install: Add a config knob for container sigpolicy#2116
Open
jbtrystram wants to merge 1 commit intobootc-dev:mainfrom
Open
install: Add a config knob for container sigpolicy#2116jbtrystram wants to merge 1 commit intobootc-dev:mainfrom
jbtrystram wants to merge 1 commit intobootc-dev:mainfrom
Conversation
github-actions
bot
added
area/install
jbtrystram
force-pushed
the
sigpolicy-config-knob
branch
from
27089cc to
9f8f38a
Compare
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces support for the enforce-container-sigpolicy configuration option, allowing users to enforce container image signature policies via TOML drop-in files. The changes include updating the InstallConfiguration struct, implementing the necessary merging logic, adding unit tests, and updating the relevant documentation. The reviewer suggested refactoring the configuration merging logic to use if let for better readability and to avoid redundant assignments when configuration values are absent.
Comment on lines
+1553
to
+1569
| if !config_opts.bootupd_skip_boot_uuid { | ||
| config_opts.bootupd_skip_boot_uuid = config | ||
| .bootupd | ||
| .as_ref() | ||
| .and_then(|b| b.skip_boot_uuid) | ||
| .unwrap_or(false); | ||
| } | ||
|
|
||
| if config_opts.bootloader.is_none() { | ||
| config_opts.bootloader = config.bootloader.clone(); | ||
| } | ||
|
|
||
| if !target_opts.enforce_container_sigpolicy { | ||
| target_opts.enforce_container_sigpolicy = config | ||
| .enforce_container_sigpolicy | ||
| .unwrap_or(false); | ||
| } |
Contributor
There was a problem hiding this comment.
The logic for merging boolean options from the configuration file can be made more explicit to improve readability and avoid potentially redundant assignments.
When a boolean configuration option is not present, the current implementation with unwrap_or(false) assigns false to a variable that is already known to be false inside the if !... block.
Using if let to check for the presence of the config value before assigning makes the intent clearer and avoids this no-op assignment.
if !config_opts.bootupd_skip_boot_uuid {
if let Some(skip) = config.bootupd.as_ref().and_then(|b| b.skip_boot_uuid) {
config_opts.bootupd_skip_boot_uuid = skip;
}
}
if config_opts.bootloader.is_none() {
config_opts.bootloader = config.bootloader.clone();
}
if !target_opts.enforce_container_sigpolicy {
if let Some(enforce) = config.enforce_container_sigpolicy {
target_opts.enforce_container_sigpolicy = enforce;
}
}
cgwalters
previously approved these changes
Apr 2, 2026
Collaborator
cgwalters
left a comment
cgwalters
left a comment
There was a problem hiding this comment.
Looks sane. That said I think it'd be helpful for us to
- consolidate our install tests into one thing
- add an install test case for this from a container image source config, not just a synthetic unit test
Collaborator
|
For now just missing |
Surface the `--enforce-container-sigpolicy` flag as a config file option. Fixes bootc-dev#2112 Assisted-by: OpenCode.ai <Opus 4.6> Signed-off-by: jbtrystram <jbtrystram@redhat.com>
jbtrystram
added a commit
to jbtrystram/coreos-assembler
that referenced
this pull request
Apr 8, 2026
Tell bootc to enforce that `/etc/containers/policy.json` include a default policy that verify our images signature. When moving to image-builder, this config can be moved into the container itself but as long as we are using osbuild manually we have to carry this in the buildroot. TODO: uncomment this when bootc-dev/bootc#2116 is merged and released See coreos/fedora-coreos-config#4093 (comment)
jbtrystram
added a commit
to jbtrystram/coreos-assembler
that referenced
this pull request
Apr 8, 2026
Until we are able to tune this through and install config file, let's always pass the flag at the osbuild label. This can be dropped once we have bootc-dev/bootc#2116 in bootc.
jbtrystram
added a commit
to jbtrystram/coreos-assembler
that referenced
this pull request
Apr 8, 2026
Tell bootc to enforce that `/etc/containers/policy.json` include a default policy that verify our images signature. When moving to image-builder, this config can be moved into the container itself but as long as we are using osbuild manually we have to carry this in the buildroot. TODO: uncomment this when bootc-dev/bootc#2116 is merged and released See coreos/fedora-coreos-config#4093 (comment)
jbtrystram
added a commit
to jbtrystram/coreos-assembler
that referenced
this pull request
Apr 8, 2026
Until we are able to tune this through and install config file, let's always pass the flag at the osbuild label. This can be dropped once we have bootc-dev/bootc#2116 in bootc.
jbtrystram
force-pushed
the
sigpolicy-config-knob
branch
from
9f8f38a to
33db387
Compare
jbtrystram
added a commit
to jbtrystram/coreos-assembler
that referenced
this pull request
Apr 9, 2026
Tell bootc to enforce that `/etc/containers/policy.json` include a default policy that verify our images signature. When moving to image-builder, this config can be moved into the container itself but as long as we are using osbuild manually we have to carry this in the buildroot. TODO: uncomment this when bootc-dev/bootc#2116 is merged and released See coreos/fedora-coreos-config#4093 (comment)
jbtrystram
added a commit
to jbtrystram/coreos-assembler
that referenced
this pull request
Apr 9, 2026
Until we are able to tune this through and install config file, let's always pass the flag at the osbuild label. This can be dropped once we have bootc-dev/bootc#2116 in bootc.
dustymabe
pushed a commit
to jbtrystram/coreos-assembler
that referenced
this pull request
Apr 9, 2026
Tell bootc to enforce that `/etc/containers/policy.json` include a default policy that verify our images signature. When moving to image-builder, this config can be moved into the container itself but as long as we are using osbuild manually we have to carry this in the buildroot. TODO: uncomment this when bootc-dev/bootc#2116 is merged and released See coreos/fedora-coreos-config#4093 (comment)
dustymabe
pushed a commit
to jbtrystram/coreos-assembler
that referenced
this pull request
Apr 9, 2026
Until we are able to tune this through and install config file, let's always pass the flag at the osbuild label. This can be dropped once we have bootc-dev/bootc#2116 in bootc.
dustymabe
pushed a commit
to coreos/coreos-assembler
that referenced
this pull request
Apr 9, 2026
Tell bootc to enforce that `/etc/containers/policy.json` include a default policy that verify our images signature. When moving to image-builder, this config can be moved into the container itself but as long as we are using osbuild manually we have to carry this in the buildroot. TODO: uncomment this when bootc-dev/bootc#2116 is merged and released See coreos/fedora-coreos-config#4093 (comment)
dustymabe
pushed a commit
to coreos/coreos-assembler
that referenced
this pull request
Apr 9, 2026
Until we are able to tune this through and install config file, let's always pass the flag at the osbuild label. This can be dropped once we have bootc-dev/bootc#2116 in bootc.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Surface the
--enforce-container-sigpolicyflag as a config file option.Fixes #2112
Assisted-by: OpenCode.ai <Opus 4.6>