composefs deploy: Store cfs signature in .ostree.cfs.sig file
authorAlexander Larsson <alexl@redhat.com>
Mon, 29 May 2023 10:25:55 +0000 (12:25 +0200)
committerAlexander Larsson <alexl@redhat.com>
Wed, 31 May 2023 08:57:37 +0000 (10:57 +0200)
In many cases, such as when using osbuild, we are not preparing the final
deployment but rather a rootfs tree that will eventually be copied to the
final location. In that case we don't want to apply the signature directly
but when the deployment is copied in place.

To make this situation workable we also write the signature to a file
next to the composefs image file. Then whatever mechanism that does
the final copy can apply the signature.

src/libostree/ostree-sysroot-deploy.c

index a4853bb010e0e062ab274caa99b9c790a71ad3ec..cbb56c8798fb9dd732eb0782ba9c676ddece8ce6 100644 (file)
@@ -699,10 +699,21 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
       if (!glnx_fchmod (tmpf.fd, 0644, error))
         return FALSE;
 
-      if (apply_composefs_signature && metadata_composefs_sig)
-        sig = g_variant_get_data_as_bytes (metadata_composefs_sig);
+      if (metadata_composefs_sig)
+        {
+          g_autofree char *composefs_sig_path
+              = g_strdup_printf ("%s/.ostree.cfs.sig", checkout_target_name);
+
+          sig = g_variant_get_data_as_bytes (metadata_composefs_sig);
+
+          /* Write signature to file so it can be applied later if needed */
+          if (!glnx_file_replace_contents_at (osdeploy_dfd, composefs_sig_path,
+                                              g_bytes_get_data (sig, NULL), g_bytes_get_size (sig),
+                                              0, cancellable, error))
+            return FALSE;
+        }
 
-      if (!_ostree_tmpf_fsverity (repo, &tmpf, sig, error))
+      if (!_ostree_tmpf_fsverity (repo, &tmpf, apply_composefs_signature ? sig : NULL, error))
         return FALSE;
 
       if (!glnx_link_tmpfile_at (&tmpf, GLNX_LINK_TMPFILE_REPLACE, osdeploy_dfd, composefs_cfs_path,
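Review bot: The name of the sidecar file is a second literal (`"%s/.ostree.cfs.sig"` on the `composefs_sig_path` line) that has to stay in step with however `composefs_cfs_path` is built outside this hunk; deriving it instead, e.g. `= g_strconcat (composefs_cfs_path, ".sig", NULL);` if `composefs_cfs_path` is the `%s/.ostree.cfs` path, keeps the two from drifting and makes the image/signature pairing obvious to the consumer the commit message describes. The comment above the write should also state the contract that consumer relies on, something like `/* Always persist the raw signature bytes next to the image, even when not applied here, so a later copy of this tree can pass them to fs-verity enable */`. The write uses flags `0`, so nothing in the hunk forces the signature file to disk before the image is linked in; if the deployment directory is not synced as a whole later, `GLNX_FILE_REPLACE_DATASYNC_NEW` would be the place to request it. checkout_deployment_tree continues past the end of the hunk.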