From: Colin Walters <walters@verbum.org>
Date: Mon, 21 Aug 2023 21:12:08 +0000 (-0400)
Subject: prepare-root: Fold together composefs signature cases
X-Git-Tag: archive/raspbian/2023.7-3+rpi1^2~16^2^2~40^2~1
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=e952b1bf1413feb21eb0cc9e2514eb9e1895f2cf;p=ostree.git

prepare-root: Fold together composefs signature cases

Now that we don't support digest-but-not-signature verification
for composefs, the logic here was unnecessarily complicated.
With a prior prep patch that moved the composefs option
initialization up, we can just have everything related to signature
verification in a single conditonal.
---

diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c
index 682e71ea..a75c1981 100644
--- a/src/switchroot/ostree-prepare-root.c
+++ b/src/switchroot/ostree-prepare-root.c
@@ -479,21 +479,11 @@ main (int argc, char *argv[])
 
           expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1);
           ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v));
-        }
 
-      if (expected_digest != NULL)
-        {
           cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY;
           g_print ("composefs: Verifying digest: %s\n", expected_digest);
           cfs_options.expected_fsverity_digest = expected_digest;
         }
-      else
-        {
-          // If we're not verifying a digest, then we *must* also have signatures disabled.
-          // Or stated in reverse: if signature verification is enabled, then digest verification
-          // must also be.
-          g_assert (!composefs_config->is_signed);
-        }
 
       if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0)
         {