diff --git a/Remove-signatures-from-Docker-images.patch b/Remove-signatures-from-Docker-images.patch
new file mode 100644
index 0000000..1da821b
--- /dev/null
+++ b/Remove-signatures-from-Docker-images.patch
@@ -0,0 +1,58 @@
+From: Egbert Eich
+Date: Wed Mar 13 17:41:43 2024 +0100
+Subject: Remove signatures from Docker images
+Patch-mainline: Not yet
+Git-repo: https://github.com/apptainer/apptainer
+Git-commit: eb17f79efd7c2fc1a5bacbca3743b71f0a659355
+References: bsc#1221364
+
+OCI image layouts do not support the storing of signatures.
+Therefore, singed containers will cause apptainer to error
+on ``apptainer build ..``
+with the message:
+ "Pushing signatures for OCI images is not supported" when
+attempting to pull signed containers from a Docker registry.
+To fix this, set an option to remove signatures.
+
+This fixes issue #2094.
+
+Signed-off-by: Egbert Eich
+Signed-off-by: Egbert Eich
+---
+ internal/pkg/build/oci/oci.go | 5 +++--
+ internal/pkg/build/sources/conveyorPacker_oci.go | 5 +++--
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+diff --git a/CHANGELOG.md b/CHANGELOG.md
+index edcddd3a3..d0c609053 100644
+diff --git a/internal/pkg/build/oci/oci.go b/internal/pkg/build/oci/oci.go
+index 68e6f5989..46665917a 100644
+--- a/internal/pkg/build/oci/oci.go
++++ b/internal/pkg/build/oci/oci.go
+@@ -125,8 +125,9 @@ func (t *ImageReference) newImageSource(ctx context.Context, sys *types.SystemCo
+
+ // First we are fetching into the cache
+ _, err = copy.Image(ctx, policyCtx, t.ImageReference, t.source, ©.Options{
+- ReportWriter: w,
+- SourceCtx: sys,
++ ReportWriter: w,
++ SourceCtx: sys,
++ RemoveSignatures: true,
+ })
+ if err != nil {
+ return nil, err
+diff --git a/internal/pkg/build/sources/conveyorPacker_oci.go b/internal/pkg/build/sources/conveyorPacker_oci.go
+index f4107da63..14a545a53 100644
+--- a/internal/pkg/build/sources/conveyorPacker_oci.go
++++ b/internal/pkg/build/sources/conveyorPacker_oci.go
+@@ -301,8 +301,9 @@ func (cp *OCIConveyorPacker) Pack(ctx context.Context) (*sytypes.Bundle, error)
+ func (cp *OCIConveyorPacker) fetch(ctx context.Context) error {
+ // cp.srcRef contains the cache source reference
+ _, err := copy.Image(ctx, cp.policyCtx, cp.tmpfsRef, cp.srcRef, ©.Options{
+- ReportWriter: io.Discard,
+- SourceCtx: cp.sysCtx,
++ ReportWriter: io.Discard,
++ SourceCtx: cp.sysCtx,
++ RemoveSignatures: true,
+ })
+ return err
+ }
diff --git a/apptainer.changes b/apptainer.changes
index b0cfcb1..b8e1f9c 100644
--- a/apptainer.changes
+++ b/apptainer.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Wed Mar 13 19:28:40 UTC 2024 - Egbert Eich
+
+- Fix 'apptainer build' using signed packages from the SUSE
+ Registry (bsc#1221364).
+ * Remove-signatures-from-Docker-images.patch
+
 -------------------------------------------------------------------
 Wed Jan 31 14:14:20 UTC 2024 - Egbert Eich
diff --git a/apptainer.spec b/apptainer.spec
index 56c167b..9e2404d 100644
--- a/apptainer.spec
+++ b/apptainer.spec
@@ -41,6 +41,7 @@ Source4: SLE-15SP6.def
 Source5: Leap.def
 Source20: %{name}-rpmlintrc
 Source21: vendor.tar.gz
+Patch1: Remove-signatures-from-Docker-images.patch
 BuildRequires: cryptsetup
 BuildRequires: fdupes
 BuildRequires: gcc
@@ -102,6 +103,7 @@ based on the latest openSUSE Leap release.
 %prep
 %setup -q -n %{name}-%{version}%{?vers_suffix}
+%autopatch -p1
 cp %{S:1} .
 %build
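Review bot: `RemoveSignatures: true` is set unconditionally in both `copy.Image` calls (`newImageSource` in oci.go and `fetch` in conveyorPacker_oci.go) with no comment stating the trust consequence: the image's signatures are discarded on the first copy from the registry, so the cached layout and everything built from it carry no signature material that could be re-checked later. Any signature enforcement therefore has to happen inside these calls through `policyCtx`; how that policy is constructed is not visible in the hunks, so it is worth confirming it is not an accept-anything policy for registries that publish signed images. I would add a comment on the new field in both places, e.g. `// OCI layouts cannot store signatures, so drop them here; any verification is done by policyCtx during this copy.` Both functions start or continue outside the hunks shown.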