cli: drop support for verifying ostree remotes

The `install` and `switch` verbs supported passing an OSTree remote to
use to verify the embedded OSTree commit. This option in fact did not
function correctly and no verification was actually performace.

While it's possible someone was using this feature, it seems quite
unlikely since the UX is more geared towards native OCI signatures. As a
result, we have decided not to file a CVE for this.

And in fact, since we're planning to keep moving away from ostree,
instead of fixing this bug, just completely rip out support for passing
and OSTree remote.

Note this is distinct from the ostree-ext code, which still does support
signature verification of the embedded OSTree commit. E.g. Fedora
CoreOS is planning to make use of that until it can move to proper OCI
signatures.

While we're here, drop the negation around the container sigpolicy to
make it easier to follow the logic.

Signed-off-by: Jonathan Lebon <[email protected]>

Author: jlebon

lib/src/cli.rs

@@ -28,7 +28,7 @@ use crate::lints;
 use crate::progress_jsonl::{ProgressWriter, RawProgressFd};
 use crate::spec::Host;
 use crate::spec::ImageReference;
-use crate::utils::sigpolicy_from_opts;
+use crate::utils::sigpolicy_from_opt;
 
 /// Shared progress options
 #[derive(Debug, Parser, PartialEq, Eq)]
@@ -111,10 +111,6 @@ pub(crate) struct SwitchOpts {
     #[clap(long)]
     pub(crate) enforce_container_sigpolicy: bool,
 
-    /// Enable verification via an ostree remote
-    #[clap(long)]
-    pub(crate) ostree_remote: Option<String>,
-
     /// Don't create a new deployment, but directly mutate the booted state.
     /// This is hidden because it's not something we generally expect to be done,
     /// but this can be used in e.g. Anaconda %post to fixup
@@ -795,10 +791,7 @@ async fn switch(opts: SwitchOpts) -> Result<()> {
         transport,
         name: opts.target.to_string(),
     };
-    let sigverify = sigpolicy_from_opts(
-        !opts.enforce_container_sigpolicy,
-        opts.ostree_remote.as_deref(),
-    );
+    let sigverify = sigpolicy_from_opt(opts.enforce_container_sigpolicy);
     let target = ostree_container::OstreeImageReference { sigverify, imgref };
     let target = ImageReference::from(target);
     let prog: ProgressWriter = opts.progress.try_into()?;

lib/src/install.rs

@@ -57,7 +57,7 @@ use crate::progress_jsonl::ProgressWriter;
 use crate::spec::ImageReference;
 use crate::store::Storage;
 use crate::task::Task;
-use crate::utils::{open_dir_noxdev, sigpolicy_from_opts};
+use crate::utils::{open_dir_noxdev, sigpolicy_from_opt};
 
 /// The toplevel boot directory
 const BOOT: &str = "boot";
@@ -112,10 +112,6 @@ pub(crate) struct InstallTargetOpts {
     #[serde(default)]
     pub(crate) enforce_container_sigpolicy: bool,
 
-    /// Enable verification via an ostree remote
-    #[clap(long)]
-    pub(crate) target_ostree_remote: Option<String>,
-
     /// By default, the accessiblity of the target image will be verified (just the manifest will be fetched).
     /// Specifying this option suppresses the check; use this when you know the issues it might find
     /// are addressed.
@@ -1216,10 +1212,7 @@ async fn prepare_install(
             "Use of --target-no-signature-verification flag which is enabled by default"
         );
     }
-    let target_sigverify = sigpolicy_from_opts(
-        !target_opts.enforce_container_sigpolicy,
-        target_opts.target_ostree_remote.as_deref(),
-    );
+    let target_sigverify = sigpolicy_from_opt(target_opts.enforce_container_sigpolicy);
     let target_imgname = target_opts
         .target_imgref
         .as_deref()

lib/src/utils.rs

@@ -172,16 +172,10 @@ pub(crate) fn spawn_editor(tmpf: &tempfile::NamedTempFile) -> Result<()> {
 }
 
 /// Convert a combination of values (likely from CLI parsing) into a signature source
-pub(crate) fn sigpolicy_from_opts(
-    disable_verification: bool,
-    ostree_remote: Option<&str>,
-) -> SignatureSource {
-    if disable_verification {
-        SignatureSource::ContainerPolicyAllowInsecure
-    } else if let Some(remote) = ostree_remote {
-        SignatureSource::OstreeRemote(remote.to_owned())
-    } else {
-        SignatureSource::ContainerPolicy
+pub(crate) fn sigpolicy_from_opt(enforce_container_verification: bool) -> SignatureSource {
+    match enforce_container_verification {
+        true => SignatureSource::ContainerPolicy,
+        false => SignatureSource::ContainerPolicyAllowInsecure,
     }
 }
 
@@ -273,20 +267,9 @@ mod tests {
 
     #[test]
     fn test_sigpolicy_from_opts() {
+        assert_eq!(sigpolicy_from_opt(true), SignatureSource::ContainerPolicy);
         assert_eq!(
-            sigpolicy_from_opts(false, None),
-            SignatureSource::ContainerPolicy
-        );
-        assert_eq!(
-            sigpolicy_from_opts(true, None),
-            SignatureSource::ContainerPolicyAllowInsecure
-        );
-        assert_eq!(
-            sigpolicy_from_opts(false, Some("foo")),
-            SignatureSource::OstreeRemote("foo".to_owned())
-        );
-        assert_eq!(
-            sigpolicy_from_opts(true, Some("foo")),
+            sigpolicy_from_opt(false),
             SignatureSource::ContainerPolicyAllowInsecure
         );
     }