to-disk: Fix signature validation error with signed images

gursewak1997 · gursewak1997 · commit edb88ea70b28 · 2025-12-11T16:44:49.000-08:00
Copy images to local storage without signatures before bootc install
to avoid errors with images like RHEL. Creates a permissive policy.json
on the VM and uses skopeo to copy the image without signatures, then
runs bootc install on the unsigned local copy.

Signed-off-by: gursewak1997 &lt;gursmangat@gmail.com&gt;
diff --git a/crates/kit/src/to_disk.rs b/crates/kit/src/to_disk.rs
@@ -202,6 +202,17 @@ impl ToDiskOpts {
             .map_err(|e| eyre!("Failed to quote source imgref '{}': {}", source_imgref, e))?
             .to_string();
 
+        // Quote the source image name for local storage operations
+        let quoted_source_image = shlex::try_quote(&self.source_image)
+            .map_err(|e| {
+                eyre!(
+                    "Failed to quote source image '{}': {}",
+                    self.source_image,
+                    e
+                )
+            })?
+            .to_string();
+
         let install_log = self
             .additional
             .install_log
@@ -247,15 +258,31 @@ impl ToDiskOpts {
                 tty=--tty
             fi
 
-            # Execute bootc installation, having the outer podman pull from
-            # the virtiofs store on the host, as well as the inner bootc.
-            # Mount /var/tmp into inner container to avoid cross-device link errors (issue #125)
+            # Workaround for issue #126: Copy image to local storage without signatures.
+            # Write permissive policy to VM's /etc/containers/policy.json and use it for copy.
             export STORAGE_OPTS=additionalimagestore=${AIS}
+            mkdir -p /etc/containers
+            cat > /etc/containers/policy.json <<'EOF'
+{
+  "default": [{"type": "insecureAcceptAnything"}],
+  "transports": {
+    "containers-storage": {"": [{"type": "insecureAcceptAnything"}]},
+    "docker": {"": [{"type": "insecureAcceptAnything"}]}
+  }
+}
+EOF
+
+            # Copy image without signatures to avoid "Would invalidate signatures" error
+            skopeo copy --remove-signatures {SOURCE_IMGREF} containers-storage:{SOURCE_IMAGE}
+
+            # Execute bootc installation using the unsigned local copy
+            # Mount /var/tmp into inner container to avoid cross-device link errors (issue #125)
             podman run --rm -i ${tty} --privileged --pid=host --net=none -v /sys:/sys:ro \
-                 -v /var/lib/containers:/var/lib/containers -v /var/tmp:/var/tmp -v /dev:/dev -v ${AIS}:${AIS} --security-opt label=type:unconfined_t \
+                -v /var/lib/containers:/var/lib/containers -v /var/tmp:/var/tmp -v /dev:/dev -v "${AIS}:${AIS}" \
+                --security-opt label=type:unconfined_t \
                 --env=STORAGE_OPTS \
                 {INSTALL_LOG} \
-                {SOURCE_IMGREF} \
+                containers-storage:{SOURCE_IMAGE} \
                 bootc install to-disk \
                 --generic-image \
                 --skip-fetch-check \
@@ -266,6 +293,7 @@ impl ToDiskOpts {
         "#}
         .replace("{TMPFS_SIZE}", &tmpfs_size_quoted)
         .replace("{SOURCE_IMGREF}", &quoted_source_imgref)
+        .replace("{SOURCE_IMAGE}", &quoted_source_image)
         .replace("{INSTALL_LOG}", &install_log)
         .replace("{BOOTC_ARGS}", &bootc_args);
 
