From: Alexander Larsson Date: Mon, 29 May 2023 10:25:55 +0000 (+0200) Subject: composefs deploy: Store cfs signature in .ostree.cfs.sig file X-Git-Tag: archive/raspbian/2023.7-3+rpi1~1^2~9^2~1^2~29^2~7 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=3fcebe454ed78df378b656af2013e43c648dbe46;p=ostree.git composefs deploy: Store cfs signature in .ostree.cfs.sig file In many cases, such as when using osbuild, we are not preparing the final deployment but rather a rootfs tree that will eventually be copied to the final location. In that case we don't want to apply the signature directly, but only when the deployment is copied into place. To make this situation workable we also write the signature to a file next to the composefs image file. Then whatever mechanism does the final copy can apply the signature. --- diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c index a4853bb0..cbb56c87 100644 --- a/src/libostree/ostree-sysroot-deploy.c +++ b/src/libostree/ostree-sysroot-deploy.c
@@ -699,10 +699,21 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
 if (!glnx_fchmod (tmpf.fd, 0644, error))
 return FALSE;
- if (apply_composefs_signature && metadata_composefs_sig)
- sig = g_variant_get_data_as_bytes (metadata_composefs_sig);
+ if (metadata_composefs_sig)
+ {
+ g_autofree char *composefs_sig_path
+ = g_strdup_printf ("%s/.ostree.cfs.sig", checkout_target_name);
+
+ sig = g_variant_get_data_as_bytes (metadata_composefs_sig);
+
+ /* Write signature to file so it can be applied later if needed */
+ if (!glnx_file_replace_contents_at (osdeploy_dfd, composefs_sig_path,
+ g_bytes_get_data (sig, NULL), g_bytes_get_size (sig),
+ 0, cancellable, error))
+ return FALSE;
+ }
- if (!_ostree_tmpf_fsverity (repo, &tmpf, sig, error))
+ if (!_ostree_tmpf_fsverity (repo, &tmpf, apply_composefs_signature ? sig : NULL, error))
 return FALSE;
 if (!glnx_link_tmpfile_at (&tmpf, GLNX_LINK_TMPFILE_REPLACE, osdeploy_dfd, composefs_cfs_path,