Skip to content

Commit

Permalink
Merge pull request containers#594 from cgwalters/backoff-sigverify
Browse files Browse the repository at this point in the history
deploy: Don't enforce container sigpolicy by default, add `--enforce-container-sigpolicy`
  • Loading branch information
cgwalters authored Jan 31, 2024
2 parents ecce09a + 34fea14 commit a5fadff
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 4 deletions.
11 changes: 10 additions & 1 deletion ci/priv-integration.sh
Original file line number Diff line number Diff line change
Expand Up @@ -39,9 +39,18 @@ ostree-ext-cli container image remove --repo "${sysroot}/ostree/repo" registry:"
ostree admin --sysroot="${sysroot}" undeploy 0
# Now test the new syntax which has a nicer --image that defaults to registry.
ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \
--stateroot "${stateroot}" --image "${image}" --no-signature-verification
--stateroot "${stateroot}" --image "${image}"
ostree admin --sysroot="${sysroot}" status
ostree admin --sysroot="${sysroot}" undeploy 0
if ostree-ext-cli container image deploy --transport registry --sysroot "${sysroot}" \
--stateroot "${stateroot}" --image "${image}" --enforce-container-sigpolicy 2>err.txt; then
echo "Deployment with enforced verification succeeded unexpectedly" 1>&2
exit 1
fi
if ! grep -Ee 'insecureAcceptAnything.*refusing usage' err.txt; then
echo "unexpected error" 1>&2
cat err.txt
fi
# Now we should prune it
ostree-ext-cli container image prune-images --sysroot "${sysroot}"
ostree-ext-cli container image list --repo "${sysroot}/ostree/repo" > out.txt
Expand Down
17 changes: 14 additions & 3 deletions lib/src/cli.rs
Original file line number Diff line number Diff line change
Expand Up @@ -358,10 +358,17 @@ pub(crate) enum ContainerImageOpts {
#[clap(long)]
transport: Option<String>,

/// Explicitly opt-out of requiring any form of signature verification.
#[clap(long)]
/// This option does nothing and is now deprecated. Signature verification enforcement
/// proved to not be viable.
///
/// If you want to still enforce it, use `--enforce-container-sigpolicy`.
#[clap(long, conflicts_with = "enforce_container_sigpolicy")]
no_signature_verification: bool,

/// Require that the containers-storage stack
#[clap(long)]
enforce_container_sigpolicy: bool,

/// Enable verification via an ostree remote
#[clap(long)]
ostree_remote: Option<String>,
Expand Down Expand Up @@ -1070,14 +1077,18 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
imgref,
image,
transport,
no_signature_verification,
mut no_signature_verification,
enforce_container_sigpolicy,
ostree_remote,
target_imgref,
no_imgref,
karg,
proxyopts,
write_commitid_to,
} => {
// As of recent releases, signature verification enforcement is
// off by default, and must be explicitly enabled.
no_signature_verification = !enforce_container_sigpolicy;
let sysroot = &if let Some(sysroot) = sysroot {
ostree::Sysroot::new(Some(&gio::File::for_path(&sysroot)))
} else {
Expand Down

0 comments on commit a5fadff

Please sign in to comment.