ostree-ext: surface libostree signature verification text

Right now when using OSTree remote verification, there's no indication
that the OSTree commit was successfully verified.

Capture the return string from `OstreeRepo.signature_verify_commit_data`
and return it as part of the public `LayeredImageState` object.

We could return a more structured signature object here, but this is
sufficient for our purposes for now and saves clients from having to
regenerate similar looking text.

In the `ostree container` CLI, print this verification text.

Signed-off-by: Jonathan Lebon <[email protected]>

Author: jlebon

ostree-ext/src/cli.rs

@@ -896,6 +896,9 @@ async fn container_store(
     {
         eprintln!("{msg}")
     }
+    if let Some(ref text) = import.verify_text {
+        println!("{text}");
+    }
     println!("Wrote: {} => {}", imgref, import.merge_commit);
     Ok(())
 }

ostree-ext/src/container/store.rs

@@ -127,6 +127,10 @@ pub struct LayeredImageState {
     pub configuration: ImageConfiguration,
     /// Metadata for (cached, previously fetched) updates to the image, if any.
     pub cached_update: Option<CachedImageUpdate>,
+    /// The signature verification text from libostree for the base commit;
+    /// in the future we should probably instead just proxy a signature object
+    /// instead, but this is sufficient for now.
+    pub verify_text: Option<String>,
 }
 
 impl LayeredImageState {
@@ -230,6 +234,8 @@ pub struct PreparedImport {
     pub ostree_commit_layer: Option<ManifestLayerState>,
     /// Any further non-ostree (derived) layers.
     pub layers: Vec<ManifestLayerState>,
+    /// OSTree remote signature verification text, if enabled.
+    pub verify_text: Option<String>,
 }
 
 impl PreparedImport {
@@ -635,6 +641,7 @@ impl ImageImporter {
             ostree_layers: component_layers,
             ostree_commit_layer: commit_layer,
             layers: remaining_layers,
+            verify_text: None,
         };
         Ok(Box::new(imp))
     }
@@ -804,17 +811,19 @@ impl ImageImporter {
                     let blob = super::unencapsulate::decompressor(&media_type, blob)?;
                     let mut archive = tar::Archive::new(blob);
                     importer.import_commit(&mut archive, Some(cancellable))?;
-                    let commit = importer.finish_import_commit();
+                    let (commit, verify_text) = importer.finish_import_commit();
                     if write_refs {
                         repo.transaction_set_ref(None, &target_ref, Some(commit.as_str()));
                         tracing::debug!("Wrote {} => {}", target_ref, commit);
                     }
                     repo.mark_commit_partial(&commit, false)?;
                     txn.commit(Some(cancellable))?;
-                    Ok::<_, anyhow::Error>(commit)
+                    Ok::<_, anyhow::Error>((commit, verify_text))
                 });
-            let commit = super::unencapsulate::join_fetch(import_task, driver).await?;
+            let (commit, verify_text) =
+                super::unencapsulate::join_fetch(import_task, driver).await?;
             commit_layer.commit = Some(commit);
+            import.verify_text = verify_text;
             if let Some(p) = self.layer_progress.as_ref() {
                 p.send(ImportProgress::OstreeChunkCompleted(
                     commit_layer.layer.clone(),
@@ -977,7 +986,7 @@ impl ImageImporter {
             .unwrap_or_else(|| chrono::offset::Utc::now().timestamp() as u64);
         // Destructure to transfer ownership to thread
         let repo = self.repo;
-        let state = crate::tokio_util::spawn_blocking_cancellable_flatten(
+        let mut state = crate::tokio_util::spawn_blocking_cancellable_flatten(
             move |cancellable| -> Result<Box<LayeredImageState>> {
                 use rustix::fd::AsRawFd;
 
@@ -1090,6 +1099,8 @@ impl ImageImporter {
             },
         )
         .await?;
+        // We can at least avoid re-verifying the base commit.
+        state.verify_text = import.verify_text;
         Ok(state)
     }
 }
@@ -1220,6 +1231,8 @@ pub fn query_image_commit(repo: &ostree::Repo, commit: &str) -> Result<Box<Layer
         manifest,
         configuration,
         cached_update,
+        // we can't cross-reference with a remote here
+        verify_text: None,
     });
     tracing::debug!("Wrote merge commit {}", state.merge_commit);
     Ok(state)

ostree-ext/src/tar/import.rs

@@ -47,6 +47,7 @@ enum ImporterMode {
 pub(crate) struct Importer {
     repo: ostree::Repo,
     remote: Option<String>,
+    verify_text: Option<String>,
     // Cache of xattrs, keyed by their content checksum.
     xattrs: HashMap<String, glib::Variant>,
     // Reusable buffer for xattrs references. It maps a file checksum (.0)
@@ -165,6 +166,7 @@ impl Importer {
         Self {
             repo: repo.clone(),
             remote,
+            verify_text: None,
             buf: vec![0u8; 16384],
             xattrs: Default::default(),
             next_xattrs: None,
@@ -179,6 +181,7 @@ impl Importer {
         Self {
             repo: repo.clone(),
             remote: None,
+            verify_text: None,
             buf: vec![0u8; 16384],
             xattrs: Default::default(),
             next_xattrs: None,
@@ -676,14 +679,17 @@ impl Importer {
 
             // Now that we have both the commit and detached metadata in memory, verify that
             // the signatures in the detached metadata correctly sign the commit.
-            self.repo
-                .signature_verify_commit_data(
-                    remote,
-                    &commit.data_as_bytes(),
-                    &commitmeta.data_as_bytes(),
-                    ostree::RepoVerifyFlags::empty(),
-                )
-                .context("Verifying ostree commit in tar stream")?;
+            self.verify_text = Some(
+                self.repo
+                    .signature_verify_commit_data(
+                        remote,
+                        &commit.data_as_bytes(),
+                        &commitmeta.data_as_bytes(),
+                        ostree::RepoVerifyFlags::empty(),
+                    )
+                    .context("Verifying ostree commit in tar stream")?
+                    .into(),
+            );
 
             self.repo.mark_commit_partial(&checksum, true)?;
 
@@ -738,10 +744,10 @@ impl Importer {
         Ok(())
     }
 
-    pub(crate) fn finish_import_commit(self) -> String {
+    pub(crate) fn finish_import_commit(self) -> (String, Option<String>) {
         tracing::debug!("Import stats: {:?}", self.stats);
         match self.data {
-            ImporterMode::Commit(c) => c.unwrap(),
+            ImporterMode::Commit(c) => (c.unwrap(), self.verify_text),
             ImporterMode::ObjectSet(_) => unreachable!(),
         }
     }
@@ -821,7 +827,7 @@ pub async fn import_tar(
         let txn = repo.auto_transaction(Some(cancellable))?;
         let mut importer = Importer::new_for_commit(&repo, options.remote);
         importer.import_commit(&mut archive, Some(cancellable))?;
-        let checksum = importer.finish_import_commit();
+        let (checksum, _) = importer.finish_import_commit();
         txn.commit(Some(cancellable))?;
         repo.mark_commit_partial(&checksum, false)?;
         Ok::<_, anyhow::Error>(checksum)