Roundtripping a commit via oci image loses the commitmeta which makes signed ostree break #630
Comments
This is a confusing topic, and I would probably agree this is a bug, but it was intentional in the code today. There are two different codepaths. Basically this (should) work today when using When following that path, the container metadata is discarded (manifest, config) - there is nothing else stored except the ostree commit. The fact that there was a container image involved in transport is just discarded. But when using The thing is, when using the container flow today we currently default to expecting to handle derived layers. We used to have code which tried to split the difference here...and arguably, it is a bug or at least a design misfeature that we do a merge commit in this case, breaking any ostree signatures at deployment time. This issue touches on #388 too - if we encourage people to do that, we can start to lean on using ostree signatures in encapsulated container images. However...IMO, the direction we want to go is less around making ostree-containers special; we should create an opinionated binding between signed composefs and generic OCI. I will file something about this...
In the short term...I think we can change the
This issue (among others) made me feel the need to do a spike on really rethinking how we do a sane container storage, which led to containers/composefs#286 FWIW
This was moved here from coreos/rpm-ostree#4973
I created an OCI image based on an automotive image that used signed composefs. When I rebased to it everything works, but on reboot the signatures fail:
[ 0.419101] ostree-prepare-root[528]: ostree-prepare-root: Error loading signatures from repo: No commitmeta for commit 24e46035399c03969d5e6f610425a9adfc7a9959507fe9c32f6ccd12b3467573
Seems the detached metadata is lost somewhere along the way, which means that the signature is not available in the deployed repo.
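A pre-reboot check for the condition in the boot log above, added here as an example and not taken from the thread or from the ostree project: it lists commits in a repo that have no detached-metadata object, which is what the "No commitmeta for commit" error reports. It assumes the loose-object layout `objects/<2 hex>/<62 hex>.<type>`; the function names are hypothetical, and it checks only that the object exists, not that a signature in it is valid.

```shell
#!/bin/sh
# Added example. Assumption: objects are stored loose as
#   <repo>/objects/<first 2 hex chars>/<remaining 62 hex chars>.<type>
# with detached metadata in the .commitmeta object beside the .commit object.

# Print the full checksum of every loose commit that has no .commitmeta.
commits_without_commitmeta() {
    repo=$1
    [ -d "$repo/objects" ] || { echo "not an ostree repo: $repo" >&2; return 2; }
    for commit in "$repo"/objects/??/*.commit; do
        [ -e "$commit" ] || continue        # glob matched nothing
        dir=${commit%/*}                    # .../objects/24
        prefix=${dir##*/}                   # 24
        base=${commit##*/}                  # e46035...67573.commit
        rest=${base%.commit}
        [ -f "$dir/$rest.commitmeta" ] || printf '%s%s\n' "$prefix" "$rest"
    done
}

# Return 0 if the commit has a .commitmeta object, 1 if it does not,
# 2 if the argument is not a 64-character lowercase hex checksum.
has_commitmeta() {
    repo=$1
    csum=$2
    case $csum in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#csum}" -eq 64 ] || return 2
    rest=${csum#??}
    prefix=${csum%"$rest"}
    [ -f "$repo/objects/$prefix/$rest.commitmeta" ]
}

# Usage on a deployed system (the system repo is normally /ostree/repo):
#   commits_without_commitmeta /ostree/repo
#   has_commitmeta /ostree/repo <commit checksum> || echo "signature data missing"
```

Running it against the deployed repo after a rebase and before rebooting shows whether the commit that will be booted still carries its detached metadata.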