ostree-ext: surface libostree signature verification text #1028
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Haven't added any tests to this. Didn't really look at the testing setup in this repo yet. |
jlebon
force-pushed
the
pr/verify-text
branch
from
a863413 to
b02de17
Compare
The `install` and `switch` verbs supported passing an OSTree remote to use to verify the embedded OSTree commit. This option in fact did not function correctly and no verification was actually performace. While it's possible someone was using this feature, it seems quite unlikely since the UX is more geared towards native OCI signatures. As a result, we have decided not to file a CVE for this. And in fact, since we're planning to keep moving away from ostree, instead of fixing this bug, just completely rip out support for passing and OSTree remote. Note this is distinct from the ostree-ext code, which still does support signature verification of the embedded OSTree commit. E.g. Fedora CoreOS is planning to make use of that until it can move to proper OCI signatures. While we're here, drop the negation around the container sigpolicy to make it easier to follow the logic. Signed-off-by: Jonathan Lebon <[email protected]>
Signed-off-by: Jonathan Lebon <[email protected]>
We don't actually mutate anything in `self` in this function. Signed-off-by: Jonathan Lebon <[email protected]>
Right now when using OSTree remote verification, there's no indication that the OSTree commit was successfully verified. Capture the return string from `OstreeRepo.signature_verify_commit_data` and return it as part of the public `LayeredImageState` object. We could return a more structured signature object here, but this is sufficient for our purposes for now and saves clients from having to regenerate similar looking text. In the `ostree container` CLI, print this verification text. Signed-off-by: Jonathan Lebon <[email protected]>
jlebon
force-pushed
the
pr/verify-text
branch
from
b02de17 to
fdde8c6
Compare
This was referenced Jan 14, 2025
Merged
cgwalters
approved these changes
Jan 14, 2025
cgwalters
reviewed
Jan 14, 2025
| @@ -111,10 +111,6 @@ pub(crate) struct SwitchOpts { | |||
| #[clap(long)] | |||
| pub(crate) enforce_container_sigpolicy: bool, | |||
|
|
|||
| /// Enable verification via an ostree remote | |||
| #[clap(long)] | |||
| pub(crate) ostree_remote: Option<String>, | |||
There was a problem hiding this comment.
Technically we claimed public CLI/API stability but I can't find any users of this on public source code, and I can't imagine there are any private ones.
To be clear: Everyone should use container signing, not ostree commit signatures.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Right now when using OSTree remote verification, there's no indication
that the OSTree commit was successfully verified.
Capture the return string from
OstreeRepo.signature_verify_commit_dataand return it as part of the public
LayeredImageStateobject.We could return a more structured signature object here, but this is
sufficient for our purposes for now and saves clients from having to
regenerate similar looking text.
In the
ostree containerCLI, print this verification text.