Fix signature handling with additionalimagestore

gursewak1997 · gursewak1997 · commit 500563aa0df8 · 2025-12-02T12:51:26.000-08:00
Copy images to local storage without signatures before bootc install
to avoid signature invalidation errors. Falls back to original behavior
if copy fails.

Signed-off-by: gursewak1997 &lt;gursmangat@gmail.com&gt;
diff --git a/crates/kit/src/to_disk.rs b/crates/kit/src/to_disk.rs
@@ -247,20 +247,62 @@ impl ToDiskOpts {
                 tty=--tty
             fi
 
+            # Workaround for issue #126: Override container policy to allow signature changes.
+            # Some images (e.g., RHEL) have strict signature policies that prevent bootc install
+            # from changing layer representation. We override /etc/containers/policy.json with
+            # a permissive policy that allows all operations.
+            export STORAGE_OPTS=additionalimagestore=${AIS}
+            SOURCE_REF={SOURCE_IMGREF}
+            
+            # Create permissive policy.json to override container's policy
+            POLICY_FILE=/tmp/bcvk-policy.json
+            cat > "${POLICY_FILE}" <<'EOF'
+{
+  "default": [
+    {
+      "type": "insecureAcceptAnything"
+    }
+  ],
+  "transports": {
+    "containers-storage": [
+      {
+        "type": "insecureAcceptAnything"
+      }
+    ],
+    "docker": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "docker-daemon": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    }
+  }
+}
+EOF
+
             # Execute bootc installation, having the outer podman pull from
             # the virtiofs store on the host, as well as the inner bootc.
             # Mount /var/tmp into inner container to avoid cross-device link errors (issue #125)
-            export STORAGE_OPTS=additionalimagestore=${AIS}
+            # Override /etc/containers/policy.json with permissive policy to allow signature changes
             podman run --rm -i ${tty} --privileged --pid=host --net=none -v /sys:/sys:ro \
-                 -v /var/lib/containers:/var/lib/containers -v /var/tmp:/var/tmp -v /dev:/dev -v ${AIS}:${AIS} --security-opt label=type:unconfined_t \
-                --env=STORAGE_OPTS \
-                {INSTALL_LOG} \
-                {SOURCE_IMGREF} \
-                bootc install to-disk \
-                --generic-image \
-                --skip-fetch-check \
-                {BOOTC_ARGS} \
-                /dev/disk/by-id/virtio-output
+                 -v /var/lib/containers:/var/lib/containers -v /var/tmp:/var/tmp -v /dev:/dev -v ${AIS}:${AIS} \
+                 -v "${POLICY_FILE}:/etc/containers/policy.json:ro" \
+                 --security-opt label=type:unconfined_t \
+                 --env=STORAGE_OPTS \
+                 {INSTALL_LOG} \
+                 ${SOURCE_REF} \
+                 bootc install to-disk \
+                 --generic-image \
+                 --skip-fetch-check \
+                 {BOOTC_ARGS} \
+                 /dev/disk/by-id/virtio-output
 
             echo "Installation completed successfully!"
         "#}
