Red Hat SummitChapter 3. Bug fixes
In this release of Red Hat Trusted Artifact Signer (RHTAS), we fixed the following bugs. In addition to these fixes, we list the descriptions of previously known issues found in earlier versions that we fixed.
- Fixed the formatting of solution links
-
We fixed an issue with the links that appear in the solutions and descriptions text outputted from the
ec validate imagecommand. The links to additional documentation now appear as a correctly formatted URL string.
- Download size limitation for artifacts
- We removed a download size limit on Open Container Initiative (OCI) fetches for artifacts larger than 10 MB. This limitation was causing artifacts to become truncated, leading to an error when accessing larger Software Bill of Materials (SBOM) documents.
- Rekor unable to write attestations to storage
-
Rekor writes the attestation to the
/tmp/directory, and then tries to move the attestation to a persistent volume claim (PVC). The moving of the attestation file is really a "rename" operation within the code base. The "rename" operation only works for locations within the same mount point, but was failing when moving between mount points. With this release, we fixed this issue so Rekor can correctly write attestations to the PVC.
- Fulcio service crash when configured with the Kubernetes OIDC issuer
-
A missing required certificate was causing the Fulcio service to crash with a unrecoverable error when configured with the Kubernetes OpenID Connect (OIDC) issuer, for example,
https://kubernetes.default.svc. This missing certificate was preventing the Fulcio service from running, and servicing signing requests. With this release, we fixed the issue by mounting the Kubernetes API server certificate to/var/run/fulcio/ca.crt, and the Fulcio service starts successfully when configuring the Kubernetes OIDC issuer.
- Two Rekor log entries from one signature
- When configuring Rekor and Certificate Transparency log with the same tree identifier in Trillian this causes two Rekor log entries for one signature. To fix this issue, configure Rekor and Certificate Transparency log with unique tree identifier.
- Health probe for Trillian not working properly
-
A wrongly-formatted container command was not sending health probes to the
trillian-mysqlpod. This was generating error messages with the "unhealthy" or "improper" tags, even though the pod was healthy. With this release, we fixed the format of the container command, and the health probe reports the correct status.
- Deploying RHTAS on Red Hat Enterprise Linux was creating anonymous volumes
-
The Rekor manifests did not have defined volumes. This created anonymous volumes with random names, making them hard to know who they belonged to. With this release, we fixed the Rekor manifests by adding proper volume mounting. We name the volumes as follows:
redis-backfill-storageandrekor-redis-storage.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}