From 8049ad70d023b6012d5696f4a62925b0b0be8a11 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miguel=20Mart=C3=ADn?=
Date: Fri, 18 Oct 2024 16:33:03 +0200
Subject: [PATCH] feat: remove signatures in container deployments by default

Make `skopeo copy` to remove the signatures of signed containers by default to avoid build failures until [1] is implemented.
Depends: osbuild/osbuild#1906
Resolves: osbuild/bootc-image-builder#681
[1] https://github.com/containers/image/issues/2599
Co-authored-by: Michael Vogt
---
 pkg/manifest/build.go | 4 +++-
 pkg/osbuild/container_deploy_stage.go | 3 ++-
 pkg/osbuild/container_deploy_stage_test.go | 12 ++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/pkg/manifest/build.go b/pkg/manifest/build.go
index eca633d44a..715771ba8a 100644
--- a/pkg/manifest/build.go
+++ b/pkg/manifest/build.go
@@ -236,7 +236,9 @@ func (p *BuildrootFromContainer) serialize() osbuild.Pipeline {
 pipeline.Runner = p.runner.String()
 image := osbuild.NewContainersInputForSingleSource(p.containerSpecs[0])
- stage, err := osbuild.NewContainerDeployStage(image, &osbuild.ContainerDeployOptions{})
+ // Make skopeo copy to remove the signatures of signed containers by default to workaround
+ // build failures until https://github.com/containers/image/issues/2599 is implemented
+ stage, err := osbuild.NewContainerDeployStage(image, &osbuild.ContainerDeployOptions{RemoveSignatures: true})
 if err != nil {
 panic(err)
 }
diff --git a/pkg/osbuild/container_deploy_stage.go b/pkg/osbuild/container_deploy_stage.go
index be7606b2f9..5d4d1dc1b8 100644
--- a/pkg/osbuild/container_deploy_stage.go
+++ b/pkg/osbuild/container_deploy_stage.go
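Review bot: `RemoveSignatures: true` is a literal inside `BuildrootFromContainer.serialize()`, so signatures are always stripped from the build-root container and no caller can keep them, although the commit title describes this as a default. The added comment explains the build failure but not the trust consequence: the deployed copy no longer carries the signatures, so later steps cannot check the image against them, and any signature policy has to be enforced where the container is fetched (presumably the containers source/input, which this hunk does not show). I would reword it along the lines of `// Drop signatures when deploying the build-root container to work around build failures with signed images` / `// until https://github.com/containers/image/issues/2599 is implemented; verification must happen before this stage.` If keeping signatures is ever required, the value should come from the pipeline rather than a literal. The body of `serialize()` starts and ends outside the hunk.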
@@ -9,7 +9,8 @@ type ContainerDeployInputs struct {
 func (ContainerDeployInputs) isStageInputs() {}
 type ContainerDeployOptions struct {
- Exclude []string `json:"exclude,omitempty"`
+ Exclude []string `json:"exclude,omitempty"`
+ RemoveSignatures bool `json:"remove-signatures,omitempty"`
 }
 func (ContainerDeployOptions) isStageOptions() {}
diff --git a/pkg/osbuild/container_deploy_stage_test.go b/pkg/osbuild/container_deploy_stage_test.go
index 3dc0a0d1f9..5abcccae9d 100644
--- a/pkg/osbuild/container_deploy_stage_test.go
+++ b/pkg/osbuild/container_deploy_stage_test.go
@@ -70,6 +70,18 @@ func TestContainersDeployStageOptionsJson(t *testing.T) {
 assert.Equal(t, string(json), expectedJson)
 }
+func TestContainersDeployStageOptionsJsonRemoveSignatures(t *testing.T) {
+ expectedJson := `{
+ "remove-signatures": true
+}`
+ cdi := osbuild.ContainerDeployOptions{
+ RemoveSignatures: true,
+ }
+ json, err := json.MarshalIndent(cdi, "", " ")
+ require.Nil(t, err)
+ assert.Equal(t, string(json), expectedJson)
+}
+
 func TestContainersDeployStageEmptyOptionsJson(t *testing.T) {
 expectedJson := `{}`
 cdi := osbuild.ContainerDeployOptions{}
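Review bot: The new `RemoveSignatures` field in `ContainerDeployOptions` has no doc comment, although it is a security-relevant switch. A line such as `// RemoveSignatures drops image signatures from the deployed copy, which then cannot be verified against them.` above the field would tell callers what they give up by setting it. Because of `omitempty` the key `remove-signatures` is only serialized when the value is true; per the commit message it depends on osbuild/osbuild#1906, so an osbuild without that change would presumably reject the option, and the comment should say so.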
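Review bot: In `TestContainersDeployStageOptionsJsonRemoveSignatures` the arguments to `assert.Equal` are passed as actual then expected, while testify's signature is `assert.Equal(t, expected, actual)`, so a failure would label the two values the wrong way round; the context line above shows the same pattern in the existing test. I would write `assert.Equal(t, expectedJson, string(json))` and use `require.NoError(t, err)` in place of `require.Nil(t, err)`. The local variable `json` also shadows the `json` package for the rest of the function; a name such as `data` avoids that.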