From de628bc6d86fcea34b89b3cb3f019a78b0f40384 Mon Sep 17 00:00:00 2001 From: Colin Walters Date: Fri, 3 Jun 2022 10:44:48 -0400 Subject: [PATCH] sign: Use `replace-detached-metadata` if available Part of actually shipping chunked format, see https://github.com/coreos/fedora-coreos-config/pull/1698 Not tested. --- src/cmd-sign | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/cmd-sign b/src/cmd-sign index 35f9b3bb78..e8401dff7a 100755 --- a/src/cmd-sign +++ b/src/cmd-sign @@ -178,11 +178,19 @@ def robosign_ostree(args, s3, build, gpgkey): # We've validated the commit, now re-export the repo ostree_image = build['images']['ostree'] exported_ostree_path = os.path.join(builddir, ostree_image['path']) + exported_ostree_ref = f'oci-archive:{exported_ostree_path}:latest' # Files stored in the build directory are mode 0600 to prevent # accidental mutation. Remove the existing one because otherwise # we'll try to `open(O_TRUNC)` it and fail. os.unlink(exported_ostree_path) - subprocess.check_call(['ostree', 'container', 'export', '--repo=tmp/repo', checksum, f'oci-archive:{exported_ostree_path}:latest']) + # Detect and use the replace-detached-metadata API only if available + verb = "replace-detached-metadata" + tmp_image = 'tmp.ociarchive' + if subprocess.check_output(['ostree', 'container', 'image', '--help']).find(verb) >= 0: + subprocess.check_call(['ostree', 'container', 'image', verb, f'--src={exported_ostree_ref}', f'--dest=oci-archive:{tmp_image}:latest', metapath]) + os.rename(tmp_image, exported_ostree_path) + else: + subprocess.check_call(['ostree', 'container', 'export', '--repo=tmp/repo', checksum, exported_ostree_ref]) # Finalize the export by making it not writable. os.chmod(exported_ostree_path, 0o400) ostree_image['size'] = os.path.getsize(exported_ostree_path)