osbuild/bootc: hard-code container sigpolicy flag

Until we are able to tune this through and install config file, let's
always pass the flag at the osbuild label.

This can be dropped once we have bootc-dev/bootc#2116
in bootc.

Author: jbtrystram

build.sh

@@ -193,27 +193,27 @@ write_archive_info() {
 }
 
 patch_osbuild() {
-    return # No patches at this time
-    ### Add a few patches that either haven't made it into a release or
-    ### that will be obsoleted with other work that will be done soon.
-    ###
-    ### To make it easier to apply patches we'll move around the osbuild
-    ### code on the system first:
-    ##rmdir /usr/lib/osbuild/osbuild
-    ##python_lib_dir=$(ls -d /usr/lib/python*)
-    ##mv "${python_lib_dir}/site-packages/osbuild" /usr/lib/osbuild/
-    ##mkdir -p /usr/lib/osbuild/tools
-    ##mv /usr/bin/osbuild-mpp /usr/lib/osbuild/tools/
-    ### Now all the software is under the /usr/lib/osbuild dir and we can patch
-    ### shellcheck disable=SC2002
-    ##cat \
-    ##    /usr/lib/coreos-assembler/foo.patch \
-    ##        | patch -d /usr/lib/osbuild -p1
-    ### And then move the files back; supermin appliance creation will need it back
-    ### in the places delivered by the RPM.
-    ##mv /usr/lib/osbuild/tools/osbuild-mpp /usr/bin/osbuild-mpp
-    ##mv /usr/lib/osbuild/osbuild "${python_lib_dir}/site-packages/osbuild"
-    ##mkdir -p /usr/lib/osbuild/osbuild
+    #return # No patches at this time
+    # Add a few patches that either haven't made it into a release or
+    # that will be obsoleted with other work that will be done soon.
+    #
+    # To make it easier to apply patches we'll move around the osbuild
+    # code on the system first:
+    rmdir /usr/lib/osbuild/osbuild
+    python_lib_dir=$(ls -d /usr/lib/python*)
+    mv "${python_lib_dir}/site-packages/osbuild" /usr/lib/osbuild/
+    mkdir -p /usr/lib/osbuild/tools
+    mv /usr/bin/osbuild-mpp /usr/lib/osbuild/tools/
+    # Now all the software is under the /usr/lib/osbuild dir and we can patch
+    # shellcheck disable=SC2002
+    cat \
+        /usr/lib/coreos-assembler/0001-bootc-install-to-fs-hardcode-enforce-container-sigpo.patch \
+            | patch -d /usr/lib/osbuild -p1
+    # And then move the files back; supermin appliance creation will need it back
+    # in the places delivered by the RPM.
+    mv /usr/lib/osbuild/tools/osbuild-mpp /usr/bin/osbuild-mpp
+    mv /usr/lib/osbuild/osbuild "${python_lib_dir}/site-packages/osbuild"
+    mkdir -p /usr/lib/osbuild/osbuild
 }
 
 fixup_file_permissions() {

src/0001-bootc-install-to-fs-hardcode-enforce-container-sigpo.patch

@@ -0,0 +1,32 @@
+From 02145c49309b35e98e539f44745873b81858bad8 Mon Sep 17 00:00:00 2001
+From: jbtrystram <jbtrystram@redhat.com>
+Date: Wed, 8 Apr 2026 12:00:38 +0200
+Subject: [PATCH] bootc-install-to-fs: hardcode `enforce-container-sigpolicy`
+ flag
+
+Until this can be tuned through an install-config flag, let's hardcode
+this at the osbuild stage level and carry this patch only in COSA.
+---
+ stages/org.osbuild.bootc.install-to-filesystem | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/stages/org.osbuild.bootc.install-to-filesystem b/stages/org.osbuild.bootc.install-to-filesystem
+index fc5f6cd7..5aa8f934 100755
+--- a/stages/org.osbuild.bootc.install-to-filesystem
++++ b/stages/org.osbuild.bootc.install-to-filesystem
+@@ -65,6 +65,12 @@ def main(options, inputs, paths):
+         if options.get("bootupd-skip-boot-uuid", False):
+             pargs.extend(["--bootupd-skip-boot-uuid"])
+ 
++        # XXX: This is a temporary hack to have bootc
++        # enforcing sigpolicy until it can be done through
++        # an install config knob
++        # See https://github.com/bootc-dev/bootc/pull/2116
++        pargs.extend(["--enforce-container-sigpolicy"])
++
+         # add target and go
+         pargs.append(dst)
+         subprocess.run(pargs, env=env, check=True)
+-- 
+2.53.0
+