to use it with transient keys. This is done like this:
* Generate a new keypair before each build
* Embed the public key in the initrd that is part of the commit.
- * Ensure the initrd has a `prepare-root.conf` with `keyfile=/path/to/key`
+ * Ensure the initrd has a `prepare-root.conf` with `[composefs] enabled=signed`, and either use `keypath` or inject `/etc/ostree/initramfs-root-binding.key`; for more see `man ostree-prepare-root`
* After committing, run `ostree --sign` with the private key.
* Throw away the private key.
const char *config_roots[] = { "/usr/lib", "/etc" };
#define PREPARE_ROOT_CONFIG_PATH "ostree/prepare-root.conf"
-#define DEFAULT_KEYPATH "/etc/ostree/initramfs-root-binding.key"
+// This key is used by default if present in the initramfs to verify
+// the signature on the target commit object. When composefs is
+// in use, the ostree commit metadata will contain the composefs image digest,
+// which can be used to fully verify the target filesystem tree.
+#define BINDING_KEYPATH "/etc/ostree/initramfs-root-binding.key"
#define SYSROOT_KEY "sysroot"
#define READONLY_KEY "readonly"
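Review bot: The new comment above `BINDING_KEYPATH` says the key "is used by default if present in the initramfs", but nothing in this hunk or in the later `load_composefs_config` hunk shows a presence check: the path is simply substituted as the `keypath` default via `ot_keyfile_get_value_with_default`, so a missing file would presumably surface later as a key-load error rather than as "not used". Either the comment should describe what the code does — `// Default value for [composefs] keypath; ostree-prepare-root loads the signature public key from here unless keypath is set.` — or the presence check should be stated where it actually happens, assuming it exists elsewhere. The same wording question applies to the `// Look for a key` comment in the `load_composefs_config` hunk, which reads as a search but is a default assignment.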
G_DEFINE_AUTOPTR_CLEANUP_FUNC (ComposefsConfig, free_composefs_config)
+// Parse the [composefs] section of the prepare-root.conf.
static ComposefsConfig *
load_composefs_config (GKeyFile *config, GError **error)
{
OT_TRISTATE_MAYBE, &ret->enabled, error))
return NULL;
- if (!ot_keyfile_get_value_with_default (config, COMPOSEFS_KEY, KEYPATH_KEY, DEFAULT_KEYPATH,
+ // Look for a key - we default to the initramfs binding path.
+ if (!ot_keyfile_get_value_with_default (config, COMPOSEFS_KEY, KEYPATH_KEY, BINDING_KEYPATH,
&ret->signature_pubkey, error))
return NULL;