From e952b1bf1413feb21eb0cc9e2514eb9e1895f2cf Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Mon, 21 Aug 2023 17:12:08 -0400 Subject: [PATCH] prepare-root: Fold together composefs signature cases Now that we don't support digest-but-not-signature verification for composefs, the logic here was unnecessarily complicated. With a prior prep patch that moved the composefs option initialization up, we can just have everything related to signature verification in a single conditonal. --- src/switchroot/ostree-prepare-root.c | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/src/switchroot/ostree-prepare-root.c b/src/switchroot/ostree-prepare-root.c index 682e71ea..a75c1981 100644 --- a/src/switchroot/ostree-prepare-root.c +++ b/src/switchroot/ostree-prepare-root.c @@ -479,21 +479,11 @@ main (int argc, char *argv[]) expected_digest = g_malloc (OSTREE_SHA256_STRING_LEN + 1); ot_bin2hex (expected_digest, cfs_digest_buf, g_variant_get_size (cfs_digest_v)); - } - if (expected_digest != NULL) - { cfs_options.flags |= LCFS_MOUNT_FLAGS_REQUIRE_VERITY; g_print ("composefs: Verifying digest: %s\n", expected_digest); cfs_options.expected_fsverity_digest = expected_digest; } - else - { - // If we're not verifying a digest, then we *must* also have signatures disabled. - // Or stated in reverse: if signature verification is enabled, then digest verification - // must also be. - g_assert (!composefs_config->is_signed); - } if (lcfs_mount_image (OSTREE_COMPOSEFS_NAME, TMP_SYSROOT, &cfs_options) == 0) { -- 2.30.2