Podman errors and solutions

The following errors may occur during container signing.

Common errors

You cannot run Podman with sudo

The gpg-agent running as root is unable to read Software Trust Manager environment variables.

Podman cannot be configured with Sigstore

Attempting to pull an image with no signatures available will result in errors.

When the gpg-agent is managed by systemd

Execute this command before attempting to sign using ssm-scd:

systemctl --user import-environment

Considerations

Signing container images with Podman and GPG has the following requirements:

  1. A valid private GPG key is required on the signing machine and corresponding public keys are required on every system that pulls the image.

  2. A web server must run somewhere that has access to the signature storage.

  3. The web server must be configured in any /etc/containers/registries.d/*.yaml file.

  4. Every image pulling system must be configured to contain the enforcing policy configuration via policy.conf.
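
One way to check requirement 4 on a pulling system, as an added example that is not from the original page: it resolves which policy scope applies to an image reference and whether an unsigned image would be accepted. It assumes the enforcing policy uses the containers-policy.json format (normally /etc/containers/policy.json) and that image references are fully qualified; the sample policy, registry names and key path are constructed.

```python
import json

# Constructed sample in containers-policy.json format; the registry name and
# key path are placeholders, not values from the page.
SAMPLE_POLICY = json.loads("""{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {"docker": {
    "registry.example.com/prod": [{"type": "signedBy", "keyType": "GPGKeys",
                                   "keyPath": "/etc/pki/containers/signer.gpg"}],
    "*.example.com": [{"type": "reject"}]
  }}
}""")

def candidate_scopes(image_ref):
    """Policy scopes for a fully qualified docker reference, most specific first."""
    scopes = [image_ref]
    name = image_ref.split("@", 1)[0]            # drop a digest
    if ":" in name[name.rfind("/") + 1:]:        # drop a tag, keep host:port
        name = name[:name.rfind(":")]
    while True:                                  # repository, namespaces, host
        scopes.append(name)
        if "/" not in name:
            break
        name = name.rsplit("/", 1)[0]
    host = name.split(":", 1)[0]                 # wildcard scopes ignore the port
    while "." in host:
        host = host.split(".", 1)[1]
        scopes.append("*." + host)
    return scopes

def effective_requirements(policy, image_ref, transport="docker"):
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(image_ref) + [""]:   # "" is the transport default
        if scope in scopes:
            return scope or "(transport default)", scopes[scope]
    return "(global default)", policy["default"]

def audit(policy, image_ref):
    """Classify what happens to an unsigned image_ref under this policy."""
    scope, requirements = effective_requirements(policy, image_ref)
    types = {req["type"] for req in requirements}
    if "reject" in types:
        return scope, "rejected"
    if types <= {"insecureAcceptAnything"}:
        return scope, "unsigned-accepted"
    return scope, "signature-required"

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, "registry.example.com/prod/app:1.0"))
```

A result of "unsigned-accepted" for a registry that is expected to serve signed images means the pulling system is not enforcing signatures for it.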

Error not listed here?

When you encounter an error while signing a container, follow the procedure below to check the PKCS11 logs:

  1. To set the log level to TRACE, run the command:

  2. Run the signing command that failed again.

  3. To identify where your logs are located, run:

    echo %USERPROFILE%/.signingmanager/logs

  4. Copy the output of the command to navigate to the logs location.

  5. Open the smpkcs11.log file.

  6. To identify the most recent event, scroll to the end of the logs.

  7. The last few lines should explain why the error occurred.

  8. If you are unable to resolve the error based on the information provided, contact Support and provide the log file.