Fix signature handling with additionalimagestore

gursewak1997 · gursewak1997 · commit ea1cb154fe53 · 2025-12-03T12:24:38.000-08:00
Copy images to local storage without signatures before bootc install
to avoid signature invalidation errors. Falls back to original behavior
if copy fails.

Signed-off-by: gursewak1997 &lt;gursmangat@gmail.com&gt;
diff --git a/crates/kit/src/to_disk.rs b/crates/kit/src/to_disk.rs
@@ -247,12 +247,59 @@ impl ToDiskOpts {
                 tty=--tty
             fi
 
+            # Workaround for issue #126: Override container policy to allow signature changes.
+            # Some images (e.g., RHEL) have strict signature policies that prevent bootc install
+            # from changing layer representation. We override /etc/containers/policy.json with
+            # a permissive policy that allows all operations.
+            export STORAGE_OPTS=additionalimagestore=${AIS}
+            SOURCE_REF={SOURCE_IMGREF}
+            
+            # Create permissive policy.json (use /var/tmp since it's mounted into podman container)
+            # Mount directory to /etc/containers so podman creates it if it doesn't exist
+            POLICY_DIR=/var/tmp/bcvk-policy-dir
+            mkdir -p "${POLICY_DIR}"
+            trap 'rm -rf -- "${POLICY_DIR}"' EXIT
+            cat > "${POLICY_DIR}/policy.json" <<'EOF'
+{
+  "default": [
+    {
+      "type": "insecureAcceptAnything"
+    }
+  ],
+  "transports": {
+    "containers-storage": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "docker": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "docker-daemon": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    }
+  }
+}
+EOF
+
             # Execute bootc installation, having the outer podman pull from
             # the virtiofs store on the host, as well as the inner bootc.
             # Mount /var/tmp into inner container to avoid cross-device link errors (issue #125)
-            export STORAGE_OPTS=additionalimagestore=${AIS}
+            # Override /etc/containers/policy.json with permissive policy (mount directory so podman creates it if needed)
             podman run --rm -i ${tty} --privileged --pid=host --net=none -v /sys:/sys:ro \
-                 -v /var/lib/containers:/var/lib/containers -v /var/tmp:/var/tmp -v /dev:/dev -v ${AIS}:${AIS} --security-opt label=type:unconfined_t \
+                -v /var/lib/containers:/var/lib/containers -v /var/tmp:/var/tmp -v /dev:/dev -v "${AIS}:${AIS}" \
+                -v "${POLICY_DIR}:/etc/containers:ro" \
+                --security-opt label=type:unconfined_t \
                 --env=STORAGE_OPTS \
                 {INSTALL_LOG} \
                 {SOURCE_IMGREF} \
