Inherit container policy when doing a switch #815
Comments
This is all a bit confusing. There's a whole "observability problem" with the image signature bits here that we should definitely highlight in status in the case where we did verify a signature. Another way to say this is I'm trying to deprecate the special ostree-container signature verification; bootc should behave the same as podman. IOW if we have something like But basically I believe we were still enforcing signatures while you were switching assuming that you've configured
Hah, yes of course, this makes total sense. Gotten so used to it being "the one where the user didn't bother to set up signing" that it ended up just turning into "disabled" in my brain. Thanks! 😄
Reopening after a quick discussion at kubecon. Here's the UX problem we're trying to solve: Switching between streams. Scroll down a bit to the manual examples. Typing the long sigpolicy flag gets old quickly when doing development. But if you don't use that flag the switch rebases to the target but is unsigned. We'd like for it to just only switch between signed images so we don't need to deal with the long flag. Colin seems surprised by this and thought maybe there was an issue here, so reopening.
I noticed that doing a `bootc switch` from a signed image results in switching to an unsigned image unless you explicitly pass `--enforce-container-sigpolicy`.
Reproducible Example:

```
ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:40
bootc switch ghcr.io/ublue-os/bluefin:39
ostree-unverified-registry:ghcr.io/ublue-os/bluefin:39
```
Passing the enforce flag works as expected. The use case is that when doing testing it's common to switch a bunch. I was digging for a regression and switching between daily builds in multiple VMs, and by the time I was done all my images were unsigned.
Not sure on what the UX should look like as I would guess there are other enterprise policy features that would need to be accounted for. But it would be nice if the signing was transparent unless there was an error, so I figured if you're on a signed image you'd want to stay on a signed image.
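To make the reproducer above concrete, here is an added example (not bootc code and not written by the issue's author) that models the transport-prefix logic in Python: what reference a switch target ends up with today, depending on whether `--enforce-container-sigpolicy` is passed, and what "inherit the booted image's policy" would produce instead. The transport names (`ostree-image-signed`, `ostree-unverified-registry`, `ostree-unverified-image`) and the `docker://` form of the signed reference are taken from the strings shown in the reproducer; that bootc builds exactly these strings from the flag is an assumption of this model, as is the `inherit_policy` behaviour, which is the proposal under discussion rather than anything bootc currently does.

```python
"""Model of how a `bootc switch` target keeps or loses the booted image's
signature policy, based on the ostree-container transport prefix.

Added example; the transport strings follow the issue's reproducer and the
mapping from the enforce flag to those strings is an assumption.
"""

# Transport prefixes of ostree-container image references.  Only the first
# one implies signature verification against containers-policy.json; the
# others pull without any verification.
SIGNED_TRANSPORT = "ostree-image-signed"
UNVERIFIED_TRANSPORTS = ("ostree-unverified-registry", "ostree-unverified-image")
KNOWN_TRANSPORTS = (SIGNED_TRANSPORT,) + UNVERIFIED_TRANSPORTS


def parse_ref(ref: str):
    """Split 'transport:rest' into (transport, rest).

    A bare 'registry/name:tag', as typed to `bootc switch`, carries no
    transport and yields (None, ref).
    """
    for transport in KNOWN_TRANSPORTS:
        if ref.startswith(transport + ":"):
            return transport, ref[len(transport) + 1:]
    return None, ref


def is_signed(ref: str) -> bool:
    """True only for the signature-verifying transport."""
    return parse_ref(ref)[0] == SIGNED_TRANSPORT


def effective_ref(target: str, enforce_sigpolicy: bool = False) -> str:
    """Reference a bare switch target becomes under the behaviour reported
    in the issue (assumed model): unverified-registry by default, the signed
    docker:// form when the enforce flag is passed.  Targets that already
    name a transport are left untouched.
    """
    transport, rest = parse_ref(target)
    if transport is not None:
        return target
    if enforce_sigpolicy:
        return f"{SIGNED_TRANSPORT}:docker://{rest}"
    return f"{UNVERIFIED_TRANSPORTS[0]}:{rest}"


def inherit_policy(booted_ref: str, target: str) -> str:
    """Proposed behaviour: express `target` with the booted image's transport.

    An explicit transport on `target` always wins.  For a signed booted
    reference the skopeo scheme (e.g. docker://) is carried over too.
    """
    booted_transport, booted_rest = parse_ref(booted_ref)
    target_transport, target_rest = parse_ref(target)
    if target_transport is not None or booted_transport is None:
        return target
    if booted_transport == SIGNED_TRANSPORT and "//" in booted_rest:
        scheme = booted_rest.split("//", 1)[0] + "//"
        return f"{SIGNED_TRANSPORT}:{scheme}{target_rest}"
    return f"{booted_transport}:{target_rest}"


def switch_would_downgrade(booted_ref: str, target: str,
                           enforce_sigpolicy: bool = False) -> bool:
    """True when the switch silently moves from a verified to an unverified
    reference; this is the condition a pre-switch check would flag."""
    if not is_signed(booted_ref):
        return False
    return not is_signed(effective_ref(target, enforce_sigpolicy))


if __name__ == "__main__":
    # Constructed input mirroring the issue's reproducer.
    booted = "ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:40"
    target = "ghcr.io/ublue-os/bluefin:39"
    print("today, no flag:   ", effective_ref(target))
    print("today, with flag: ", effective_ref(target, enforce_sigpolicy=True))
    print("inherited policy: ", inherit_policy(booted, target))
    print("downgrade without flag:", switch_would_downgrade(booted, target))
```

Running it on the reproducer's references shows the bare target turning into `ostree-unverified-registry:...` without the flag, the signed `docker://` form with it, and the signed form again under the inherit-policy rule; `switch_would_downgrade` is the check a wrapper around `bootc switch` could run to refuse, or at least warn about, a switch that would leave the host on an unverified image.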