Fix signature handling with additionalimagestore

gursewak1997 · gursewak1997 · commit 0b832939c430 · 2025-12-01T15:04:02.000-08:00
Copy images to local storage without signatures before bootc install
to avoid signature invalidation errors. Falls back to original behavior
if copy fails.

Signed-off-by: gursewak1997 &lt;gursmangat@gmail.com&gt;
diff --git a/crates/kit/src/to_disk.rs b/crates/kit/src/to_disk.rs
@@ -247,15 +247,56 @@ impl ToDiskOpts {
                 tty=--tty
             fi
 
+            # Workaround for issue #126: If image has signatures, copy from additionalimagestore
+            # to local storage without signatures, since bootc install requires changing layer
+            # representation which invalidates signatures.
+            export STORAGE_OPTS=additionalimagestore=${AIS}
+            SOURCE_REF={SOURCE_IMGREF}
+            LOCAL_IMGREF="containers-storage:bcvk-temp-install:latest"
+            
+            # Check if image has signatures - only do copy if signatures are present
+            # Note: If skopeo inspect fails, we assume no signatures to avoid false positives
+            # but this means we might miss signatures if inspect fails for other reasons
+            HAS_SIGNATURES=0
+            if skopeo inspect --storage-opt "additionalimagestore=${AIS}" "${SOURCE_REF}" 2>/dev/null | \
+               grep -q '"Signatures"'; then
+                HAS_SIGNATURES=1
+            fi
+            
+            if [ ${HAS_SIGNATURES} -eq 1 ]; then
+                # Image has signatures - must copy to local storage without signatures
+                # If copy fails, we cannot proceed as bootc install will fail with signature error
+                SIG_POLICY=$(mktemp)
+                trap 'rm -f -- "${SIG_POLICY}"' EXIT
+                cat > "${SIG_POLICY}" <<'EOF'
+{"default":[{"type":"insecureAcceptAnything"}],"transports":{"containers-storage":[{"type":"insecureAcceptAnything"}]}}
+EOF
+                if ! skopeo copy --signature-policy "${SIG_POLICY}" --remove-signatures \
+                    --storage-opt "additionalimagestore=${AIS}" \
+                    "${SOURCE_REF}" "${LOCAL_IMGREF}"; then
+                    echo "Error: Failed to copy signed image to local storage. This is required to proceed."
+                    rm -f "${SIG_POLICY}"
+                    trap - EXIT
+                    exit 1
+                fi
+                unset STORAGE_OPTS
+                PODMAN_ENV=""
+                rm -f "${SIG_POLICY}"
+                trap - EXIT
+            else
+                # No signatures, use original reference directly
+                LOCAL_IMGREF=${SOURCE_REF}
+                PODMAN_ENV="--env=STORAGE_OPTS"
+            fi
+
             # Execute bootc installation, having the outer podman pull from
             # the virtiofs store on the host, as well as the inner bootc.
             # Mount /var/tmp into inner container to avoid cross-device link errors (issue #125)
-            export STORAGE_OPTS=additionalimagestore=${AIS}
             podman run --rm -i ${tty} --privileged --pid=host --net=none -v /sys:/sys:ro \
                  -v /var/lib/containers:/var/lib/containers -v /var/tmp:/var/tmp -v /dev:/dev -v ${AIS}:${AIS} --security-opt label=type:unconfined_t \
-                --env=STORAGE_OPTS \
+                ${PODMAN_ENV} \
                 {INSTALL_LOG} \
-                {SOURCE_IMGREF} \
+                ${LOCAL_IMGREF} \
                 bootc install to-disk \
                 --generic-image \
                 --skip-fetch-check \
