checkout: Only verify digest if repo requires fsverity
authorColin Walters <walters@verbum.org>
Wed, 30 Oct 2024 14:07:26 +0000 (10:07 -0400)
committerColin Walters <walters@verbum.org>
Mon, 4 Nov 2024 18:01:55 +0000 (13:01 -0500)
Fixes a regression from the previous commit; in
the case where the target repo doesn't have composefs in
signed mode there's no reason to verify the digest
at checkout time because we aren't verifying it at
boot time either.

The regression affects cases such as rpm-ostree, where as of recently
we unconditionally add the composefs digest, while for e.g. FCOS we
aren't deploying with fsverity enabled.

Closes: https://github.com/ostreedev/ostree/issues/3330
Signed-off-by: Colin Walters <walters@verbum.org>
src/libostree/ostree-repo-checkout.c
tests/inst/src/composefs.rs
tests/test-composefs.sh

index 8696229b3787b37fb46d6da29a1aff1d9bd78882..2e50c30dedd7ea4aee309b4e98cd27ce20c48d83 100644 (file)
@@ -1346,9 +1346,14 @@ ostree_repo_checkout_composefs (OstreeRepo *self, GVariant *options, int destina
   if (!ostree_composefs_target_write (target, tmpf.fd, &fsverity_digest, cancellable, error))
     return FALSE;
 
-  /* If the commit specified a composefs digest, verify it */
-  if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
-    return FALSE;
+  /* If the commit specified a composefs digest and the target is known to have fsverity,
+   * then double check our ouptut.
+   */
+  if (verity == OT_TRISTATE_YES)
+    {
+      if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
+        return FALSE;
+    }
 
   if (!glnx_fchmod (tmpf.fd, 0644, error))
     return FALSE;
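Review bot: When `verity` is not `OT_TRISTATE_YES`, the commit's composefs digest is now skipped without any trace, so a generated image that differs from the digest in the commit metadata goes unnoticed on those repos; the new comment should say that this is deliberate. Something like `/* Only enforce the commit's composefs digest when fsverity is required; otherwise nothing checks it at boot either, so a mismatch is deliberately not an error. */` would do, and it would also replace the `ouptut` typo. How `verity` is derived is outside this hunk, so the phrase "the target is known to have fsverity" cannot be checked against the condition from here. If a mismatch in the non-required case is still worth knowing about, a debug-level log on that path would keep it diagnosable without failing the checkout.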
index eddccd1d6e3d73c3992e5d540d92f19d7115c5c9..d4fadd759a734cebb89787a8e25d19df66351a85 100644 (file)
@@ -153,7 +153,7 @@ pub(crate) fn itest_composefs() -> Result<()> {
                 return Ok(());
             }
             {
-                let fstype = cmd!(sh, "stat -f / -c %T").read()?;
+                let fstype = cmd!(sh, "stat -f /sysroot -c %T").read()?;
                 if fstype.trim() == "xfs" {
                     println!("SKIP no xfs fsverity yet");
                     return Ok(());
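Review bot: The switch from `/` to `/sysroot` in the `stat -f` call has no comment, and the reason is not visible in this hunk. Presumably `/` on a composefs-booted system reports the image or overlay filesystem rather than the backing one, so a line such as `// stat /sysroot: / is presumably the composefs mount, not the physical filesystem` above the call would keep someone from reverting it. The enclosing block of `itest_composefs` starts and ends outside the hunk.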
index 12813cf2a9f5b557fdf4f38b6eedbb763c0e97e3..72f81284ec35536f1dcb11554a3fbf67a75e22d9 100755 (executable)
@@ -62,4 +62,14 @@ composefs-info dump test2-co-noverity.cfs > dump.txt
 assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
 tap_ok "checkout composefs noverity"
 
+# Test with a corrupted composefs digest
+$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
+    '--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
+, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
+if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
+    fatal "checked out composefs with mismatched digest"
+fi
+assert_file_has_content_literal err.txt "doesn't match expected digest"
+tap_ok "checkout composefs bad digest"
+
 tap_end
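Review bot: The added case only proves that a mismatched digest is rejected; the regression described in the commit message gets no test here. That regression is a checkout that must succeed when fsverity is not required, even though the commit carries a digest. Repeating the checkout of `test-composefs-bad-digest` in the mode used by the preceding "checkout composefs noverity" case, asserting that it succeeds and adding its own `tap_ok`, would pin the fixed behaviour alongside the rejection path.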