
podman from Kubic repos (Ubuntu) can not sign using sigstore: Error: initializing private key: decrypt: encrypted: unexpected kdf parameters #20771

Closed
travier opened this issue Nov 24, 2023 · 15 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@travier (Member) commented Nov 24, 2023

Issue Description

Using the latest podman from the Kubic project on Ubuntu (https://podman.io/docs/installation#ubuntu), I am unable to sign container images using sigstore keys.

I need to run Ubuntu as I'm working on sigstore signing support for the podman GitHub Actions. See:

Steps to reproduce the issue

Push and sign a container image on Ubuntu using podman from Kubic repos:

$ podman push --sign-by-sigstore-private-key key --sign-passphrase-file empty foo/bar:test quay.io/foo/bar:test --authfile foo.json

Describe the results you received

Error: initializing private key: decrypt: encrypted: unexpected kdf parameters

Describe the results you expected

The container image is pushed and signed.

podman info output

Client:       Podman Engine
Version:      4.6.2
API Version:  4.6.2
Go Version:   go1.18.1
Built:        Thu Jan  1 00:00:00 1970
OS/Arch:      linux/amd64

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

This works with podman on Fedora 39 so this looks like an issue specific to the podman build in the Kubic repos or the Ubuntu 22.04 environment available in GitHub Actions.

Additional information

Full reproducer in https://github.com/travier/cosign-test

@travier travier added the kind/bug Categorizes issue or PR as related to a bug. label Nov 24, 2023
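The error reported above is raised while podman decrypts the passphrase-protected sigstore private key, and it complains about the key's KDF parameters rather than about the passphrase. A quick way to compare the key against the two podman builds is to read those parameters out of the key file without decrypting it. The Go program below is an added example for this thread and is not code from podman or containers/image; it assumes the cosign/sigstore encrypted-key layout (a PEM block of type `ENCRYPTED SIGSTORE PRIVATE KEY` or `ENCRYPTED COSIGN PRIVATE KEY` whose body is JSON with `kdf`, `cipher` and `ciphertext` members, scrypt parameters under `kdf.params`). It does not know which parameter sets a given podman version accepts; `ParamsAccepted` only compares the key against a set the caller supplies. `SampleKey` builds a constructed, non-decryptable file so the example runs offline; pass a real key path as the first argument to inspect that instead.

```go
package main

import (
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
)

// KDFParams is one scrypt (N, r, p) triple; the JSON tags follow the assumed envelope layout.
type KDFParams struct {
	N int `json:"N"`
	R int `json:"r"`
	P int `json:"p"`
}

// envelope is the assumed JSON payload inside the PEM body of a sigstore/cosign
// encrypted private key. encoding/json base64-decodes the []byte fields.
type envelope struct {
	KDF struct {
		Name   string    `json:"name"`
		Params KDFParams `json:"params"`
		Salt   []byte    `json:"salt"`
	} `json:"kdf"`
	Cipher struct {
		Name  string `json:"name"`
		Nonce []byte `json:"nonce"`
	} `json:"cipher"`
	Ciphertext []byte `json:"ciphertext"`
}

// KeyInfo is the diagnostic summary; it never carries secret material.
type KeyInfo struct {
	PEMType    string
	KDFName    string
	Params     KDFParams
	SaltLen    int
	CipherName string
	NonceLen   int
}

var ErrNotEncryptedKey = errors.New("not an encrypted sigstore/cosign private key PEM")

// InspectKey reports which KDF parameters the key was written with, without
// attempting to decrypt it (so no passphrase is needed).
func InspectKey(pemData []byte) (KeyInfo, error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return KeyInfo{}, ErrNotEncryptedKey
	}
	switch block.Type {
	case "ENCRYPTED SIGSTORE PRIVATE KEY", "ENCRYPTED COSIGN PRIVATE KEY":
	default:
		return KeyInfo{}, fmt.Errorf("%w: PEM type %q", ErrNotEncryptedKey, block.Type)
	}
	var env envelope
	if err := json.Unmarshal(block.Bytes, &env); err != nil {
		return KeyInfo{}, fmt.Errorf("parsing key envelope: %w", err)
	}
	return KeyInfo{
		PEMType: block.Type, KDFName: env.KDF.Name, Params: env.KDF.Params,
		SaltLen: len(env.KDF.Salt), CipherName: env.Cipher.Name, NonceLen: len(env.Cipher.Nonce),
	}, nil
}

// ParamsAccepted checks the key's scrypt triple against a caller-supplied set.
// Which triples a particular podman build accepts depends on the decryption
// code it vendors; this helper only compares.
func ParamsAccepted(info KeyInfo, allowed []KDFParams) bool {
	if info.KDFName != "scrypt" {
		return false
	}
	for _, a := range allowed {
		if a == info.Params {
			return true
		}
	}
	return false
}

// SampleKey builds a constructed key file in the layout above with zeroed salt,
// nonce and ciphertext. It is NOT a real key and cannot be decrypted.
func SampleKey(p KDFParams) []byte {
	payload, _ := json.Marshal(map[string]interface{}{
		"kdf":        map[string]interface{}{"name": "scrypt", "params": p, "salt": make([]byte, 32)},
		"cipher":     map[string]interface{}{"name": "nacl/secretbox", "nonce": make([]byte, 24)},
		"ciphertext": make([]byte, 64),
	})
	return pem.EncodeToMemory(&pem.Block{Type: "ENCRYPTED SIGSTORE PRIVATE KEY", Bytes: payload})
}

func main() {
	data := SampleKey(KDFParams{N: 65536, R: 8, P: 1})
	if len(os.Args) > 1 { // inspect a real key file instead of the constructed one
		var err error
		if data, err = os.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
	}
	info, err := InspectKey(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: kdf=%s N=%d r=%d p=%d salt=%dB cipher=%s nonce=%dB\n", info.PEMType,
		info.KDFName, info.Params.N, info.Params.R, info.Params.P, info.SaltLen, info.CipherName, info.NonceLen)
}
```

Running this against the key used in the failing `podman push` on both machines (Ubuntu with the Kubic build, Fedora 39) shows whether the key itself differs or only the consumer does; the key file is the same bytes in both cases, so a differing result points at the podman/containers-image build rather than at the key.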
@Luap99 (Member) commented Nov 24, 2023

FYI containers/podman.io#240, @lsm5 wants to get rid of the kubic repo.

Any chance you can get a newer podman there (i.e. compile from source) to make sure it is the version and not some environment issue?

@vrothberg (Member) commented

Does the action need to run inside a VM or is it possible to run it inside a container? If the latter is feasible, you may use the quay.io/podman/stable image.

@travier (Member, Author) commented Nov 27, 2023

I don't know if podman/buildah works in a GitHub Action as a container. Will give it a try.

@travier (Member, Author) commented Nov 27, 2023

OK, it works with Fedora's podman from a container: https://github.com/travier/cosign-test/blob/main/.github/workflows/nginx.yml

Unfortunately, I can not use the official images as they don't include both podman & buildah in the same image.

@lsm5 (Member) commented Nov 27, 2023

> OK, it works with Fedora's podman from a container: https://github.com/travier/cosign-test/blob/main/.github/workflows/nginx.yml
>
> Unfortunately, I can not use the official images as they don't include both podman & buildah in the same image.

Can a dnf install buildah in the podman container or vice versa not help with that?

@lsm5 (Member) commented Nov 27, 2023

@travier or I guess we could publish a unified image to quay if it makes life easier. Don't know in which repo it will live though.

@travier (Member, Author) commented Nov 27, 2023

Yes, I can install it in the official image but I was looking for an image that has everything in it so that the GitHub Actions run faster.

@travier (Member, Author) commented Nov 27, 2023

I've made https://github.com/travier/podman-action as an example.

Edit: Hum, I should probably base it on https://github.com/containers/podman/blob/main/contrib/podmanimage/stable/Containerfile or the official image directly.

@vrothberg (Member) commented

Can you elaborate on your need for buildah? Is podman-build not sufficient?

@travier (Member, Author) commented Nov 27, 2023

I don't strictly need buildah, but https://github.com/redhat-actions/buildah-build relies on it. We could also make either a new GitHub Action or tweak the existing one to use podman if it doesn't find buildah.

@vrothberg (Member) commented

Great idea!

@travier (Member, Author) commented Nov 27, 2023

OK, I now have a fully working multi-arch setup with https://github.com/travier/podman-action & https://github.com/travier/cosign-test so we can close this one if we plan to deprecate the Kubic repo.

@travier (Member, Author) commented Nov 27, 2023

or re-purpose this issue into making an image with both buildah & podman.

@vrothberg (Member) commented

Thanks, @travier !

Since we got it working, I am compelled to close. I'd gently push back on an image with podman and buildah as podman includes buildah-build.

@travier (Member, Author) commented Nov 28, 2023

I opened redhat-actions/buildah-build#131 to track the "use podman as a buildah fallback" approach.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Feb 27, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 27, 2024