install/57629: mkimage images don't have trust anchors configured (armv7.img, arm64.img, ...)

[campbell+netbsd%mumble.net@localhost]

>Number:         57629
>Category:       install
>Synopsis:       mkimage images don't have trust anchors configured (armv7.img, arm64.img, ...)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    install-manager
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Mon Sep 25 20:35:01 +0000 2023
>Originator:     Taylor R Campbell
>Release:        current, netbsd-10
>Organization:
The NetBSD Foundification Nonauthority
>Environment:
>Description:
Nothing in the mkimage process -- either image creation or initial boot -- causes postinstall or certctl to generate the hashed directory of certificates.
>How-To-Repeat:
code inspection
>Fix:
Yes, please!

1. Can't do certctl rehash at build time because we don't have openssl as a tool.
2. Would strongly prefer not to do certctl rehash unconditionally at boot time because I don't want to create new reasons to require /etc to be writable during normal boot.
3. Everyone would probably prefer not to do `postinstall check' unconditionally at boot time (as a way to test whether we need to do `postinstall fix' or `certctl rehash') because it's fairly expensive -- it rehashes into a temporary directory to see whether anything changed, which is somewhat computationally expensive.
4. For reliability, I would like to avoid writing logic for a `certctl check' or something (other than what `postinstall check' already does) because there's a lot of edge cases to get right and I'd really rather defer that to mtree(8) like `postinstall check' does.