From 32baedaa7e6d7463e9c1bed9259ff9afec001e41 Mon Sep 17 00:00:00 2001
From: Sebastian Wick
Date: Thu, 11 Jun 2026 17:27:47 +0200
Subject: [PATCH] oci-registry: Check signatures from mirrored repo in the system helper

In flatpak_pull_from_oci we can be in in the system helper where we pull the mirrored OCI image into the system repo. However, to fetch the signatures in GPG signed repos, we used a remote OciImageSource created through `flatpak_remote_state_fetch_image_source`. This caused fetching some data from the registry which we don't want in the deploy method, and also fails if a token is required to access the repo. This change fetches the signatures from the mirrored OCI repo instead of pulling them from the remote OciImageSource. The signatures can come from anywhere because we verify them against the GPG key in the system repo. The important bit is the change in `flatpak_pull_from_oci` where we now pass in the local image_source to fetch the signatures from, and in the system helper, where we get the right metadata to check the signatures against (eventually ends up in `flatpak_oci_signatures_verify`).
---
app/flatpak-builtins-build-import-bundle.c | 2 +-
common/flatpak-dir.c | 2 +-
common/flatpak-oci-registry-private.h | 3 ++-
common/flatpak-oci-registry.c | 16 ++++++-------
system-helper/flatpak-system-helper.c | 28 ++++++++++++++--------
5 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/app/flatpak-builtins-build-import-bundle.c b/app/flatpak-builtins-build-import-bundle.c
index 6b06073f3..5455bb534 100644
--- a/app/flatpak-builtins-build-import-bundle.c
+++ b/app/flatpak-builtins-build-import-bundle.c
@@ -68,7 +68,7 @@ import_oci (OstreeRepo *repo, GFile *file, ref = flatpak_image_source_get_ref (image_source); - commit_checksum = flatpak_pull_from_oci (repo, image_source, NULL, NULL, + commit_checksum = flatpak_pull_from_oci (repo, image_source, NULL, NULL, NULL, ref, FLATPAK_PULL_FLAGS_NONE, NULL, NULL, cancellable, error); if (commit_checksum == NULL) diff --git a/common/flatpak-dir.c b/common/flatpak-dir.c index 73118e112..36d9b4314 100644 --- a/common/flatpak-dir.c +++ b/common/flatpak-dir.c @@ -6926,7 +6926,7 @@ flatpak_dir_pull_oci (FlatpakDir *self, g_info ("Pulling OCI image %s", oci_digest); - checksum = flatpak_pull_from_oci (repo, image_source, NULL, + checksum = flatpak_pull_from_oci (repo, image_source, NULL, NULL, state->remote_name, ref, flatpak_flags, oci_pull_progress_cb, progress, cancellable, error); if (checksum == NULL) diff --git a/common/flatpak-oci-registry-private.h b/common/flatpak-oci-registry-private.h index ca56eab39..451f77086 100644 --- a/common/flatpak-oci-registry-private.h +++ b/common/flatpak-oci-registry-private.h @@ -194,7 +194,8 @@ typedef void (*FlatpakOciPullProgress) (guint64 total_size, char * flatpak_pull_from_oci (OstreeRepo *repo, FlatpakImageSource *image_source, - FlatpakImageSource *opt_dst_image_source, + const char *opt_sigcheck_repository, + const char *opt_sigcheck_registry_uri, const char *remote, const char *ref, FlatpakPullFlags flags, diff --git a/common/flatpak-oci-registry.c b/common/flatpak-oci-registry.c index 0a442cd40..07b194e0c 100644 --- a/common/flatpak-oci-registry.c +++ b/common/flatpak-oci-registry.c @@ -3301,7 +3301,8 @@ flatpak_mirror_image_from_oci (FlatpakOciRegistry *dst_registry, char * flatpak_pull_from_oci (OstreeRepo *repo, FlatpakImageSource *image_source, - FlatpakImageSource *opt_dst_image_source, + const char *opt_sigcheck_repository, + const char *opt_sigcheck_registry_uri, const char *remote, const char *ref, FlatpakPullFlags flags, 
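Review bot: The two parameters added to the `flatpak_pull_from_oci` prototype in common/flatpak-oci-registry-private.h carry the identity that the signature check is bound to, and nothing at the declaration says so. The `@@ -3334` hunk in common/flatpak-oci-registry.c shows that a NULL value falls back to the registry URI and repository of `image_source` itself, which is only appropriate when that source is the trusted remote rather than a mirror. I would add a comment above the prototype along the lines of `/* opt_sigcheck_*: registry URI and repository the signatures are verified against; NULL means use image_source's own; privileged callers must pass values taken from the system repo configuration */`. The prototype continues past the end of the hunk.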
@@ -3334,23 +3335,20 @@ flatpak_pull_from_oci (OstreeRepo *repo, g_autoptr(GVariantBuilder) metadata_builder = g_variant_builder_new (G_VARIANT_TYPE ("a{sv}")); g_autoptr(GVariant) metadata = NULL; g_autoptr(FlatpakOciSignatures) signatures = NULL; - FlatpakOciRegistry *dst_registry = opt_dst_image_source ? - flatpak_image_source_get_registry (opt_dst_image_source) : registry; - const char *dest_oci_repository = opt_dst_image_source ? - flatpak_image_source_get_oci_repository (opt_dst_image_source) : oci_repository; + const char *sigcheck_registry_uri = opt_sigcheck_registry_uri ? opt_sigcheck_registry_uri : registry->uri; + const char *sigcheck_repository = opt_sigcheck_repository ? opt_sigcheck_repository : oci_repository; int n_layers; int i; g_assert (g_str_has_prefix (digest, "sha256:")); - signatures = load_signatures (opt_dst_image_source ? opt_dst_image_source : image_source, - cancellable, error); + signatures = load_signatures (image_source, cancellable, error); if (!signatures) return FALSE; if (!flatpak_oci_signatures_verify (signatures, repo, remote, - dst_registry->uri, - dest_oci_repository, + sigcheck_registry_uri, + sigcheck_repository, digest, error)) return FALSE; diff --git a/system-helper/flatpak-system-helper.c b/system-helper/flatpak-system-helper.c index 81c080162..f6156b70a 100644 --- a/system-helper/flatpak-system-helper.c +++ b/system-helper/flatpak-system-helper.c @@ -492,6 +492,9 @@ handle_deploy (FlatpakSystemHelper *object, const char *verified_digest; g_autofree char *upstream_url = NULL; g_autoptr(FlatpakImageSource) system_image_source = NULL; + g_autoptr(GVariant) metadata = NULL; + const char *sigcheck_repository = NULL; + g_autofree char *sigcheck_registry_uri = NULL; if (!ostree_repo_remote_get_url (flatpak_dir_get_repo (system), arg_origin, 
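Review bot: In the `@@ -3334` hunk of common/flatpak-oci-registry.c the two fallbacks are resolved independently, so a caller that passes only one of `opt_sigcheck_repository` and `opt_sigcheck_registry_uri` gets a verification identity that mixes a caller-supplied value with one read from `image_source`. Since that pair is what `flatpak_oci_signatures_verify` checks the signatures against, it seems safer to require both or neither, next to the existing digest assertion: `g_assert ((opt_sigcheck_repository == NULL) == (opt_sigcheck_registry_uri == NULL));`. The body of flatpak_pull_from_oci starts before and continues after this hunk.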
@@ -546,21 +549,26 @@ handle_deploy (FlatpakSystemHelper *object, return G_DBUS_METHOD_INVOCATION_HANDLED; } - system_image_source = - flatpak_remote_state_fetch_image_source (state, - system, - arg_ref, - verified_digest, - NULL, - NULL, &error); - if (!system_image_source) + flatpak_remote_state_lookup_ref (state, arg_ref, + NULL, NULL, + &metadata, + NULL, NULL, NULL); + + if (!g_variant_lookup (metadata, "xa.oci-repository", "s", &sigcheck_repository)) { g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, - "Can't fetch image source: %s", error->message); + "Can't get the OCI repository from the summary"); return G_DBUS_METHOD_INVOCATION_HANDLED; } - checksum = flatpak_pull_from_oci (flatpak_dir_get_repo (system), image_source, system_image_source, + if (!ostree_repo_remote_get_url (flatpak_dir_get_repo (system), arg_origin, &sigcheck_registry_uri, NULL)) + { + g_dbus_method_invocation_return_error (invocation, G_DBUS_ERROR, G_DBUS_ERROR_FAILED, + "Can't get the OCI registry URI"); + return G_DBUS_METHOD_INVOCATION_HANDLED; + } + + checksum = flatpak_pull_from_oci (flatpak_dir_get_repo (system), image_source, sigcheck_repository, sigcheck_registry_uri, arg_origin, arg_ref, FLATPAK_PULL_FLAGS_NONE, NULL, NULL, NULL, &error); if (checksum == NULL) {
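Review bot: The result of `flatpak_remote_state_lookup_ref` is discarded in the `@@ -546` hunk of handle_deploy, so if the ref is not found `metadata` is presumably still NULL when it reaches `g_variant_lookup`, which in the system helper would end in a critical or a crash rather than a D-Bus error reply. The lookup also uses format `"s"`, which returns a newly allocated copy, while `sigcheck_repository` is declared `const char *` without `g_autofree` in the `@@ -492` hunk, so the string appears to be leaked on every deploy. Both can be handled in the condition: `if (metadata == NULL || !g_variant_lookup (metadata, "xa.oci-repository", "&s", &sigcheck_repository))`, where `"&s"` borrows from `metadata`, which the `g_autoptr` keeps alive. The second `ostree_repo_remote_get_url` call passes NULL for the error, so the reply cannot say why it failed; passing `&error` and including `error->message`, as the removed code did, would keep that detail. handle_deploy starts before and continues after both hunks.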