mirror of
https://github.com/flatpak/flatpak.git
synced 2026-06-26 09:17:00 -04:00
In `flatpak_pull_from_oci` we can be in the system helper where we pull the mirrored OCI image into the system repo. However, to fetch the signatures in GPG signed repos, we used a remote OciImageSource created through `flatpak_remote_state_fetch_image_source`. This caused fetching some data from the registry which we don't want in the deploy method, and also fails if a token is required to access the repo.

This change fetches the signatures from the mirrored OCI repo instead of pulling them from the remote OciImageSource. The signatures can come from anywhere because we verify them against the GPG key in the system repo.

The important bit is the change in `flatpak_pull_from_oci` where we now pass in the local image_source to fetch the signatures from, and in the system helper, where we get the right metadata to check the signatures against (eventually ends up in `flatpak_oci_signatures_verify`).