deploy: Remove current composefs signature support

This will be re-implemented using ostree native signatures on the commit object.
ostreedev · Jun 17, 2023 · 604e4a3 · 604e4a3
1 parent 24092e3
commit 604e4a3
Showing 1 changed file with 0 additions and 28 deletions.
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
@@ -661,8 +661,6 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
       g_autoptr (GVariant) metadata = g_variant_get_child_value (commit_variant, 0);
       g_autoptr (GVariant) metadata_composefs
           = g_variant_lookup_value (metadata, "ostree.composefs", G_VARIANT_TYPE_BYTESTRING);
-      g_autoptr (GVariant) metadata_composefs_sig
-          = g_variant_lookup_value (metadata, "ostree.composefs-sig", G_VARIANT_TYPE_BYTESTRING);
 
       /* Create a composefs image and put in deploy dir as .ostree.cfs */
       g_autoptr (OstreeComposefsTarget) target = ostree_composefs_target_new ();
@@ -695,32 +693,6 @@ checkout_deployment_tree (OstreeSysroot *sysroot, OstreeRepo *repo, OstreeDeploy
       if (!_ostree_tmpf_fsverity (repo, &tmpf, NULL, error))
         return FALSE;
 
-      if (metadata_composefs && metadata_composefs_sig)
-        {
-          g_autofree char *composefs_digest_path
-              = g_strdup_printf ("%s/.ostree.cfs.digest", checkout_target_name);
-          g_autofree char *composefs_sig_path
-              = g_strdup_printf ("%s/.ostree.cfs.sig", checkout_target_name);
-          g_autoptr (GBytes) digest = g_variant_get_data_as_bytes (metadata_composefs);
-          g_autoptr (GBytes) sig = g_variant_get_data_as_bytes (metadata_composefs_sig);
-
-          if (!glnx_file_replace_contents_at (osdeploy_dfd, composefs_digest_path,
-                                              g_bytes_get_data (digest, NULL),
-                                              g_bytes_get_size (digest), 0, cancellable, error))
-            return FALSE;
-
-          if (!glnx_file_replace_contents_at (osdeploy_dfd, composefs_sig_path,
-                                              g_bytes_get_data (sig, NULL), g_bytes_get_size (sig),
-                                              0, cancellable, error))
-            return FALSE;
-
-          /* The signature should be applied as a fs-verity signature to the digest file. However
-           * we can't do that until boot, because we can't guarantee that the public key is
-           * loaded into the keyring until we boot the new initrd. So the signature is applied
-           * in ostree-prepare-root on first boot.
-           */
-        }
-
       if (!glnx_link_tmpfile_at (&tmpf, GLNX_LINK_TMPFILE_REPLACE, osdeploy_dfd, composefs_cfs_path,
                                  error))
         return FALSE;