
Conversation

@alexlarsson
Member

I'm working on some changes in rpm-ostree (will link later) that use the signature support and the composefs digest. This is a set of changes that:

  • Fixes a double free in ostree_sign_set_sk()
  • Annotates (for binding) return value of ostree_blob_reader_read_blob as nullable
  • Adds Ostree.BlobReader to rust bindings
  • Adds GLib.VariantDict to rust bindings, allowing ostree_repo_commit_add_composefs_metadata() to be callable
  • Regenerates rust binding and bumps version to 0.20.5 so the above is usable.

@github-actions github-actions bot added the area/rust-bindings Relates to the Rust bindings for the C library label Sep 26, 2025
When the gvariant is G_VARIANT_TYPE_BYTESTRING we need to duplicate
the data we get from g_variant_get_fixed_array(), otherwise we will
double-free it when we later free sign->secret_key.

This adds api docs to ostree_blob_reader_read_blob() so that we
can mark the return value as nullable. This is needed, because
this function can return NULL without setting error, and this
needs to be handled in bindings (such as the rust ones).

This adds GLib.VariantDict, which is needed for
ostree_repo_commit_add_composefs_metadata(), and OSTree.BlobReader
which are needed for ostree_sign_read_sk().

With these we can sign ostree commits with composefs digests in them.

This adds the new bindings for signing and composefs use.
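The first commit above fixes an ownership bug: g_variant_get_fixed_array() returns a pointer into the GVariant's own buffer, so storing it in sign->secret_key means the same block is freed once with the variant and again with the signer. The following is an added, standalone C model of that pattern (not ostree's code and not using GLib): a hypothetical ByteStringVariant stands in for the bytestring GVariant, sign_set_sk_buggy stores the borrowed pointer, and sign_set_sk_fixed duplicates the bytes as the fix does.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a GVariant of type G_VARIANT_TYPE_BYTESTRING: it owns one heap
 * buffer, and variant_get_fixed_array() hands out a pointer INTO that buffer
 * (borrowed, not copied), mirroring g_variant_get_fixed_array(). Hypothetical. */
typedef struct {
  uint8_t *data;
  size_t len;
} ByteStringVariant;

/* Stand-in for the signer object; secret_key is released by sign_free(). */
typedef struct {
  uint8_t *secret_key;
  size_t key_len;
} Sign;

static ByteStringVariant *variant_new_bytestring(const uint8_t *src, size_t len) {
  ByteStringVariant *v = malloc(sizeof *v);
  v->data = malloc(len);
  memcpy(v->data, src, len);
  v->len = len;
  return v;
}

/* Borrowed view: the caller must never free the returned pointer. */
static const uint8_t *variant_get_fixed_array(const ByteStringVariant *v, size_t *len) {
  *len = v->len;
  return v->data;
}

static void variant_unref(ByteStringVariant *v) { free(v->data); free(v); }

/* Buggy shape: keeps the borrowed pointer, so variant_unref() and sign_free()
 * would both free the same block (the double free the PR fixes). */
static void sign_set_sk_buggy(Sign *s, const ByteStringVariant *v) {
  s->secret_key = (uint8_t *)variant_get_fixed_array(v, &s->key_len);
}

/* Fixed shape: duplicate the bytes so the signer owns an independent copy. */
static void sign_set_sk_fixed(Sign *s, const ByteStringVariant *v) {
  const uint8_t *borrowed = variant_get_fixed_array(v, &s->key_len);
  s->secret_key = malloc(s->key_len);
  memcpy(s->secret_key, borrowed, s->key_len);
}

/* 1 if the signer's key aliases the variant's buffer (double-free hazard). */
static int key_aliases_variant(const Sign *s, const ByteStringVariant *v) {
  return s->secret_key == v->data;
}

static void sign_free(Sign *s) { free(s->secret_key); s->secret_key = NULL; }
```

Under AddressSanitizer the buggy variant reports a double-free as soon as both objects are released; the fixed variant frees two distinct allocations.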

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a memory safety fix for signature handling and updates the Rust bindings. The changes in ostree_sign_ed25519.c and ostree_sign-spki.c address a potential use-after-free vulnerability by copying secret key data. The Rust bindings are regenerated to expose Ostree.BlobReader and GLib.VariantDict, and to correctly handle the nullable return from ostree_blob_reader_read_blob. My review of the changes did not identify any issues.

alexlarsson added a commit to alexlarsson/rpm-ostree that referenced this pull request Sep 26, 2025
This adds a new --sign-commit CLI option to `rpm-ostree experimental
compose build-chunked-oci` which signs the embedded ostree commit.

With this, it is possible (with some care) to layer a signed bootc
image that uses old-school signed ostree/composefs support.

Note, this relies on the double free fix for ostree_sign_set_sk() in
ostreedev/ostree#3527 to work.
alexlarsson added a commit to alexlarsson/rpm-ostree that referenced this pull request Sep 26, 2025
@cgwalters cgwalters merged commit b3fbab5 into ostreedev:main Sep 26, 2025
24 of 26 checks passed
@alexlarsson
Member Author

@cgwalters How do we get 0.20.5 rust bindings released?

@cgwalters
Member

#3529

alexlarsson added a commit to alexlarsson/rpm-ostree that referenced this pull request Oct 3, 2025
alexlarsson added a commit to alexlarsson/rpm-ostree that referenced this pull request Oct 3, 2025
alexlarsson added a commit to alexlarsson/rpm-ostree that referenced this pull request Oct 15, 2025
alexlarsson added a commit to alexlarsson/rpm-ostree that referenced this pull request Oct 15, 2025
alexlarsson added a commit to alexlarsson/rpm-ostree that referenced this pull request Oct 15, 2025