enforce-container-sigpolicy is not an available option for `bootc upgrade`

[arewm]

It is possible to enforce the container signature policy when switching and installing (via install-to-disk and install-to-filesystem) but there is no option to verify the policy when performing a bootc upgrade.

In the documentation for switch, I see

This is almost exactly the same operation as upgrade, but additionally changes the container image reference instead.

Should the upgrade path support this parameter of is the "almost exactly the same operation" different enough that the policy verification doesn't make sense?

[karelvanhecke]

Looks like bootc upgrade inherits the behavior of bootc install/switch when the --enforce-container-sigpolicy flag was set.

As you can see in the following example, bootc upgrade refuses to continue with the insecureAcceptAnything default. After changing back the default to reject, bootc upgrade will work again.

[karel@bootc-test ~]$ sudo bootc upgrade --check
ERROR Upgrading: Preparing import: Fetching manifest: containers-policy.json specifies a default of `insecureAcceptAnything`; refusing usage
[karel@bootc-test ~]$ sudoedit /etc/containers/policy.json
[karel@bootc-test ~]$ sudo bootc upgrade --check
No changes in: ostree-image-signed:docker://quay.io/karelvanhecke/bootc-test:latest