ostreedev / ostree

Operating system and container binary deployment and upgrades
https://ostreedev.github.io/ostree/

checkout: Only verify digest if repo requires fsverity #3331

Closed cgwalters closed 3 weeks ago

cgwalters commented 3 weeks ago

Fixes a regression from the previous commit; in the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either.

The regression is in cases that use rpm-ostree, e.g., where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled.

Closes: https://github.com/ostreedev/ostree/issues/3330

cgwalters commented 3 weeks ago

For the record, apparently the reason this got through FCOS CI is because https://github.com/ostreedev/ostree/pull/3326 landed literally just before the switch to f41, where composefs is enabled by default there.

But CI on this PR should run through with composefs enabled for FCOS.

cgwalters commented 3 weeks ago

Some of the test failures here are unrelated to this PR; it just also happens to be the first one after the FCOS default switch.

I put one test update in https://github.com/ostreedev/ostree/pull/3332