Open castrojo opened 1 month ago
This is all a bit confusing, `ostree-unverified-registry` doesn't mean that signatures are disabled. It just means that we didn't enforce that `/etc/containers/policy.json` didn't have a default fallback to `insecureAcceptAnything`.
There's a whole "observability problem" with the image signature bits here that we should definitely highlight in status in the case where we did verify a signature.
Another way to say this is I'm trying to deprecate the special ostree-container signature verification; bootc should behave the same as podman. IOW if we have something like `bootc switch --enforce-signature` or so, then `podman pull --enforce-signature` should exist too.
But basically I believe we were still enforcing signatures while you were switching, assuming that you've configured `/etc/containers/policy.json` - does that make sense?
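As an added illustration of the `policy.json` fallback described above (example code, not part of the issue or the bootc project): a small checker that resolves which `/etc/containers/policy.json` requirement applies to a `docker://` image reference and reports whether a signature is enforced or the pull falls through to the `insecureAcceptAnything` default. The policy, key path and image references are constructed sample values.

```python
import json

# Constructed sample policy (not taken from the issue): the default still falls
# back to insecureAcceptAnything, and only one namespace requires a signature.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker": {
      "ghcr.io/ublue-os": [{"type": "sigstoreSigned",
                            "keyPath": "/etc/pki/containers/example.pub",
                            "signedIdentity": {"type": "matchRepository"}}]
    }
  }
}
""")

def scope_candidates(ref):
    """Docker-transport scopes for a reference, most specific first."""
    repo = ref.split("@", 1)[0]               # drop a @sha256:... digest
    head, sep, tail = repo.rpartition(":")
    if sep and "/" not in tail:               # drop a tag, keep host:port
        repo = head
    parts = repo.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def requirements_for(policy, ref):
    """Return (scope, requirement list) that policy.json applies to ref."""
    docker = policy.get("transports", {}).get("docker", {})
    for scope in scope_candidates(ref):
        if scope in docker:
            return scope, docker[scope]
    if "" in docker:                          # transport-wide fallback
        return "", docker[""]
    return "default", policy.get("default", [])

def signature_verdict(policy, ref):
    """'signed' if a signature is required, 'reject' if nothing can be
    accepted, 'unsigned-ok' if ref falls through to an accept-anything rule."""
    _, reqs = requirements_for(policy, ref)
    types = {r.get("type") for r in reqs}
    if not reqs or "reject" in types:         # empty list treated as reject
        return "reject"
    if types & {"signedBy", "sigstoreSigned"}:
        return "signed"
    return "unsigned-ok"

def has_insecure_default(policy):
    """True when an unscoped image would be accepted without any signature."""
    return any(r.get("type") == "insecureAcceptAnything"
               for r in policy.get("default", []))
```

Running `signature_verdict` over the references you switch between shows which of them are only accepted because of the insecure default.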
> `ostree-unverified-registry` doesn't mean that signatures are disabled
Hah, yes of course, this makes total sense.
Gotten so used to it being "the one where the user didn't bother to set up signing" that it ended up just turning into "disabled" in my brain. Thanks! 😄
Reopening after a quick discussion at kubecon.
Here's the UX problem we're trying to solve: Switching between streams. Scroll down a bit to the manual examples.
Typing the long sigpolicy flag gets old quickly when doing development. But if you don't use that flag the switch rebases to the target but is unsigned. We'd like for it to just only switch between signed images so we don't need to deal with the long flag.
Colin seems surprised by this and thought maybe there was an issue here, so reopening.
I noticed that doing a `bootc switch` from a signed image results in switching to an unsigned image unless you explicitly pass `--enforce-container-sigpolicy`.
Reproducible Example:

```
ostree-image-signed:docker://ghcr.io/ublue-os/bluefin:40
bootc switch ghcr.io/ublue-os/bluefin:39
ostree-unverified-registry:ghcr.io/ublue-os/bluefin:39
```
Passing the enforce flag works as expected. The use case is that when doing testing it's common to switch a bunch. I was digging for a regression and switching between daily builds in multiple VMs, and by the time I was done all my images were unsigned.
Not sure on what the UX should look like as I would guess there are other enterprise policy features that would need to be accounted for. But it would be nice if the signing was transparent unless there was an error, so I figured if you're on a signed image you'd want to stay on a signed image.