
cmd-build: Enable composeFS signing #3813


Draft
wants to merge 1 commit into base: main

Conversation

jbtrystram (Contributor)

This is a first draft trying to implement a signed composeFS build following the steps in https://ostreedev.github.io/ostree/composefs/#signatures

Right now the `ostree container image deploy` step fails with:
`error: Reading composefs config: Loading composefs config: Invalid tri-state value: signed`


openshift-ci bot commented May 29, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@jbtrystram

PUBKEY="$(openssl pkey -outform DER -pubout -in ${TMPDIR}/${key_file} | tail -c 32 | base64)"

## write the pubkey in overrides
echo $PUBKEY > ${workdir}/overrides/rootfs/etc/ostree/initramfs-root-binding.key
Contributor Author

This should probably be

Suggested change
echo $PUBKEY > ${workdir}/overrides/rootfs/etc/ostree/initramfs-root-binding.key
mkdir -p ${workdir}/overrides/initramfs/etc/ostree
echo $PUBKEY > ${workdir}/overrides/initramfs/etc/ostree/initramfs-root-binding.key

@cgwalters (Member)

I think this would make sense to do after rebasing FCOS on bootc i.e. after coreos/fedora-coreos-tracker#1726 as that would help drive code and build system sharing more. I filed https://gitlab.com/fedora/bootc/tracker/-/issues/14 specifically related to this.

@jlebon (Member) commented May 29, 2024

See also discussions in https://gitlab.com/fedora/bootc/tracker/-/issues/2.

@jbtrystram (Contributor Author) commented Jun 18, 2024

Edit: mistake on my side: I forgot to pop a git stash entry and was building with composeFS enabled but not signed. I am unable to get the needed rpm-ostree change into a cosa container to make the build complete.

After building rpm-ostree manually with an ostree-rs-ext fix I was able to build and boot Fedora CoreOS rawhide with composeFS signed.

I also set `composefs: true` in cosa's `src/image-defaults` for good measure, but I am not sure it's needed, as my previous experiments worked without it.

Some further notes: the resulting deployed system still doesn't use the signature:

  • I can `mount /dev/vda4 /sysroot --options remount,rw` and change files just fine.
  • Running `ostree config set ex-integrity.composefs signed` results in `error: opening repo: Invalid tri-state value: signed`
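The build snippet reviewed above derives the binding key with `openssl pkey -outform DER -pubout | tail -c 32 | base64`, and the last comment reports that the deployed system never picks the signature up. As an added example (not code from this PR or from coreos-assembler), the following Python reproduces that extraction with a structure check on the DER and validates an existing `initramfs-root-binding.key`; it assumes the key is Ed25519, which is the only case in which `tail -c 32` yields the key (the 12-byte header is the RFC 8410 SubjectPublicKeyInfo encoding), and the sample key bytes are constructed.

```python
import base64

# Fixed 12-byte DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE(42) { SEQUENCE(5) { OID 1.3.101.112 } BIT STRING(33) { 0x00 || key[32] } }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
ED25519_SPKI_LEN = len(ED25519_SPKI_PREFIX) + 32  # always 44 bytes

def pem_to_der(pem: str) -> bytes:
    """Decode a 'BEGIN PUBLIC KEY' PEM block (as `openssl pkey -pubout` prints) to DER."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.strip().startswith("-----"))
    return base64.b64decode(body, validate=True)

def is_ed25519_spki(der: bytes) -> bool:
    """True only for a well-formed Ed25519 SubjectPublicKeyInfo."""
    return len(der) == ED25519_SPKI_LEN and der.startswith(ED25519_SPKI_PREFIX)

def extract_ed25519_pubkey(der: bytes) -> bytes:
    """Raw 32-byte key: what `tail -c 32` takes, but refusing non-Ed25519 input
    (an RSA or ECDSA key would otherwise yield 32 bytes of garbage binding key)."""
    if not is_ed25519_spki(der):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    return der[len(ED25519_SPKI_PREFIX):]

def binding_key_line(der: bytes) -> str:
    """The single base64 line the build script writes to initramfs-root-binding.key."""
    return base64.b64encode(extract_ed25519_pubkey(der)).decode("ascii")

def check_binding_key_file(text: str) -> bytes:
    """Validate a deployed initramfs-root-binding.key: one base64 line, 32 key bytes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        raise ValueError(f"expected exactly one key line, found {len(lines)}")
    raw = base64.b64decode(lines[0], validate=True)
    if len(raw) != 32:
        raise ValueError(f"expected 32 key bytes, got {len(raw)}")
    return raw

# Constructed sample (not a real key): 32 bytes of 0x11 wrapped in the Ed25519
# SPKI header, the shape `openssl pkey -outform DER -pubout` emits for a real key.
SAMPLE_KEY = bytes([0x11]) * 32
SAMPLE_DER = ED25519_SPKI_PREFIX + SAMPLE_KEY
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    line = binding_key_line(pem_to_der(SAMPLE_PEM))
    print(line)  # 44 base64 chars that decode back to the 32 key bytes
    assert check_binding_key_file(line + "\n") == SAMPLE_KEY
```

On a booted system, feeding the contents of `/etc/ostree/initramfs-root-binding.key` to `check_binding_key_file` confirms the file the build wrote is a single well-formed key, which separates a build-time key placement problem from the repo config error the comment reports.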
