daemon/upgrader: Print OSTree signature verification text when pulling OCI #5223

Merged (1 commit), Jan 17, 2025

Conversation

@jlebon (Member) commented Jan 14, 2025

If using OSTree remote signature verification for an OCI pull, print the verification text we get from ostree-ext.

Requires: containers/bootc#1028

@jlebon (Member, Author) commented Jan 14, 2025

So with this, here's the output:

root@cosa-devsh:~# rpm-ostree rebase ostree-remote-image:fedora:registry:quay.io/fedora/fedora-coreos:stable
Pulling manifest: ostree-remote-image:fedora:docker://quay.io/fedora/fedora-coreos:stable
Importing: ostree-remote-image:fedora:docker://quay.io/fedora/fedora-coreos:stable (digest: sha256:25942210e013c7db9352c907b82d934bd908985272cb34e3808bced81130e177)
ostree chunk layers needed: 51 (787.1 MB)
[0/51] Fetching ostree chunk 9e9d4c4cc91e472a458 (54.2 MB)... done
[1/51] Fetching ostree chunk 981a071da17cf24618e (40.8 MB)... done
[2/51] Fetching ostree chunk 7b283136d6c1b3e2dea (33.9 MB)... done
[3/51] Fetching ostree chunk 66f5f9ec234fa2ac0d5 (66.4 MB)... done
[4/51] Fetching ostree chunk ec37ae0cf72911d288a (19.9 MB)... done
[5/51] Fetching ostree chunk d23f7c135afb8b7423d (39.7 MB)... done
[6/51] Fetching ostree chunk 11581772b3aaf319ec5 (41.3 MB)... done
[7/51] Fetching ostree chunk be7b499d203798de8b2 (39.8 MB)... done
[8/51] Fetching ostree chunk 10d062e6c4069170d34 (15.2 MB)... done
[9/51] Fetching ostree chunk 4a1e5f87235782fa25b (9.6 MB)... done
[10/51] Fetching ostree chunk 2fedcee3c17093ba948 (11.0 MB)... done
[11/51] Fetching ostree chunk a99f70cd5870b25d34d (9.9 MB)... done
[12/51] Fetching ostree chunk f61345b26d5d91fd4df (18.0 MB)... done
[13/51] Fetching ostree chunk c2b4d238e054df8bef6 (8.5 MB)... done
[14/51] Fetching ostree chunk c6b543b5bd072118399 (25.2 MB)... done
[15/51] Fetching ostree chunk bee67bcc7f7e7caea51 (9.9 MB)... done
[16/51] Fetching ostree chunk 8e9b61c66198d266e92 (7.4 MB)... done
[17/51] Fetching ostree chunk 177fa0b4628246345ef (6.2 MB)... done
[18/51] Fetching ostree chunk 3e034a46b70ead2b0fd (6.4 MB)... done
[19/51] Fetching ostree chunk 1d882695d0bb059113b (6.2 MB)... done
[20/51] Fetching ostree chunk 42a2f0607bdceff8aa4 (5.0 MB)... done
[21/51] Fetching ostree chunk 0afc7955e85f72dc8b3 (2.8 MB)... done
[22/51] Fetching ostree chunk 4d2e00ce2c308667cbb (4.5 MB)... done
[23/51] Fetching ostree chunk d5ccb07383f56b42bdc (4.2 MB)... done
[24/51] Fetching ostree chunk 423d272a819dfbc9820 (4.2 MB)... done
[25/51] Fetching ostree chunk 41573c7486d4f68eaf4 (4.7 MB)... done
[26/51] Fetching ostree chunk 2398fec23e673bd68ea (3.6 MB)... done
[27/51] Fetching ostree chunk 0da29f758dcf5f845a4 (4.5 MB)... done
[28/51] Fetching ostree chunk bbeddd4f3a0815ddcf9 (2.8 MB)... done
[29/51] Fetching ostree chunk 38aae7ce78189dc88d0 (6.6 MB)... done
[30/51] Fetching ostree chunk 76b969f0ef1f873900f (1.6 MB)... done
[31/51] Fetching ostree chunk c4ba5cf6dde283dcb9a (1.6 MB)... done
[32/51] Fetching ostree chunk 4ad53bb8d3153fb0523 (52.6 MB)... done
[33/51] Fetching ostree chunk 536897a1b4510bf135d (3.0 MB)... done
[34/51] Fetching ostree chunk 7f86d19513703ee5045 (1.9 MB)... done
[35/51] Fetching ostree chunk a68182105c7d7693035 (1.6 MB)... done
[36/51] Fetching ostree chunk bcef03f646cac961e4d (3.2 MB)... done
[37/51] Fetching ostree chunk d334c6f8d570e7947c8 (2.2 MB)... done
[38/51] Fetching ostree chunk 68711e6f461df83b150 (2.5 MB)... done
[39/51] Fetching ostree chunk 682f071824b5de28547 (14.4 MB)... done
[40/51] Fetching ostree chunk b3aaa205f4c5833bdef (13.8 MB)... done
[41/51] Fetching ostree chunk 6580790efdfca373d49 (23.5 MB)... done
[42/51] Fetching ostree chunk 6f3b57b54ca4fedfda9 (13.8 MB)... done
[43/51] Fetching ostree chunk b6eada928e1914db0a5 (6.0 MB)... done
[44/51] Fetching ostree chunk 44d026ee0357d0875f0 (5.0 MB)... done
[45/51] Fetching ostree chunk 8a55e07a520c0445435 (5.1 MB)... done
[46/51] Fetching ostree chunk dc612381e4ed8dc5568 (3.1 MB)... done
[47/51] Fetching ostree chunk d6636f94bd5d61df2a2 (7.2 MB)... done
[48/51] Fetching ostree chunk c21cee7e0f36fdadcef (111.2 MB)... done
[49/51] Fetching ostree chunk 9dad063a624b62064bf (2.3 kB)... done
[50/51] Fetching ostree chunk 2edeb970420a3dce571 (1.5 MB)... done
GPG: Signature made Mon Jan  6 19:36:17 2025 using RSA key ID D0622462E99D6AD1
GPG: Good signature from "Fedora <[email protected]>"

Staging deployment... done
Downgraded:
...
Changes queued for next boot. Run "systemctl reboot" to start a reboot

@cgwalters (Member):

There's another big piece of tech debt here which is until just today, ostree-ext was archived and I hadn't been publishing new crates. The idea is we'd switch over to bootc on the client side.

But anyways I think in the short term we probably need to cut this repo over to pulling ostree-ext via git from bootc, right?

Presumably that's how you tested this, by adding a crates.io override?

@jlebon (Member, Author) commented Jan 15, 2025

Note this doesn't change the output of rpm-ostree status. It still won't show a signature there. The reason is that we're still just deploying a merge commit here, not the actual encapsulated commit. In the FCOS case, we don't want to unencapsulate because we still want that link to the OCI remote.

rpm-ostree could automatically follow through to the OSTree base commit mentioned in the merge commit's metadata, but then presenting it as if the merge commit was signed seems misleading. Any commit could have metadata saying it's a merge of base commit X.

So instead we print the verification at pull time, since we have to trust that the configured OCI remote is valid anyway.
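
The trust argument in the comment above, worked through as an added example (not rpm-ostree or ostree-ext code, and not part of this thread). It models three things: a "merge commit" whose metadata names a signed base commit, the naive check that follows that pointer, and the pull-time check that verifies the encapsulated commit before the merge commit is derived from it. Assumptions: commit IDs are SHA-256 over content plus metadata (a stand-in for OSTree's commit checksum), an HMAC under a constructed remote key stands in for the remote's GPG signature, and the metadata key name `base-commit` and all content strings are constructed for the example.

```python
"""Added example: why following a merge commit's metadata to a signed base
commit does not prove the merge commit is signed, and why verification is
done at pull time on the encapsulated commit instead.  Not rpm-ostree or
ostree-ext code; the metadata key 'base-commit' is hypothetical."""
import hashlib
import hmac
import json
from typing import Optional

REMOTE_KEY = b"constructed-remote-key"  # stand-in for the OSTree remote's GPG key


def commit_id(content: bytes, metadata: dict) -> str:
    """Content-addressed ID over content and metadata (stand-in for the OSTree checksum)."""
    h = hashlib.sha256(content)
    h.update(json.dumps(metadata, sort_keys=True).encode())
    return h.hexdigest()


def make_commit(content: bytes, metadata: dict) -> dict:
    return {"id": commit_id(content, metadata), "content": content, "metadata": metadata}


def sign(commit: dict, key: bytes = REMOTE_KEY) -> str:
    """Remote signs the commit ID (HMAC stands in for a GPG signature)."""
    return hmac.new(key, commit["id"].encode(), "sha256").hexdigest()


def verify(commit: dict, sig: str, key: bytes = REMOTE_KEY) -> bool:
    return hmac.compare_digest(sign(commit, key), sig)


def verify_by_following_metadata(merge: dict, repo: dict, sigs: dict) -> bool:
    """The approach the comment rejects: trust the pointer in the merge commit's
    metadata and check the signature on whatever commit it names."""
    base_id = merge["metadata"].get("base-commit")
    if base_id not in repo or base_id not in sigs:
        return False
    return verify(repo[base_id], sigs[base_id])


def verify_merge_itself(merge: dict, sigs: dict) -> bool:
    """What `rpm-ostree status` would need to show a signature: one over the merge commit."""
    return merge["id"] in sigs and verify(merge, sigs[merge["id"]])


def pull(image: dict, key: bytes = REMOTE_KEY) -> Optional[dict]:
    """Pull-time verification: the encapsulated base commit shipped in the OCI
    image is verified first; only then is the merge commit derived from it.
    Returns None when the base commit's signature does not verify."""
    base = image["encapsulated_commit"]
    if not verify(base, image["signature"], key):
        return None
    return make_commit(base["content"], {"base-commit": base["id"], "image": image["ref"]})


def scenario() -> dict:
    # Constructed data: a signed base commit published by the remote.
    base = make_commit(b"fedora-coreos rootfs (constructed)", {"version": "constructed-version"})
    sigs = {base["id"]: sign(base)}
    repo = {base["id"]: base}
    image = {
        "ref": "quay.io/fedora/fedora-coreos:stable",
        "encapsulated_commit": base,
        "signature": sigs[base["id"]],
    }

    good = pull(image)  # merge commit derived from the verified base commit
    # Anyone can write metadata naming the signed base while shipping other content.
    evil = make_commit(b"rootfs with a modified sshd (constructed)",
                       {"base-commit": base["id"], "image": image["ref"]})
    # An image whose encapsulated commit was altered: the remote's signature no longer matches.
    tampered = dict(image, encapsulated_commit=make_commit(b"tampered (constructed)", base["metadata"]))

    return {
        "good_via_metadata": verify_by_following_metadata(good, repo, sigs),
        "evil_via_metadata": verify_by_following_metadata(evil, repo, sigs),  # accepted: misleading
        "good_merge_signed": verify_merge_itself(good, sigs),  # no signature over the merge commit
        "evil_merge_signed": verify_merge_itself(evil, sigs),
        "pull_good": good is not None,
        "pull_tampered": pull(tampered) is not None,
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The pointer-following check accepts both the legitimate and the forged merge commit, which is the "any commit could have metadata saying it's a merge of base commit X" problem; neither merge commit carries a signature of its own, which is why status cannot honestly show one; and the pull-time check rejects a tampered image because it verifies the encapsulated commit that actually arrived from the configured remote.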

@jlebon (Member, Author) commented Jan 15, 2025

> rpm-ostree could automatically follow through to the OSTree base commit mentioned in the merge commit's metadata, but then presenting it as if the merge commit was signed seems misleading.

I mean, we definitely could do this, but we'd have to get the presentation right. But this IMO is good enough until we get to proper OCI signing.

@cgwalters (Member):

> But anyways I think in the short term we probably need to cut this repo over to pulling ostree-ext via git from bootc, right?

➡️ #5227

@cgwalters cgwalters marked this pull request as draft January 16, 2025 18:50
@cgwalters (Member):

Marking draft as this depends on #5227 (mind rebasing?)

@jlebon (Member, Author) commented Jan 16, 2025

Rebased!

@cgwalters (Member):

clang format

Commit: …g OCI

If using OSTree remote signature verification for an OCI pull, print the
verification text we get from ostree-ext.
@jlebon jlebon marked this pull request as ready for review January 17, 2025 01:18
@cgwalters cgwalters merged commit 7b68040 into coreos:main Jan 17, 2025
16 checks passed
@jmarrero jmarrero mentioned this pull request Jan 23, 2025