Composefs deploy config change broke signed builds if public key is missing #3188
Comments
|
Hmm, so i think the real problem is not that the initramfs-root-binding.key is missing, it is that it reads the config files from the deploy dir, but the keys from the real root. |
alexlarsson
added a commit
to alexlarsson/ostree
that referenced
this issue
Feb 21, 2024
…ssing keys When we load the configuration during deploy we don't need to actually use the keys, so avoid loading them. This fixes an issue we had where this broke the initial deploy becasue of a failure to load the key. In our case it fails because the code looks for the config file in the deploy dir, but then for the binding key in the real root. However, even if it were to look for the key in the deploy dir I don't think it necessarily has to be in the rootfs, it could be only in the initrd. This fixes ostreedev#3188
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The change in #3165 broke the automotive builds, because
during the initial deploy, the root-binding key is not in the buildroot. So I get:
The reason for this is that otcore_load_composefs_config() hard-fails if the config says it is supposed to be signed, but the signature is not there.
I think the call to otcore_load_composefs_config() from deploy needs to be less enforcing.
The text was updated successfully, but these errors were encountered: