agent: Enable security_validate if required

If we are using the offline_fs_kbc and have created a resource json
then switch security_validate on the image_client to enable
the signature verification feature for image-rs

Fixes: #4581
Signed-off-by: stevenhorsman <steven@uk.ibm.com>

src/agent/src/image_rpc.rs

@@ -35,6 +35,7 @@ const OCICRYPT_CONFIG_PATH: &str = "/tmp/ocicrypt_config.json";
 const KATA_CC_IMAGE_WORK_DIR: &str = "/run/image/";
 const KATA_CC_PAUSE_BUNDLE: &str = "/pause_bundle";
 const CONFIG_JSON: &str = "config.json";
+const OFFLINE_FS_KBC_RESOURCE_PATH: &str = "/etc/aa-offline_fs_kbc-resources.json";
 
 // Convenience macro to obtain the scope logger
 macro_rules! sl {
@@ -273,6 +274,14 @@ impl ImageService {
 
             Self::unpack_image(&cid)?;
         } else {
+            // TODO #4888 - Create a better way to enable signature verification. This is temporary for the PoC
+            if aa_kbc_params.eq("offline_fs_kbc::null")
+                && Path::new(OFFLINE_FS_KBC_RESOURCE_PATH).exists()
+            {
+                info!(sl!(), "Enabling security_validate on image_client");
+                self.image_client.lock().await.config.security_validate = true;
+            }
+
             let bundle_path = Path::new(CONTAINER_BASE).join(&cid);
             fs::create_dir_all(&bundle_path)?;