fix(signing): add writable volume for TUF cache in distroless container#1736
Open
ab-ghosh wants to merge 1 commit into
Open
fix(signing): add writable volume for TUF cache in distroless container#1736ab-ghosh wants to merge 1 commit into
ab-ghosh wants to merge 1 commit into
Conversation
When signers.x509.tuf.mirror.url is set to a custom TUF mirror, the sigstore library tries to create a cache directory at $HOME/.sigstore/root. In the Chains distroless container, HOME defaults to "/" and readOnlyRootFilesystem is true, causing "mkdir /.sigstore: read-only file system" and blocking signing. Add an emptyDir volume mounted at /home/nonroot and set HOME to point there, giving the TUF client a writable cache location. Signed-off-by: ab-ghosh <abghosh@redhat.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
Member
Author
|
/retest |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
When
signers.x509.tuf.mirror.urlis set to a custom TUF mirror (e.g., one provided by the Trusted Artifact Signer operator), the sigstore TUF library tries to create a cache directory at$HOME/.sigstore/root. In the Chains distroless container,HOMEdefaults to/(user 65532) andreadOnlyRootFilesystem: trueis set, causing:error configuring x509 signer: initialize tuf: creating cached local store: mkdir /.sigstore: read-only file system
This blocks artifact signing when using private sigstore deployments.
Fix: Add an
emptyDirvolume (sigstore-cache) mounted at/home/nonrootand setHOME=/home/nonroot, giving the TUF client a writable cache location.The default TUF mirror (
https://tuf-repo-cdn.sigstore.dev) is unaffected since it skips TUF initialization entirely (trust root is embedded in the binary).Testing:
read-only file systemerror is gone after the fixSubmitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes