

  
Closed As
upstream
 Closed with the reason of upstream

  
day-to-day
These are small, self-contained tasks that are part of normal operations but are async from sprint planning.

  
dev

   
docs

   
easyfix

   
epel

   
f26

   
f27
Fedora 27

  
f28
Fedora 28

  
f29
Fedora 29

  
f30

   
f31

   
f32

   
f33
Fedora 33

  
f34

   
f35
Fedora 35

  
f36

   
f37

   
f38

   
f39
Fedora 39

  
f40

   
f41
Fedora 41

  
f42
Fedora 42

  
f43
Fedora 43

  
f44
Fedora 44

  
f45
Fedora 45

  
fedora

   
groomed

   
high-gain

   
high-trouble

   
in-progress

   
in-review

   
investigation

   
legal

   
low-gain

   
low-trouble

   
mass rebuild

   
medium-gain

   
medium-trouble

   
meeting

   
mini-initiative

   
new_artifact
New artifact for fedora release

  
ops

   
pdc_retirement

   
rawhide

   
RCA
Root cause analysis

  
review

   
script

   
sidetarget

   
sprint-0

   
sprint-1
Releng Sprint 1 Tracker

  
sprint-2
Sprint 2

  
sprint-3
Releng Sprint 3 Tracker

  
sprint-4
RelEng Spring 4 Tracker

  
sprint-5
RelEng Sprint Tracker 5 (Nov 18 - Dec 02)

  
unfrozen
Revisit after freeze

  
waiting on external
  
Backlog Status
Needs Review
 Needs to go through refinement

  
Backlog Status
Ready
 Ready for sprint

  
chore

   
documentation
  
points
01
 A task that is simple, small, and has very little uncertainty. It should be easy enough for any team member to pick up and complete quickly, without a lot of discussion or research.

  
points
02
 This is a task that is slightly more complex or larger than a "1." It might involve two or three simple steps, but the outcome is still very clear and there's little uncertainty.

  
points
03
 Medium-sized task with some noticeable complexity. It might require a bit more thought or collaboration. The steps are well-defined, but it's not a trivial change.

  
points
05
 A significant piece of work. It has more complexity and a higher degree of uncertainty than smaller tasks. It might require some research, a design discussion, or collaboration across multiple teams.

  
points
08
 Complex task with a lot of uncertainty. It's often the largest size that a team will consider for a single sprint. It likely requires a detailed breakdown and multiple team members to complete.

  
points
13
 Any task that feels like it's a "13" or more is considered an Epic. These are too large and uncertain to be worked on in a single sprint and should be broken down.

  
Priority
High
 This is for work that is critical and needs to be addressed in the next sprint. It's often for urgent bugs, important features, or a major piece of technical debt that is blocking other work.

  
Priority
Low
 This is for work that is good to do but not urgent. It's a candidate for being worked on when there's extra time or when it rises in importance. It can stay in the backlog for a longer period.

  
Priority
Medium
 This is for important work that should be done soon, but isn't as urgent as a high-priority item. It will likely be considered for the next 1-2 sprints.

  
Sprint Status
Blocked
 Work items that cannot progress due to external dependencies, blockers, or issues that need resolution.

  
Sprint Status
Done
 Work items that have been completed, reviewed, and integrated. No further work is needed within the current sprint.

  
Sprint Status
In Progress
 Work items currently being worked on by a team member. Active development, research, or implementation is happening.

  
Sprint Status
Review
 Work items that are complete but need review, testing, or approval before being marked as done.

  
Sprint Status
To Do
 Work items that are committed to the sprint but haven't been started yet. These items are ready to be picked up by team members.

  
Technical Debt
Work that addresses shortcuts, workarounds, or suboptimal implementations that were done previously to meet deadlines. These items improve code quality, maintainability, or performance without adding new features.

  
Work Item
Bug
 Issues where the system is not working as intended or designed. Bugs represent deviations from expected behavior.

  
Work Item
Epic
 Large initiatives that are broken down into multiple smaller work items (user stories, tasks, bugs). Epics represent significant features or projects that span multiple sprints.

  
Work Item
Spike
 Time-boxed research, investigation, or proof-of-concept work to reduce uncertainty or explore solutions. Spikes help inform future development decisions.

  
Work Item
Task
 Used to break down larger user stories into smaller, manageable implementation pieces. They focus on the specific technical steps needed to deliver the user story's value.

  
Work Item
User Story
 User-facing features or functionality that can be framed from a user perspective, describing what someone wants to accomplish and why.

No labels
after freeze
automation
backlog
blocked
change-ack
change-nak
change-noreleng
changes
Closed As
Can't Fix
Closed As
Duplicate
Closed As
Fixed
Closed As
Fixed with Explanation
Closed As
Get back later
Closed As
Grooming
Closed As
Insufficient data
Closed As
Invalid
Closed As
It's all good
Closed As
taiga
Closed As
upstream
day-to-day
dev
docs
easyfix
epel
f26
f27
f28
f29
f30
f31
f32
f33
f34
f35
f36
f37
f38
f39
f40
f41
f42
f43
f44
f45
fedora
groomed
high-gain
high-trouble
in-progress
in-review
investigation
legal
low-gain
low-trouble
mass rebuild
medium-gain
medium-trouble
meeting
mini-initiative
new_artifact
ops
pdc_retirement
rawhide
RCA
review
script
sidetarget
sprint-0
sprint-1
sprint-2
sprint-3
sprint-4
sprint-5
unfrozen
waiting on external
Backlog Status
Needs Review
Backlog Status
Ready
chore
documentation
points
01
points
02
points
03
points
05
points
08
points
13
Priority
High
Priority
Low
Priority
Medium
Sprint Status
Blocked
Sprint Status
Done
Sprint Status
In Progress
Sprint Status
Review
Sprint Status
To Do
Technical Debt
Work Item
Bug
Work Item
Epic
Work Item
Spike
Work Item
Task
Work Item
User Story
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Backlog
Assignees
Clear assignees
No assignees
7 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Depends on
#13334 Document releng container build process
releng/tickets
Reference
releng/tickets#10624
No description provided.