checkout: Only verify digest if repo requires fsverity

Fixes a regression from the previous commit; in the case where the target repo doesn't have composefs in signed mode there's no reason to verify the digest at checkout time because we aren't verifying it at boot time either. The regression is in cases that use rpm-ostree e.g. where as of recently we unconditionally add the composefs digest, but for e.g. FCOS we aren't deploying with fsverity enabled. Closes: ostreedev#3330 Signed-off-by: Colin Walters <walters@verbum.org>
cgwalters · Nov 4, 2024 · c0be5bf · c0be5bf
1 parent ab8a7f7
commit c0be5bf
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 3 deletions.
diff --git a/src/libostree/ostree-repo-checkout.c b/src/libostree/ostree-repo-checkout.c
@@ -1346,9 +1346,14 @@ ostree_repo_checkout_composefs (OstreeRepo *self, GVariant *options, int destina
   if (!ostree_composefs_target_write (target, tmpf.fd, &fsverity_digest, cancellable, error))
     return FALSE;
 
-  /* If the commit specified a composefs digest, verify it */
-  if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
-    return FALSE;
+  /* If the commit specified a composefs digest and the target is known to have fsverity,
+   * then double check our ouptut.
+   */
+  if (verity == OT_TRISTATE_YES)
+    {
+      if (!compare_verity_digests (metadata_composefs, fsverity_digest, error))
+        return FALSE;
+    }
 
   if (!glnx_fchmod (tmpf.fd, 0644, error))
     return FALSE;

diff --git a/tests/test-composefs.sh b/tests/test-composefs.sh
@@ -62,4 +62,14 @@ composefs-info dump test2-co-noverity.cfs > dump.txt
 assert_file_has_content_literal dump.txt '/baz/cow 4 100644 1 0 0 0 0.0 f6/a517d53831a40cff3886a965c70d57aa50797a8e5ea965b2c49cc575a6ff51.file - -'
 tap_ok "checkout composefs noverity"
 
+# Test with a corrupted composefs digest
+$OSTREE commit ${COMMIT_ARGS} -b test-composefs-bad-digest --tree=ref=test-composefs \
+    '--add-metadata=ostree.composefs.digest.v0=[byte 0x13, 0xae, 0xae, 0xed, 0xc0, 0x34, 0xd1, 0x39, 0xef, 0xfc, 0xd6, 0x6f, 0xe3, 0xdb, 0x08, 0xd3, 0x32, 0x8a, 0xec, 0x2f, 0x02, 0xc5
+, 0xa7, 0x8a, 0xee, 0xa6, 0x0f, 0x34, 0x6d, 0x7a, 0x22, 0x6d]'
+if $OSTREE checkout --composefs test-composefs-bad-digest test2-co.cfs 2>err.txt; then
+    fatal "checked out composefs with mismatched digest"
+fi
+assert_file_has_content_literal err.txt "doesn't match expected digest"
+tap_ok "checkout composefs bad digest"
+
 tap_end