ostreedev / ostree-rs-ext

Rust library with higher level APIs on top of the core ostree API
Apache License 2.0

Support verifying signatures for non-layered images when using layered importer #226

Open cgwalters opened 2 years ago

cgwalters commented 2 years ago

Currently we have separate APIs for "un-encapsulate an ostree commit" and "pull a possibly layered image".

The former supports GPG verification, the latter does not.

Today rpm-ostree always uses the layered path, and so we get e.g.:

[root@cosa-devsh ~]# rpm-ostree rebase --experimental ostree-remote-registry:fedora:quay.io/coreos-assembler/fcos:next-devel
Pulling manifest: ostree-remote-image:fedora:docker://quay.io/coreos-assembler/fcos:next-devel
error: Fetching manifest: Cannot currently verify layered containers via ostree remote
[root@cosa-devsh ~]# 

There's a bunch of code in https://github.com/ostreedev/ostree-rs-ext/pull/123 that unifies the logic between unencapsulation and layered images. I think once that merges we can (and should) fix this.

cgwalters commented 2 years ago

Maybe a quick short term hack is: if we get ostree-remote-registry, then assume the image isn't layered.

cgwalters commented 2 years ago

Nah, that's too ugly to live. Let's try to fix this with #123