sysroot-deploy: Require fsverity when composefs.enabled=verity
author Misaki Kasumi <misakikasumi@outlook.com>
Mon, 16 Dec 2024 20:48:50 +0000 (04:48 +0800)
committer Colin Walters <walters@verbum.org>
Tue, 17 Dec 2024 15:53:54 +0000 (15:53 +0000)
docs/composefs.md
src/libostree/ostree-sysroot-deploy.c

index 8ae570effec7023f79eb02b7231b9b984dd62416..513fdb2193497de48df481817108817bd5e59204 100644 (file)
@@ -47,11 +47,6 @@ before the content of a file in the mounted composefs is read,
 the integrity of its backing OSTree object in `/ostree/repo/objects` is validated by the digest stored in `.ostree.cfs`.
 This can ensure the integrity of the "backing store".
 
-The digests in `.ostree.cfs` are read from fsverity digests of OSTree objects when deploying.
-It is necessary to ensure all OSTree objects referenced have digests stored in `.ostree.cfs`.
-This can be achieved when [committing](#injecting-composefs-digests),
-or you have to set `ex-integrity.fsverity` to `true` for the OSTree repo.
-
 ### Injecting composefs digests
 
 When generating an OSTree commit, there is a CLI switch `--generate-composefs-metadata`
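Review bot: The docs hunk only deletes the paragraph about where the `.ostree.cfs` digests come from and adds nothing in its place, so the behaviour named in the commit subject (fsverity is required when `composefs.enabled=verity`) is not documented in the visible lines. Consider replacing the removed text with a short statement of the new requirement and of what an operator sees when the backing objects lack fsverity, rather than leaving the integrity section to end at "This can ensure the integrity of the "backing store"." The removed text also carried the only visible mention of `ex-integrity.fsverity`; if that repo option is still relevant to operators, it should stay documented somewhere.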
index 43f380f68c311725c3c92d4eefaf66e193b510f4..45dc75a5bfd9531b2990acc42d399048e49d4ecc 100644 (file)
@@ -680,7 +680,7 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
       g_auto (GVariantBuilder) cfs_checkout_opts_builder
           = G_VARIANT_BUILDER_INIT (G_VARIANT_TYPE_VARDICT);
       guint32 composefs_requested = 1;
-      if (composefs_config->is_signed)
+      if (composefs_config->require_verity)
         composefs_requested = 2;
       g_variant_builder_add (&cfs_checkout_opts_builder, "{sv}", "verity",
                              g_variant_new_uint32 (composefs_requested));
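Review bot: With the condition switched from `composefs_config->is_signed` to `composefs_config->require_verity`, a configuration that is signed no longer raises `composefs_requested` to 2 on its own in this function. Please confirm that `require_verity` is always set wherever `is_signed` is set (or that dropping the signed case to level 1 is intended), since the hunk does not show where either field is populated. Separately, the literals 1 and 2 passed as the "verity" option are unexplained here; a brief comment or named constants stating what each level means would make the intent of `composefs_requested = 2` checkable at the call site.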