sign: Add support for ociarchive

[cgwalters]

Part of: coreos/fedora-coreos-tracker#812

We need to support signing ostree-native container images in
addition to our custom "ostree-archive-in-tar". To keep both
paths aligned, first export the archive (whether tar or ostree-container)
to an unpacked tmp/repo.

This repo then takes the place of the previous temporary repo where
we added a dummy remote to use to verify the signature generated.

Use public OSTree APIs to read/write commit metadata instead
of doing it by hand. But in the tar case, we keep the optimization of just
reflinking and appending to the archive.

[cgwalters]

I've only "compile" tested this. I may try adding a test path which mocks up the signature. But the strongest verification would look like this:

• Build and upload a coreos-assembler from this PR
• Do a production run of rawhide pointed at that image (verifying old signing path)
• Re-do [rawhide] Switch to ostree-format: "oci" fedora-coreos-config#1097
• Do another production run of rawhide pointed at that image (verifying new signing path)

[cgwalters]

Alternatively there is the --stg support; who/what has access to that?

[jlebon]

LGTM overall though agreed we should test this before merging.

Alternatively there is the --stg support; who/what has access to that?

I have access to this (@dustymabe also does) but honestly it might still be easier to go the cosa rebuild route. You can just push it to a branch and add a Quay trigger. If you'd like to go the local way, I can send you the credentials for stage. The fedmsg.toml to use will look like this one: https://github.com/coreos/fedora-coreos-pipeline/blob/main/configs/fedmsg.toml, but the URL and TLS bits pointing at stage. And I think it'd be coreos.stg:, not coreos:... It's been a while since I've touched this stuff. Definitely an area that needs better documentation.

[jlebon]

Minor: would be nicer to have this be the last operation as before. (I.e. right before build.write()). Fine as is though since in practice a failure here just fails the whole build anyway.

[cgwalters]

I pushed quay.io/cgwalters/coreos-assembler:sign-container with the code from this PR.

[jlebon]

16:04:45  Sending org.fedoraproject.prod.coreos.build.request.ostree-sign with body {'build_id': '36.20210913.91.1', 'basearch': 'x86_64', 'commit_object': 's3://fcos-builds/prod/streams/rawhide/builds/tmp-x86_64/ostree-commit-object', 'checksum': 'sha256:0a760e70f18c2863bcccbd5361debce9580ec60e825573e2470e0f8cb7ad45f8', 'stream': 'rawhide', 'request_id': '78e3e6c1-7590-4101-80f4-8d92a190c099'}
16:04:47  Waiting for a response to the sent request
16:05:19  0 metadata, 0 content objects imported; 0 bytes content written
16:05:19  Verifying OSTree signature
16:05:19  Traceback (most recent call last):
16:05:19    File "/usr/lib/coreos-assembler/cmd-sign", line 273, in <module>
16:05:19      sys.exit(main())
16:05:19    File "/usr/lib/coreos-assembler/cmd-sign", line 42, in main
16:05:19      args.func(args)
16:05:19    File "/usr/lib/coreos-assembler/cmd-sign", line 95, in cmd_robosignatory
16:05:19      robosign_ostree(args, s3, build, gpgkey)
16:05:19    File "/usr/lib/coreos-assembler/cmd-sign", line 149, in robosign_ostree
16:05:19      repo.write_commit_detached_metadata(checksum, commitmeta_data, None)
16:05:19  gi.repository.GLib.Error: g-io-error-quark: Bad file descriptor (0)

[cgwalters]

Should be fixed - will watch for the quay rebuild

[cgwalters]

quay.io/cgwalters/coreos-assembler@sha256:0eaadb6d9a4e8c075ff46bb6f64754ff01fce5224709c8d7ef6abe2effac360a

[jlebon]

Started https://jenkins-fedora-coreos.apps.ocp.ci.centos.org/job/fedora-coreos/job/fedora-coreos-fedora-coreos-pipeline/2686 with it.

[jlebon]

21:04:14  Verifying OSTree signature
21:04:14  Valid signature from Fedora <fedora-36-primary@fedoraproject.org> (53DED2CB922D8B8D9E63FD18999F7CBF38AB71F4)
21:04:14  Traceback (most recent call last):
21:04:14    File "/usr/lib/coreos-assembler/cmd-sign", line 274, in <module>
21:04:14      sys.exit(main())
21:04:14    File "/usr/lib/coreos-assembler/cmd-sign", line 42, in main
21:04:14      args.func(args)
21:04:14    File "/usr/lib/coreos-assembler/cmd-sign", line 95, in cmd_robosignatory
21:04:14      robosign_ostree(args, s3, build, gpgkey)
21:04:14    File "/usr/lib/coreos-assembler/cmd-sign", line 189, in robosign_ostree
21:04:14      with tarfile.open(tmp_tar, 'a:') as t:
21:04:14    File "/usr/lib64/python3.9/tarfile.py", line 1629, in open
21:04:14      return func(name, filemode, fileobj, **kwargs)
21:04:14    File "/usr/lib64/python3.9/tarfile.py", line 1659, in taropen
21:04:14      return cls(name, mode, fileobj, **kwargs)
21:04:14    File "/usr/lib64/python3.9/tarfile.py", line 1474, in __init__
21:04:14      fileobj = bltn_open(name, self._mode)
21:04:14  PermissionError: [Errno 13] Permission denied: 'tmp/cosa-signrw2wv9if/fedora-coreos-36.20210914.91.0-ostree.x86_64.tar'

[cgwalters]

OK whee, another one liner.

Glad we're doing this!

[cgwalters]

quay.io/cgwalters/coreos-assembler@sha256:4849f86668014272a5ceb258d0371bd6c8aef4a76fa74d03e1c5551ea283001e

[jlebon]

https://jenkins-fedora-coreos.apps.ocp.ci.centos.org/job/fedora-coreos/job/fedora-coreos-fedora-coreos-pipeline/2690/

[jlebon]

jenkins-fedora-coreos.apps.ocp.ci.centos.org/job/fedora-coreos/job/fedora-coreos-fedora-coreos-pipeline/2690

This one is still going, but it did go past OSTree signing successfully already, so I think we're good to go!

CI looks like a flake. We should dig into it, but restarted it for now.

[jlebon]

Filed coreos/fedora-coreos-tracker#961 for the flake.