Creating importer: failed to invoke method OpenImage

My image is built here: https://github.com/pboling/galtzo/actions
➜ ujust update
note: automatic updates (stage) are enabled
Pulling manifest: ostree-image-signed:docker://ghcr.io/pboling/galtzo:latest
error: Creating importer: failed to invoke method OpenImage: failed to invoke method OpenImage: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature
Initially I was trying to update my signing key, just to know how it was done, in case I needed to do it at some point. But ever since attempting it, the images that get built are not able to be verified, and so ujust update refuses to upgrade my system, giving the error above. I have tried updating the key several times now, with the same result.

I am following the instructions here: https://github.com/ublue-os/image-template?tab=readme-ov-file#container-signing

I have the following version of cosign installed, as of the latest attempt:
➜ cosign version
______ ______ _______. __ _______ .__ __.
/ | / __ \ / || | / _____|| \ | |
| ,----'| | | | | (----`| | | | __ | \| |
| | | | | | \ \ | | | | |_ | | . ` |
| `----.| `--' | .----) | | | | |__| | | |\ |
\______| \______/ |_______/ |__| \______| |__| \__|
cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion: 2.5.3
GitCommit: 488ef8ceed5ab5d77379e9077a124a0d0df41d06
GitTreeState: "clean"
BuildDate: 2025-07-17T19:56:47Z
GoVersion: go1.24.5
Compiler: gc
Platform: linux/amd64
I have the following version of gh installed:
➜ gh version
gh version 2.74.2
https://github.com/cli/cli/releases/tag/v2.74.2
I don't know what else to try.
3 Replies
Peter Boling (OP), 2mo ago
When I verify the cosign.pub in the repo against the image:
➜ cosign verify --key cosign.pub ghcr.io/pboling/galtzo
setting TUF refresh period to 24h0m0s

Verification for ghcr.io/pboling/galtzo:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key

[{"critical":{"identity":{"docker-reference":"ghcr.io/pboling/galtzo"}...
It works! But it is unable to verify the image when updating for some reason.
fiftydinar, 2mo ago
Can you check if there is any diff between /usr/etc/containers/policy.json & /etc/containers/policy.json? If there is a difference, then copy the /usr/etc/ version to /etc/ and test if it fixes the issue.
Peter Boling (OP), 4w ago
@fiftydinar Hi, sorry for the delayed response, I was hiking in the mountains.
✗ diff /usr/etc/containers/policy.json /etc/containers/policy.json
There is no difference between the files. They are identical. However, the time stamp on the /usr/etc/ one is strange.
➜ ls -la /usr/etc/containers/policy.json /etc/containers/policy.json
-rw-r--r--. 1 root root 2239 Jun 27 18:12 /etc/containers/policy.json
-rw-r--r--. 1 root root 2239 Jan 1 1970 /usr/etc/containers/policy.json
Oh, could it be because I set my timezone to UTC? Relatedly, in settings in the time zone config, there are no time zones to choose. I had to set it via the CLI. I know verification can depend on time synchronization, so now I'm guessing that is it. I really hate the way u-blue (or Fedora?) handles timezone... it seems to just not.

Doesn't seem to be related to time zone 😦 I think I'm going to start over with my spin.

@fiftydinar I resolved this by starting a new blue-build, with the same config, but kept the signing key that was auto-generated, and then rebasing to the new image. All good here!
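
Added example, not part of the thread and not code from ublue-os or cosign: `cosign verify --key cosign.pub` checks the image against the key file passed on the command line, while an `ostree-image-signed:` pull checks it against whichever key the host's `policy.json` names for the image's registry scope, so the two can disagree. The sketch below resolves the scope for an image, collects the keys its `sigstoreSigned` requirements accept, and compares them with a given public key; the policy, the key path and the placeholder "keys" are constructed sample data.

```python
import base64, hashlib, re

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of a PEM key, so line wrapping does not matter."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def scopes(image: str):
    """Yield policy scopes from most to least specific (containers-policy.json(5))."""
    yield image
    head, _, last = image.rpartition("/")
    name = (head + "/" if head else "") + re.split("[@:]", last)[0]
    if name != image:
        yield name                     # repository without tag or digest
    while "/" in name:
        name = name.rsplit("/", 1)[0]  # namespace prefixes, then the registry host
        yield name
    yield ""                           # transport-wide default scope

def requirements(policy: dict, image: str) -> list:
    docker = policy.get("transports", {}).get("docker", {})
    hit = next((s for s in scopes(image) if s in docker), None)
    return policy.get("default", []) if hit is None else docker[hit]

def trusted_fingerprints(policy: dict, image: str, read_key) -> set:
    """Fingerprints of every key a sigstoreSigned requirement accepts for image."""
    found = set()
    for req in requirements(policy, image):
        if req.get("type") != "sigstoreSigned":
            continue
        for path in [req["keyPath"]] if "keyPath" in req else req.get("keyPaths", []):
            found.add(fingerprint(read_key(path)))
        if "keyData" in req:  # base64 of the key file's contents
            found.add(fingerprint(base64.b64decode(req["keyData"]).decode()))
    return found

# Constructed sample data: placeholder bytes stand in for real public keys.
def fake_pem(seed: bytes) -> str:
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % base64.b64encode(seed).decode()

OLD_KEY, NEW_KEY = fake_pem(b"constructed old key"), fake_pem(b"constructed new key")
KEY_FILES = {"/etc/pki/containers/example.pub": OLD_KEY}  # hypothetical path on the host
POLICY = {"default": [{"type": "reject"}], "transports": {"docker": {
    "ghcr.io/example": [{"type": "sigstoreSigned",
                         "keyPath": "/etc/pki/containers/example.pub",
                         "signedIdentity": {"type": "matchRepository"}}]}}}

def repo_key_is_trusted(pub_pem: str, image: str) -> bool:
    return fingerprint(pub_pem) in trusted_fingerprints(POLICY, image, KEY_FILES.__getitem__)
print("rotated key trusted by host policy:", repo_key_is_trusted(NEW_KEY, "ghcr.io/example/image:latest"))
```

On a real host, load `/etc/containers/policy.json` with `json.load` and pass a function that reads the key file from disk as `read_key`.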
