From f9aca0be46343ebe65b7aec47c649c4008f308b2 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Wed, 31 Jan 2024 12:00:27 -0500 Subject: [PATCH] deploy: Don't enforce container sigpolicy by default, add `--enforce-container-sigpolicy` This mirrors the change done in https://github.com/containers/bootc/pull/230/commits/20d2d6cdc1bb2ddf7f8a6884ad83efaa708b4c65 Basically our attempts to enforce this didn't really work out. --- ci/priv-integration.sh | 7 ++++++- lib/src/cli.rs | 17 ++++++++++++++--- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/ci/priv-integration.sh b/ci/priv-integration.sh index 96aa682a..cf78b45e 100755 --- a/ci/priv-integration.sh +++ b/ci/priv-integration.sh @@ -39,9 +39,14 @@ ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:" ostree admin --sysroot="${sysroot}" undeploy 0 # Now test the new syntax which has a nicer --image that defaults to registry. ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \ - --stateroot "${stateroot}" --image "${image}" --no-signature-verification + --stateroot "${stateroot}" --image "${image}" ostree admin --sysroot="${sysroot}" status ostree admin --sysroot="${sysroot}" undeploy 0 +if ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \ + --stateroot "${stateroot}" --image "${image}" --enforce-container-sigpolicy 2>err.txt; then + echo "Deployment with enforced verification succeeded unexpectedly" 1>&2 + exit 1 +fi # Now we should prune it ostree-ext-cli container image prune-images --sysroot "${sysroot}" ostree-ext-cli container image list --repo "${sysroot}/ostree/repo" > out.txt diff --git a/lib/src/cli.rs b/lib/src/cli.rs index 2a62d4c5..dd10278b 100644 --- a/lib/src/cli.rs +++ b/lib/src/cli.rs @@ -358,10 +358,17 @@ pub(crate) enum ContainerImageOpts { #[clap(long)] transport: Option, - /// Explicitly opt-out of requiring any form of signature verification. - #[clap(long)] + /// This option does nothing and is now deprecated. Signature verification enforcement + /// proved to not be viable. + /// + /// If you want to still enforce it, use `--enforce-signature-verification`. + #[clap(long, conflicts_with = "enforce-signature-verification")] no_signature_verification: bool, + /// Require that the containers-storage stack + #[clap(long)] + enforce_container_sigpolicy: bool, + /// Enable verification via an ostree remote #[clap(long)] ostree_remote: Option, @@ -1070,7 +1077,8 @@ async fn run_from_opt(opt: Opt) -> Result<()> { imgref, image, transport, - no_signature_verification, + mut no_signature_verification, + enforce_container_sigpolicy, ostree_remote, target_imgref, no_imgref, @@ -1078,6 +1086,9 @@ async fn run_from_opt(opt: Opt) -> Result<()> { proxyopts, write_commitid_to, } => { + // As of recent releases, signature verification enforcement is + // of by default, and must be explicitly enabled. + no_signature_verification = !enforce_container_sigpolicy; let sysroot = &if let Some(sysroot) = sysroot { ostree::Sysroot::new(Some(&gio::File::for_path(&sysroot))) } else {