composefs deploy: Store cfs signature in .ostree.cfs.sig file

In many cases, such as when using osbuild, we are not preparing the final deployment but rather a rootfs tree that will eventually be copied to the final location. In that case we don't want to apply the signature directly but when the deployment is copied in place. To make this situateion workable we also write the signature to a file next to the composefs image file. Then whatever mechanism that does the final copy can apply the signature.
ostreedev · May 29, 2023 · 0218959 · 0218959
1 parent fa78974
commit 0218959
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
@@ -699,10 +699,21 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
       if (!glnx_fchmod (tmpf.fd, 0644, error))
         return FALSE;
 
-      if (apply_composefs_signature && metadata_composefs_sig)
-        sig = g_variant_get_data_as_bytes (metadata_composefs_sig);
+      if (metadata_composefs_sig)
+        {
+          g_autofree char *composefs_sig_path
+              = g_strdup_printf ("%s/.ostree.cfs.sig", checkout_target_name);
+
+          sig = g_variant_get_data_as_bytes (metadata_composefs_sig);
+
+          /* Write signature to file so it can be applied later if needed */
+          if (!glnx_file_replace_contents_at (osdeploy_dfd, composefs_sig_path,
+                                              g_bytes_get_data (sig, NULL), g_bytes_get_size (sig),
+                                              0, cancellable, error))
+            return FALSE;
+        }
 
-      if (!_ostree_tmpf_fsverity (repo, &tmpf, sig, error))
+      if (!_ostree_tmpf_fsverity (repo, &tmpf, apply_composefs_signature ? sig : NULL, error))
         return FALSE;
 
       if (!glnx_link_tmpfile_at (&tmpf, GLNX_LINK_TMPFILE_REPLACE, osdeploy_dfd, composefs_cfs_path,