app/deploy: Add --skip-branch-check

[jlebon]

In Fedora CoreOS, updates are driven by Zincati and we thus completely
trust the information it gives us. The branch validation rpm-ostree does
is thus not necessary. It's also harmful in the case where the node is
extremely out of date because it may not be able to GPG verify the
commit at the tip of the branch (because the GPG key isn't yet in the
tree).

See: coreos/fedora-coreos-tracker#749

[lucab]

Cleared some doubts I had out-of-band, LGTM, but leaving some room if anybody else wants to review.

[cgwalters]

I'm OK with this. However: zincati metadata is only protected via standard TLS. Basically we're weakening our story around branch hijack attacks to TLS, and not TLS + GPG.

It'd help a lot for us to add an explicit offline signing to the Cincinnati metadata too.

[jlebon]

Basically we're weakening our story around branch hijack attacks to TLS, and not TLS + GPG.

The thing is, branches are not actually super valuable for FCOS. Ultimately, we have to trust the commit hash that Zincati feeds us, because it's the update driver. Zincati isn't OSTree branch-aware and in the end the branches are more of an implementation detail. If we had coreos/zincati#498 for example, one could imagine actually doing the same thing the MCO does and pinning to commits (and then e.g. rpm-ostree upgrade would still work). Not saying we should do that, but we wouldn't be losing very much.

Note also that coreos/fedora-coreos-tracker#749 is proposing to have Zincati verify that the target commit is on the same stream, which ultimately is what we care most about from the value rpm-ostree's branch checking provided us.

It'd help a lot for us to add an explicit offline signing to the Cincinnati metadata too.

Yeah, agreed. Will file a tracker issue for this (since I can't find one already filed for it) to make sure it doesn't get lost. OK, filed coreos/fedora-coreos-tracker#826.