With OpenShift Container Platform 4.22, Red Hat enforces signature verification for the release image and payload (cluster operators and oeprands). The verification is controlled by the ClusterImagePolicy which specifies the Root CA and a scope of quay.io/openshift-release-dev/ocp-release and quay.io/openshift-release-dev/ocp-v4.0-art-dev. When an image is used on a node, the signatures are pulled from the mirror along with the image, and verified before starting a container. This verification expands on the ocp-release scope.
apiVersion: config.openshift.io/v1
kind: ClusterImagePolicy
metadata:
name: openshift
spec:
policy:
rootOfTrust:
policyType: PublicKey
publicKey:
keyData: ...
scopes:
- quay.io/openshift-release-dev/ocp-release
- quay.io/openshift-release-dev/ocp-v4.0-art-dev
...
If you are running a disconnected cluster and the signature is missing from your mirror, you’ll see the following:
- Install: The
bootstrapnode hangs and does not install as the signature is not verified. - Upgrade: The
ClusterImagePolicyenforces signature verification. If the signatures are missing from your mirror, the Cluster Version Operator (CVO) will be blocked, preventing node updates.
In order to continue, you may do one of the following:
- Use
oc mirror --v2to mirror your content. This feature automatically honors signatures … see Mirroring images for a disconnected installation using the oc-mirror plugin - If you are currently using
oc adm release mirror, you can copy thesigfile for the release payload:
$ oc image mirror quay.io/openshift-release-dev/ocp-release:${RELEASE_DIGEST}.sig registry.example.com/openshift/whatever:${RELEASE_DIGEST}.sig
You repeat for each image listed in the release.txt
RELEASE_DIGEST:: Specifies your digest image with the : character replaced by a - character. For example: sha256:884e1ff5effeaa04467fab9725900e7f0ed1daa89a7734644f14783014cebdee becomes sha256-884e1ff5effeaa04467fab9725900e7f0ed1daa89a7734644f14783014cebdee.sig.
You must switch to using oc mirror --v2.
Good luck with your disconnected clusters, and ensure image signatures are present in your local mirror using one of the mirroring methods.
Note: you can use this with your application / deliverable for enhanced security.
References
- Red Hat OpenShift Docs: Chapter 12. Manage secure signatures with sigstore
- Red Hat Developer: How to verify container signatures in disconnected OpenShift
- Red Hat Developer: Verify Cosign bring-your-own PKI signature on OpenShift
- IBM Power Blog Mirroring for OpenShift on IBM Power in Disconnected Environments
- IBM Power Blog OpenShift 4.21.0 ClusterImagePolicy Feature enforces signature verification

Leave a Reply