v2 does not generate usable release signatures

[germanovm]

Version

$ oc-mirror version
oc-mirror version v2.0.0

What happened?

The mirroring works fine, I can even deploy the cincinatti operator with the graph, all is ok.
But I cannot upgrade my cluster because it does not recognize the release signatures.

What did you expect to happen?

The tool generates config-maps with signatures I can apply to the cluster, otherwise I can't use the mirror for upgrades via OSUS:

• lastTransitionTime: "2024-09-04T05:23:39Z"
  message: 'Retrieving payload failed version="4.16.10" image="mirror.example.com:50000/openshift-release-dev/ocp-release@sha256:793bac91943944692d72a61c47a3102edb70fb2948cdf54019f06376a87298ad"
  failure=The update cannot be verified: unable to verify sha256:793bac91943944692d72a61c47a3102edb70fb2948cdf54019f06376a87298ad
  against keyrings: verifier-public-key-redhat'
  reason: RetrievePayload
  status: "False"
  type: ReleaseAccepted

How to reproduce it (as minimally and precisely as possible)?

1. Mirror with graph for disconnected cluster
2. Install cincinatti-operator
3. Configure CVO to use cincinatti-operator
4. Try to upgrade the cluster

Anything else we need to know?

The tool seems to generate the signatures

/shift/registry/workspace/working-dir/signatures# ls -l
total 24
-rwxr-xr-x. 1 root root 896 Sep  3 16:41 0d365611e78c5306975753975419851183536354273a6340021f9b1cdd2a34c3
-rwxr-xr-x. 1 root root 894 Sep  5 10:57 115bba6836b9feffb81ad9101791619edd5f19d333580b7f62bd6721eeda82d2
-rwxr-xr-x. 1 root root 896 Sep  3 16:41 24ea553ce2e79fab0ff9cf2917d26433cffb3da954583921926034b9d5d309bd
-rwxr-xr-x. 1 root root 896 Sep  3 16:41 5f1f16ecdc6429bafb437515a2bb131e367b3d98650599d735a2894cb0d0cddf
-rw-r--r--. 1 root root 899 Sep  5 10:57 793bac91943944692d72a61c47a3102edb70fb2948cdf54019f06376a87298ad
-rwxr-xr-x. 1 root root 899 Sep  3 16:41 ac78ebf77f95ab8ff52847ecd22592b545415e1ff6c7ff7f66bf81f158ae4f5e

But there are binary files that I cannot apply, V1 used to generate a nice config-map for these.

[sherine-k]

Hello @germanovm
We're working on generating the signature configmaps in #924

[rectacoda]

Hello.

We have tested oc-mirror 4.18.0-202410011141.p0.g227a9c4 on stable-4.17 OCP channel
There are 2 files generated for the same signature, 1 json and 1 yaml, but the metadata.mane is missing on both so it can't be applied as is
Also it seems only one of these 2 files is necessary

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[gpow81]

I am very confused - is this solved or not according to this thread? Because I am having same issue using oc-mirrror downloaded directly from redhat just a couple of days ago

[sherine-k]

Hi @gpow81
Can you be more specific? Behavior experienced vs expected? version of oc-mirror used, etc.
#924 and probably a couple of other PRs worked on creating a configmap that can be applied to the cluster, and that provides the signatures for ocp releases that were mirrored.
This work hasn't yet been delivered in an official release yet, but is supposed to be part of the 4.18 release of OpenShift.