bug(policy): move policy verification to sub-manifest level #758

Closed
ricardomaraschini wants to merge 1 commit into containers:main from ricardomaraschini:move-policy-evaluation

@ricardomaraschini
Contributor

move policy evaluation from openImageImpl() to cacheTargetManifest(), ensuring signature verification happens on platform-specific manifests rather than manifest lists.

this change affects the skopeo experimental-image-proxy (json-proxy) used by rpm-ostree for fetching container images.

podman and skopeo seem to verify signatures only on sub-manifests, not on manifest lists. this change aligns our json-proxy behavior with the existing container runtime verification model.

github-actions bot added the "common" label (Related to "common" package) on Apr 10, 2026
@packit-as-a-service

Packit jobs failed. @containers/packit-build please check.

move policy evaluation from openImageImpl() to cacheTargetManifest(),
ensuring signature verification happens on platform-specific manifests
rather than manifest lists.

this change affects the skopeo experimental-image-proxy (json-proxy)
used by rpm-ostree for fetching container images.

podman and skopeo seem to verify signatures only on sub-manifests, not
on manifest lists. this change aligns our json-proxy behavior with the
existing container runtime verification model.

Signed-off-by: Ricardo Maraschini <ricardo.maraschini@gmail.com>

@mtrmac (Contributor) left a comment

Thanks!

Stand-alone, this would probably be sufficient (doing the check in cacheTargetManifest means we wouldn’t enforce signatures on GetBlob and GetRawBlob); but there’s a risk of breaking existing users.

containers/skopeo#2400 is a stalled implementation that allows a signature on either the top level or the per-platform manifest. I think that’s a safer change to make.

@ricardomaraschini
Contributor Author

> Thanks!
>
> Stand-alone, this would probably be sufficient (doing the check in cacheTargetManifest means we wouldn’t enforce signatures on GetBlob and GetRawBlob); but there’s a risk of breaking existing users.
>
> containers/skopeo#2400 is a stalled implementation that allows a signature on either the top level or the per-platform manifest. I think that’s a safer change to make.

No worries, let's close this one then.
