From 0510b0c1a78d3d938f64afa997fdb31c1d53ba7b Mon Sep 17 00:00:00 2001 From: Kyle MacLeod Date: Wed, 28 Jun 2023 16:36:15 -0400 Subject: [PATCH] Support gpg-verify=false for subcloud remote ostree pull This commit supports the developer use-case of a system controller ostree repo configured with gpg-verify=false. In such cases, the subcloud ostree repo instances must also be configured with gpg-verify=false, or the ostree pull will fail. We detect the boot parameter 'instgpg=0'. In which case we configure the ostree repo with gpg-verify=false. The instgpg=0 parameter is also detected by LAT /install, which handles the LAT side of the ostree repo configuration. Test Plan: PASS: - Install subcloud with non-GPG signed ostree commits present on system controller. Ensure the ostree pull is successful on subcloud, with a successful install. - Ensure normal subcloud installation is successful Story: 2010611 Task: 48309 Signed-off-by: Kyle MacLeod Change-Id: I40a0823ed1fc868aa5d4fb7686f1648440664037
---
 kickstart/files/miniboot.cfg | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/kickstart/files/miniboot.cfg b/kickstart/files/miniboot.cfg
index 15df1e34..4aa48efa 100644
--- a/kickstart/files/miniboot.cfg
+++ b/kickstart/files/miniboot.cfg
@@ -2162,6 +2162,11 @@ else
 ilog "Configuring ostree for unverified SSL"
 ostree config --repo=${repo} set "remote \"${instbr}\"".tls-permissive true
 fi
+ # Check for instgpg=0 in boot arguments.
+ if grep -q 'instgpg=0' /proc/cmdline 2>/dev/null; then
+ ilog "Configuring ostree for unverified GPG (gpg-verify=false)"
+ ostree config --repo=${repo} set "remote \"${instbr}\"".gpg-verify false
+ fi
 ilog "Executing: ostree --repo=${repo} pull --depth=-1 --mirror ${instbr}:${instbr}"
 ostree --repo=${repo} pull --depth=-1 --mirror ${instbr}:${instbr}
 
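Review bot: The added `grep -q 'instgpg=0' /proc/cmdline` is an unanchored substring test, so a boot argument that merely contains that text (for example `instgpg=01`, or a longer parameter name ending in `instgpg=0`) also turns off commit signature verification for the remote; matching the whole token avoids that, `if grep -qE '(^|[[:space:]])instgpg=0([[:space:]]|$)' /proc/cmdline 2>/dev/null; then`. The same test is repeated in the second hunk (@@ -2185). When the tls-permissive branch shown just above has also run, the pull is left with neither transport nor signature checking, and since `ostree config set` writes into the repo config the value presumably stays in effect after the install. A comment stating that this is a developer-only setting, plus a more prominent log line, would make that visible to whoever reads the install log. The enclosing `else` branch starts and ends outside the hunk.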
@@ -2185,6 +2190,10 @@ else
 ilog "Configuring ostree for unverified SSL"
 ostree config --repo=${repo} set "remote \"${instbr}\"".tls-permissive true
 fi
+ if grep -q 'instgpg=0' /proc/cmdline 2>/dev/null; then
+ ilog "Configuring ostree for unverified GPG (gpg-verify=false)"
+ ostree config --repo=${repo} set "remote \"${instbr}\"".gpg-verify false
+ fi
 ilog "Executing ostree pull from ${remote_insturl}:"
 ilog "ostree --repo=${repo} pull --depth=-1 --mirror ${instbr}:${instbr}"
 ostree --repo=${repo} pull --depth=-1 --mirror ${instbr}:${instbr}
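Review bot: These four added lines are a verbatim copy of the block added in the first hunk (@@ -2162), minus the `# Check for instgpg=0 in boot arguments.` comment that the first copy carries, so the two pull paths can drift apart on a setting that controls signature verification. Defining the check once as a small function that reads `${repo}` and `${instbr}`, and calling it before each `ostree ... pull`, would keep them in step. Whether a function defined elsewhere in the kickstart is visible in this section cannot be told from the hunk, so it may have to live in the same section. At minimum the comment from the first copy should be repeated here. The surrounding `else` branch starts and ends outside the hunk.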