Handling access to authenticated remote repositories

  1. Using mutual TLS
  2. Using basic authentication
  3. Using cookies

There is no default concept of an “ostree server”; ostree expects to talk to a generic webserver, so any tool and technique applicable for generic HTTP can also apply to fetching content via OSTree’s builtin HTTP client.

Using mutual TLS

The tls-client-cert-path and tls-client-key-path remote options expose the underlying HTTP code's support for mutual TLS.

Each device can be provisioned with a secret key which grants it access to the webserver.
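The following audit is an added example, not part of ostree or its documentation: it parses a repo config and checks every remote that sets the two options above. The tls-permissive option is a real ostree remote option not mentioned on this page; the remote names, URL and file paths in the sample are constructed placeholders.

```python
import configparser
import os
import stat

def audit_remote_tls(config_text):
    """Return {remote: [findings]} for remotes that set a TLS client cert or key."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(config_text)
    report = {}
    for section in cp.sections():
        if not (section.startswith('remote "') and section.endswith('"')):
            continue
        name = section[len('remote "'):-1]
        opts = cp[section]
        cert = opts.get("tls-client-cert-path")
        key = opts.get("tls-client-key-path")
        if not cert and not key:
            continue  # remote does not use mutual TLS
        findings = []
        if not (cert and key):
            findings.append("tls-client-cert-path and tls-client-key-path must be set together")
        if not opts.get("url", "").startswith("https://"):
            findings.append("url is not https, so no client certificate is presented")
        if opts.get("tls-permissive", "false").strip().lower() == "true":
            findings.append("tls-permissive=true accepts any server certificate")
        if key:
            try:
                # The device secret should be readable by its owner only.
                mode = stat.S_IMODE(os.stat(key).st_mode)
                if mode & 0o077:
                    findings.append(f"key file mode {mode:o} grants access beyond the owner")
            except OSError:
                findings.append("key file is missing or cannot be inspected")
        report[name] = findings
    return report

# Constructed sample config; remote name, URL and file path are placeholders.
SAMPLE_CONFIG = """\
[core]
repo_version=1
mode=bare

[remote "lab"]
url=http://ostree.example.com/repo
tls-permissive=true
tls-client-cert-path=/nonexistent/device.crt
"""

if __name__ == "__main__":
    for remote, findings in audit_remote_tls(SAMPLE_CONFIG).items():
        print(remote, findings or "ok")
```

An empty findings list means the remote's mutual TLS settings passed every check; remotes without either option are skipped.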

Using basic authentication

The client supports HTTP basic authentication, but this has well-known management drawbacks.

Using cookies

Since this pull request, ostree supports adding cookies to a remote configuration. This can be used with e.g. Amazon CloudFront.