Support using composefs signatures also with bootc commits
author Alexander Larsson <alexl@redhat.com>
Mon, 15 Sep 2025 09:33:16 +0000 (11:33 +0200)
committer Alexander Larsson <alexl@redhat.com>
Mon, 15 Sep 2025 12:34:12 +0000 (14:34 +0200)
commit 92f6d8ecc87c4965dab6f0f52024a360b498b3db
tree 370912c85258eb7addd218bbeefd3d25020443f7
parent c69bd1dab56b0a744e8d424553264f37b0db8aab
Support using composefs signatures also with bootc commits

When using bootc, if you convert a signed ostree commit into an OCI
image with `rpm-ostree compose container-encapsulate`, you end up with a new
commit that isn't signed. However, the base commit object and its
commitmeta are still in the image and will end up in the repo, and
since https://github.com/bootc-dev/bootc/pull/1600 the base commit
id is available as the parent commit.

So, we change ostree-prepare-root to fall back to using the base
commit+commitmeta to find the expected composefs digest if the main
commit is not signed.

Note: This will only work with ostree-only commits. If you have any
layered data, then the content will change, and the composefs digest
in the base commit will not match the deployed one. This is expected
with such sealed commits though. If you want to layer, either disable
sealing, or create a new sealed ostree commit for the new image.
src/libotcore/otcore-prepare-root.c