From 021895968970175725029c4bf06e3ce71441f95f Mon Sep 17 00:00:00 2001
From: Alexander Larsson
Date: Mon, 29 May 2023 12:25:55 +0200
Subject: [PATCH] composefs deploy: Store cfs signature in .ostree.cfs.sig file

In many cases, such as when using osbuild, we are not preparing the final deployment but rather a rootfs tree that will eventually be copied to the final location. In that case we don't want to apply the signature directly but when the deployment is copied in place. To make this situateion workable we also write the signature to a file next to the composefs image file. Then whatever mechanism that does the final copy can apply the signature.
---
 src/libostree/ostree-sysroot-deploy.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
index d6597043d8..6b7afaa35f 100644
--- a/src/libostree/ostree-sysroot-deploy.c
+++ b/src/libostree/ostree-sysroot-deploy.c
@@ -699,10 +699,21 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
 if (!glnx_fchmod (tmpf.fd, 0644, error))
 return FALSE;
 
- if (apply_composefs_signature && metadata_composefs_sig)
- sig = g_variant_get_data_as_bytes (metadata_composefs_sig);
+ if (metadata_composefs_sig)
+ {
+ g_autofree char *composefs_sig_path
+ = g_strdup_printf ("%s/.ostree.cfs.sig", checkout_target_name);
+
+ sig = g_variant_get_data_as_bytes (metadata_composefs_sig);
+
+ /* Write signature to file so it can be applied later if needed */
+ if (!glnx_file_replace_contents_at (osdeploy_dfd, composefs_sig_path,
+ g_bytes_get_data (sig, NULL), g_bytes_get_size (sig),
+ 0, cancellable, error))
+ return FALSE;
+ }
 
- if (!_ostree_tmpf_fsverity (repo, &tmpf, sig, error))
+ if (!_ostree_tmpf_fsverity (repo, &tmpf, apply_composefs_signature ? sig : NULL, error))
 return FALSE;
 
 if (!glnx_link_tmpfile_at (&tmpf, GLNX_LINK_TMPFILE_REPLACE, osdeploy_dfd, composefs_cfs_path,
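Review bot: The new `.ostree.cfs.sig` file is written with `glnx_file_replace_contents_at (..., 0, cancellable, error)`, so its mode (and, with flags 0, presumably its durability as a newly created file) falls back to the libglnx defaults, whereas the adjacent image was explicitly `glnx_fchmod`'d to 0644 a few lines earlier in the hunk. Since an external copy step is expected to read this file and apply it as the fs-verity signature, I would make the mode explicit so the two artifacts match: `if (!glnx_file_replace_contents_with_perms_at (osdeploy_dfd, composefs_sig_path, g_bytes_get_data (sig, NULL), g_bytes_get_size (sig), 0644, (uid_t) -1, (gid_t) -1, 0, cancellable, error))`. The file name is now an interface for osbuild-style tooling, so the comment should state the contract rather than just "write signature to file", e.g. `/* Detached signature for .ostree.cfs, not itself fs-verity protected; when apply_composefs_signature is FALSE the image is linked without it and whatever copies this tree into place is expected to apply it. */`. The file is also written when apply_composefs_signature is TRUE, which looks intentional but deserves a sentence in the commit message. checkout_deployment_tree begins and ends outside the hunk.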