oci-registry: Check signatures from mirrored repo in the system helper

In flatpak_pull_from_oci we can be in the system helper where we pull
the mirrored OCI image into the system repo. However, to fetch the
signatures in GPG signed repos, we used a remote OciImageSource created
through `flatpak_remote_state_fetch_image_source`. This caused fetching
some data from the registry which we don't want in the deploy method,
and also fails if a token is required to access the repo.

This change fetches the signatures from the mirrored OCI repo instead of
pulling them from the remote OciImageSource. The signatures can come from
anywhere because we verify them against the GPG key in the system repo.

The important bit is the change in `flatpak_pull_from_oci` where we now
pass in the local image_source to fetch the signatures from, and in the
system helper, where we get the right metadata to check the signatures
against (eventually ends up in `flatpak_oci_signatures_verify`).
Sebastian Wick
2026-06-11 17:27:47 +02:00
parent 1a33d1a15b
commit 32baedaa7e
5 changed files with 29 additions and 22 deletions


@@ -68,7 +68,7 @@ import_oci (OstreeRepo *repo, GFile *file,
ref = flatpak_image_source_get_ref (image_source);
commit_checksum = flatpak_pull_from_oci (repo, image_source, NULL, NULL,
commit_checksum = flatpak_pull_from_oci (repo, image_source, NULL, NULL, NULL,
ref, FLATPAK_PULL_FLAGS_NONE,
NULL, NULL, cancellable, error);
if (commit_checksum == NULL)


@@ -6926,7 +6926,7 @@ flatpak_dir_pull_oci (FlatpakDir *self,
g_info ("Pulling OCI image %s", oci_digest);
checksum = flatpak_pull_from_oci (repo, image_source, NULL,
checksum = flatpak_pull_from_oci (repo, image_source, NULL, NULL,
state->remote_name, ref, flatpak_flags, oci_pull_progress_cb, progress, cancellable, error);
if (checksum == NULL)


@@ -194,7 +194,8 @@ typedef void (*FlatpakOciPullProgress) (guint64 total_size,
char * flatpak_pull_from_oci (OstreeRepo *repo,
FlatpakImageSource *image_source,
FlatpakImageSource *opt_dst_image_source,
const char *opt_sigcheck_repository,
const char *opt_sigcheck_registry_uri,
const char *remote,
const char *ref,
FlatpakPullFlags flags,


@@ -3301,7 +3301,8 @@ flatpak_mirror_image_from_oci (FlatpakOciRegistry *dst_registry,
char *
flatpak_pull_from_oci (OstreeRepo *repo,
FlatpakImageSource *image_source,
FlatpakImageSource *opt_dst_image_source,
const char *opt_sigcheck_repository,
const char *opt_sigcheck_registry_uri,
const char *remote,
const char *ref,
FlatpakPullFlags flags,
@@ -3334,23 +3335,20 @@ flatpak_pull_from_oci (OstreeRepo *repo,
g_autoptr(GVariantBuilder) metadata_builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}"));
g_autoptr(GVariant) metadata = NULL;
g_autoptr(FlatpakOciSignatures) signatures = NULL;
FlatpakOciRegistry *dst_registry = opt_dst_image_source ?
flatpak_image_source_get_registry (opt_dst_image_source) : registry;
const char *dest_oci_repository = opt_dst_image_source ?
flatpak_image_source_get_oci_repository (opt_dst_image_source) : oci_repository;
const char *sigcheck_registry_uri = opt_sigcheck_registry_uri ? opt_sigcheck_registry_uri : registry->uri;
const char *sigcheck_repository = opt_sigcheck_repository ? opt_sigcheck_repository : oci_repository;
int n_layers;
int i;
g_assert (g_str_has_prefix (digest, "sha256:"));
signatures = load_signatures (opt_dst_image_source ? opt_dst_image_source : image_source,
cancellable, error);
signatures = load_signatures (image_source, cancellable, error);
if (!signatures)
return FALSE;
if (!flatpak_oci_signatures_verify (signatures, repo, remote,
dst_registry->uri,
dest_oci_repository,
sigcheck_registry_uri,
sigcheck_repository,
digest,
error))
return FALSE;
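Review bot: The two new `opt_sigcheck_*` arguments only make sense as a pair, but the fallback lines in the second hunk resolve each one independently, so a caller that passes just one would have the signature identity checked against a mix of caller-supplied and image_source-derived values. This matters more after this change because `load_signatures` now always reads from `image_source`, which in the system helper is the locally mirrored copy, so the registry URI and repository handed to `flatpak_oci_signatures_verify` are what tie a signature to the configured remote; `registry->uri` and `oci_repository` presumably come from that same image_source. I would add `g_assert ((opt_sigcheck_repository == NULL) == (opt_sigcheck_registry_uri == NULL));` ahead of the fallbacks, plus a comment such as `/* Callers whose image_source is not the configured remote must pass both sigcheck values; the fallback trusts image_source. */`, repeated on the prototype in the header. The body of flatpak_pull_from_oci starts and continues outside these hunks.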

View File

@@ -492,6 +492,9 @@ handle_deploy (FlatpakSystemHelper *object,
const char *verified_digest;
g_autofree char *upstream_url = NULL;
g_autoptr(FlatpakImageSource) system_image_source = NULL;
g_autoptr(GVariant) metadata = NULL;
const char *sigcheck_repository = NULL;
g_autofree char *sigcheck_registry_uri = NULL;
if (!ostree_repo_remote_get_url (flatpak_dir_get_repo (system),
arg_origin,
@@ -546,21 +549,26 @@ handle_deploy (FlatpakSystemHelper *object,
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
system_image_source =
flatpak_remote_state_fetch_image_source (state,
system,
arg_ref,
verified_digest,
NULL,
NULL, &error);
if (!system_image_source)
flatpak_remote_state_lookup_ref (state, arg_ref,
NULL, NULL,
&metadata,
NULL, NULL, NULL);
if (!g_variant_lookup (metadata, "xa.oci-repository", "s", &sigcheck_repository))
{
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
"Can't fetch image source: %s", error->message);
"Can't get the OCI repository from the summary");
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
checksum = flatpak_pull_from_oci (flatpak_dir_get_repo (system), image_source, system_image_source,
if (!ostree_repo_remote_get_url (flatpak_dir_get_repo (system), arg_origin, &sigcheck_registry_uri, NULL))
{
g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED,
"Can't get the OCI registry URI");
return G_DBUS_METHOD_INVOCATION_HANDLED;
}
checksum = flatpak_pull_from_oci (flatpak_dir_get_repo (system), image_source, sigcheck_repository, sigcheck_registry_uri,
arg_origin, arg_ref, FLATPAK_PULL_FLAGS_NONE, NULL, NULL, NULL, &error);
if (checksum == NULL)
{
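Review bot: `metadata` reaches `g_variant_lookup` without any check that `flatpak_remote_state_lookup_ref` filled it in: the call's result is discarded and its error argument is NULL, so if the ref has no summary entry the privileged helper would pass a NULL GVariant to GLib instead of returning a D-Bus error. Guarding the lookup keeps that case on the existing error path, `if (metadata == NULL || !g_variant_lookup (metadata, "xa.oci-repository", "&s", &sigcheck_repository))`. The `"&s"` in that line is deliberate: the hunk uses `"s"`, which returns a newly allocated copy, and `sigcheck_repository` is declared `const char *` with no free visible here, so each deploy would leak the string in a long-running service unless it is released later in the function. The borrowed pointer stays valid for as long as `metadata` does, which covers the `flatpak_pull_from_oci` call. handle_deploy starts and continues outside these hunks.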