fsverity: use _with_retry

To paper over the fork-vs-fsverity issue a bit
more.

Signed-off-by: Colin Walters <[email protected]>

Author: cgwalters

crates/lib/src/cli.rs

@@ -1227,7 +1227,8 @@ async fn run_from_opt(opt: Opt) -> Result<()> {
                 FsverityOpts::Enable { path } => {
                     let fd =
                         std::fs::File::open(&path).with_context(|| format!("Reading {path}"))?;
-                    fsverity::enable_verity_raw::<fsverity::Sha256HashValue>(&fd)?;
+                    // Note this is not robust to forks, we're not using the _maybe_copy variant
+                    fsverity::enable_verity_with_retry::<fsverity::Sha256HashValue>(&fd)?;
                     Ok(())
                 }
             },

crates/ostree-ext/src/fsverity.rs

@@ -65,7 +65,11 @@ fn enable_fsverity_in_objdir(d: &Dir) -> anyhow::Result<()> {
         let enabled =
             composefs::fsverity::measure_verity_opt::<Sha256HashValue>(f.as_fd())?.is_some();
         if !enabled {
-            composefs_fsverity::enable_verity_raw::<Sha256HashValue>(&f)?;
+            // NOTE: We're not using the _with_copy API here because for us it'd require
+            // copying all the metadata too which is mildly tedious.
+            // For main composefs we don't need to care about the per-file metadata
+            // in general which simplifies a lot.
+            composefs_fsverity::enable_verity_with_retry::<Sha256HashValue>(f.as_fd())?;
         }
     }
     Ok(())