gitea: Registry: Error response from daemon: missing signature key after upgrade to 1.21.0

Description

Since the upgrade to 1.21.0 the docker image build succeed but the docker pull fails with

docker pull gitea.sikorski.cloud/rogersik/ansible:development
Error response from daemon: missing signature key

I suspect this is because of 1.21.0 because before the upgrade I din’t have this problem. I can’t

  • Gitea 1.21.0
  • using Act Runner on Kubernetes (with root rights)
  • Minio as S3 storage

Test build locally with docker client

$ docker build . -t gitea.sikorski.cloud/rogersik/ansible:development
failed to fetch metadata: fork/exec /home/rsikorski/.docker/cli-plugins/docker-buildx: no such file or directory

DEPRECATED: The legacy builder is deprecated and will be removed in a future release.
            Install the buildx component to build images with BuildKit:
            https://docs.docker.com/go/buildx/

Sending build context to Docker daemon   10.1MB
Step 1/7 : FROM python:3.11-alpine3.18
 ---> 270f1e4a1f16

## shortened ##

Successfully built fa533b1a9606
Successfully tagged gitea.sikorski.cloud/rogersik/ansible:development
[rsikorski@ALIENWARE Ansible (feature/gitea-workflow-update)]$ docker push gitea.sikorski.cloud/rogersik/ansible:development
The push refers to repository [gitea.sikorski.cloud/rogersik/ansible]
fc95f885118b: Pushed 
23e5afdd0f5b: Pushed 
83a9d089d007: Pushed 
086ab54fdc47: Pushed 
d85eefc84d77: Pushed 
880f9dc6c21c: Pushed 
47818e695d36: Pushed 
a4aa75b591c8: Pushed 
e9e9555ceaa8: Pushed 
6f25d7d19389: Pushed 
cc2447e1835a: Layer already exists 
development: digest: sha256:5648a9fde44c7a13075e23e77c7d0ca56db8d43ad727857d8f5f08a4abb867d4 size: 2621
[rsikorski@ALIENWARE Ansible (feature/gitea-workflow-update)]$ docker push gitea.sikorski.cloud/rogersik/ansible:development
The push refers to repository [gitea.sikorski.cloud/rogersik/ansible]
fc95f885118b: Layer already exists 
23e5afdd0f5b: Layer already exists 
83a9d089d007: Layer already exists 
086ab54fdc47: Layer already exists 
d85eefc84d77: Layer already exists 
880f9dc6c21c: Layer already exists 
47818e695d36: Layer already exists 
a4aa75b591c8: Layer already exists 
e9e9555ceaa8: Layer already exists 
6f25d7d19389: Layer already exists 
cc2447e1835a: Layer already exists 
development: digest: sha256:5648a9fde44c7a13075e23e77c7d0ca56db8d43ad727857d8f5f08a4abb867d4 size: 2621
[rsikorski@ALIENWARE Ansible (feature/gitea-workflow-update)]$ docker push gitea.sikorski.cloud/rogersik/ansible:development
The push refers to repository [gitea.sikorski.cloud/rogersik/ansible]
fc95f885118b: Layer already exists 
23e5afdd0f5b: Layer already exists 
83a9d089d007: Layer already exists 
086ab54fdc47: Layer already exists 
d85eefc84d77: Layer already exists 
880f9dc6c21c: Layer already exists 
47818e695d36: Layer already exists 
a4aa75b591c8: Layer already exists 
e9e9555ceaa8: Layer already exists 
6f25d7d19389: Layer already exists 
cc2447e1835a: Layer already exists 
development: digest: sha256:5648a9fde44c7a13075e23e77c7d0ca56db8d43ad727857d8f5f08a4abb867d4 size: 2621

[rsikorski@ALIENWARE Ansible (feature/gitea-workflow-update)]$ docker pull gitea.sikorski.cloud/rogersik/ansible:development
Error response from daemon: missing signature key

I builded the image now on three different ways

  • Gitea Act Runner: Kaniko
  • Gitea Act Runner: Docker root
  • locally on Ubuntu

I deleted the :development image and rebuild it the same error happens. When using an unused tag example test1 same error.

When downloading a ready image like alpine:latest

docker pull alpine:latest
docker tag alpine:latest gitea.sikorski.cloud/rogersik/ansible:development
docker push gitea.sikorski.cloud/rogersik/ansible:development
docker pull gitea.sikorski.cloud/rogersik/ansible:development
Error response from daemon: missing signature key

Gitea Version

1.21.0

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

1.21.0

Operating System

Ubuntu 22.04 / K3s

How are you running Gitea?

Gitea with the official docker container running on K3S.

Database

PostgreSQL

About this issue

  • Original URL
  • State: open
  • Created 7 months ago
  • Reactions: 2
  • Comments: 21 (6 by maintainers)

Most upvoted comments

Further testing; after disabling SERVE_DIRECT for packages I am now able to use the registry again as normal.

+2
EternalDeiwos on Nov 27, 2023

What I find odd here is I am getting the expected 307 that redirects to my S3 storage containing the image layers… and the error message is complaining about a missing signature key. I don’t think this is authentication related but rather a server-side problem.

That said, I’ll play with the auth and see if I can at least rule it out as related.

+1
EternalDeiwos on Nov 26, 2023
Read more comments on GitHub
← gitea: Recent Gitea 1.16 (stable) breaks build on Fedora 35 because the go.mod was changed to require Go1.17
gitea: Regression: login via LDAP not possible: '(LDAP Result Code 2 "Protocol Error": )' →