sources/ostree: verify signature on local pull

Instead of verifying the gpg signature when pull from the actual remote source into the local cache, verify the commit when it is being pulled from the local cache into the output directory. This ensures that the signatures are checked against the provided keys even when the commit was already in the cache and at that time the key might have been different. NB: ostree expects the signature to be present on the remote at the *target* repository, i.e. in our case the output repository. The keys are therefore attached to a temporary remote that is created at the output repository with the same name/id that is used for the actual remote.
2020-04-15 14:27:08 +02:00 · 2020-04-15 14:27:08 +02:00 · b8b6619d39
commit b8b6619d39
parent e1b2803ae0
1 changed files with 16 additions and 7 deletions
--- a/sources/org.osbuild.ostree
+++ b/sources/org.osbuild.ostree
@ -36,32 +36,41 @@ def main(options, checksums, cache, output):
        gpg = remote.get("gpgkeys", [])
        uid = str(uuid.uuid4())

-        extra_args = []
-        if not gpg:
-            extra_args += ["--no-gpg-verify"]
-
        ostree("remote", "add",
               "--no-gpg-verify",
-               *extra_args,
               uid, url,
               repo=repo_cache)

+        # this temporary remote is needed to verify
+        # the commit signatures via gpg below
+        ostree("remote", "add",
+               uid, repo_cache,
+               repo=repo_out)
+
        for key in gpg:
            ostree("remote", "gpg-import", "--stdin", uid,
-                   repo=repo_cache, _input=key)
+                   repo=repo_out, _input=key)

        # Transfer the commit: remote → cache
        print(f"pulling {commit}", file=sys.stderr)
        ostree("pull", uid, commit, repo=repo_cache)

        # Transfer the commit: cache → output
+        verify_args = []
+        if gpg:
+            verify_args = ["--gpg-verify", "--remote", uid]
+
        ostree("pull-local", repo_cache, commit,
+               *verify_args,
               repo=repo_out)

-        # Remove the temporary remote again
+        # Remove the temporary remotes again
        ostree("remote", "delete", uid,
               repo=repo_cache)

+        ostree("remote", "delete", uid,
+               repo=repo_out)
+
    json.dump({}, sys.stdout)
    return 0