My blue-build spin has a valid invalid signature?

[pboling]

TL;DR

It seems to me that the instructions for rotating a signing key with cosign are incorrect.

Details

Repo: https://github.com/pboling/galtzo2 (renamed to have 2 on the end, as I'm starting over from scratch)

Error

➜  ujust update
note: automatic updates (stage) are enabled
Pulling manifest: ostree-image-signed:docker://ghcr.io/pboling/galtzo:latest
error: Creating importer: failed to invoke method OpenImage: failed to invoke method OpenImage: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature
Looking for updates…

When I check the signature manually, it is valid. I am not sure how to resolve this.

➜  cosign verify --key cosign.pub ghcr.io/pboling/galtzo
setting TUF refresh period to 24h0m0s

Verification for ghcr.io/pboling/galtzo:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"ghcr.io/pboling/galtzo"},"image":{"docker-manifest-digest":"sha256:d98c65fee85c6023c49c2dc8b2ffaf6d4ab27889f0d0c93b8b500fc911819553"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEQCIEJaEAcCLvwLSp5KB9n7Jssv/DYpP8JKVtnyOu+5GnGZAiBobeKwNBkD0K7gM5k1Wv0BOqejYTdJn2JzbJvsYs1SnA==","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI5ZmU0ZmZkMzdiNjdjYmJlY2NhNTA5Y2M0MjZhYzM5NjJlNjczN2IzYjIzMWE1YzA5YTRmNWM2M2U4MDEyYThjIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURkYVIzaDQwVDMzYjdkRnNkeTJZSU1TRFprOENGWEthdVpHdHVibkhtcmlBSWhBT3YxRzNBSExRcE9KNXNGUzFZVUMyeFZ6NEJNbC9rcUlwMjRNSEtmOUVhaiIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGV25WcGJHaG9hVFYyTkdFMWJEUnhlVTl2VTA5eVkzUkZUVE5MVHdwcVdGWTVNM3BDVGpoNloyaGhaVzUwY1ZKbFdqZG9VMFp4UWxrelFXRjRSRFIyVnpRMU5YQkhUa0U0YldWSVFrcEJaamxyWVhkbVdIUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1753510284,"logIndex":314339497,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}}}}]

How did I get here?

I read the documentation here: https://blue-build.org/how-to/cosign/

I saw that it was possible to renew the signing key for an image, and thinking I may want to do that at some point I wanted to try it so I would understand the process. So I udpated the key, according to the instructions on the blue-build homepage, and pushed the new public key to the repo, and updated the secret in the repo.

After that the image stopped installing.

I tried following the instructions again, generated another new signing key, and set the secret, and pushed the public one, but the result was the same.

[pboling]

Update

This may not actually work. Apparently it is more complex, and there is no built in support for rotating the signing key in blue-build yet.

Original

Now I'm switching to the new build, and I realize my problem.

After rotating the keys I needed to rebase to the "new build", even though it was the "same build" from my perspective. When the keys change is has to reset the signing.

rpm-ostree rebase ostree-unverified-registry:ghcr.io/pboling/galtzo-os:latest

🤦 I had the process for rebasing to another atomic desktop documented in my own README, I just hadn't connected it to the idea of key rotation.

The compelte steps, after updating the signing key, are:

• First rebase to the unsigned image, to get the proper signing keys and policies installed:

rpm-ostree rebase ostree-unverified-registry:ghcr.io/pboling/galtzo-os:latest

• Reboot to complete the rebase:

systemctl reboot

• Then rebase to the signed image, like so:

rpm-ostree rebase ostree-image-signed:docker://ghcr.io/pboling/galtzo-os:latest

• Reboot again to complete the installation

systemctl reboot