Composefs deploy config change broke signed builds if public key is missing #3188

Closed
alexlarsson opened this issue Feb 21, 2024 · 1 comment · Fixed by #3189

Comments

@alexlarsson
Member

The change in #3165 broke the automotive builds, because during the initial deploy, the root-binding key is not in the buildroot. So I get:

error: Deploying tree: Initializing deployment: Checking out deployment tree: Reading composefs config: Loading composefs config: Reading public key file '/etc/ostree/initramfs-root-binding.key': Failed to open file “/etc/ostree/initramfs-root-binding.key”: No such file or directory

The reason for this is that otcore_load_composefs_config() hard-fails if the config says it is supposed to be signed, but the signature is not there.

I think the call to otcore_load_composefs_config() from deploy needs to be less enforcing.

@alexlarsson
Member Author

Hmm, so I think the real problem is not that the initramfs-root-binding.key is missing, it is that it reads the config files from the deploy dir, but the keys from the real root.

alexlarsson added a commit to alexlarsson/ostree that referenced this issue Feb 21, 2024
…ssing keys

When we load the configuration during deploy we don't need to actually
use the keys, so avoid loading them. This fixes an issue we had where
this broke the initial deploy because of a failure to load the key. In
our case it fails because the code looks for the config file in the
deploy dir, but then for the binding key in the real root.

However, even if it were to look for the key in the deploy dir I don't
think it necessarily has to be in the rootfs, it could be only in the
initrd.

This fixes ostreedev#3188
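
The behaviour described in this issue and in the commit message above, as a small Python model added here for illustration; it is not ostree's C code and not the patch from #3189. The `load_keys` and `key_root` parameters, the `[composefs]` `enabled`/`keypath` option names, the file name `sample.conf` and the directory layout are assumptions of the model; only the key path comes from the error message.

```python
import configparser
import os
import tempfile

# Key path taken from the error message quoted in the issue.
DEFAULT_KEYPATH = "/etc/ostree/initramfs-root-binding.key"


def load_composefs_config(conf_path, key_root="/", load_keys=True):
    """Hypothetical loader: parse the config, read key material only on request."""
    parser = configparser.ConfigParser()
    parser.read(conf_path)
    # Section and option names are assumptions of this model.
    enabled = parser.get("composefs", "enabled", fallback="no")
    keypath = parser.get("composefs", "keypath", fallback=DEFAULT_KEYPATH)
    cfg = {"enabled": enabled, "keypath": keypath, "pubkeys": []}
    if enabled == "signed" and load_keys:
        # Verification path: a missing key stays a hard error (fail closed).
        with open(os.path.join(key_root, keypath.lstrip("/")), "rb") as f:
            cfg["pubkeys"] = [ln for ln in f.read().splitlines() if ln]
    return cfg


def demo():
    """Constructed layout: config in the deploy dir, no key in the buildroot."""
    with tempfile.TemporaryDirectory() as tmp:
        deploy = os.path.join(tmp, "deploy")
        buildroot = os.path.join(tmp, "buildroot")
        os.makedirs(deploy)
        os.makedirs(buildroot)
        conf = os.path.join(deploy, "sample.conf")
        with open(conf, "w") as f:
            f.write("[composefs]\nenabled = signed\n")
        # Deploy only needs to know what the config asks for: no key access.
        deploy_cfg = load_composefs_config(conf, key_root=buildroot, load_keys=False)
        # A caller that will verify signatures still fails when the key is absent.
        try:
            load_composefs_config(conf, key_root=buildroot, load_keys=True)
            strict = "loaded"
        except FileNotFoundError:
            strict = "missing-key"
        return deploy_cfg["enabled"], deploy_cfg["pubkeys"], strict


if __name__ == "__main__":
    print(demo())
```

The deploy-time call succeeds without touching the key, while the verifying call keeps the hard failure, so relaxing the first does not weaken the second.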