From: "'Clara Kowalsky' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH 2/2] container_fetcher: Verify that tag and digest match
Date: Wed, 25 Jun 2025 15:54:42 +0200
Message-ID: <20250625135442.1420977-2-clara.kowalsky@siemens.com>
In-Reply-To: <20250625135442.1420977-1-clara.kowalsky@siemens.com>
References: <20250625135442.1420977-1-clara.kowalsky@siemens.com>

If a tag and digest are specified for a container image in the SRC_URI, the tag has been ignored until now and the container image with the matching digest is fetched.
With this change, the container image is fetched based on the specified tag and it is checked whether the digest matches. If not, an error is thrown. Signed-off-by: Clara Kowalsky --- meta/lib/container_fetcher.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 16467abb..75366988 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent from bb.fetch2 import NoChecksumError +from bb.fetch2 import ChecksumError from bb.fetch2 import runfetchcmd class Container(FetchMethod): 
@@ -47,6 +48,22 @@ class Container(FetchMethod): def download(self, ud, d): tarball = ud.localfile[:-len('.zst')] with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir: + # If both tag and digest are provided, verify they match + if ud.digest and ud.tag != "latest": + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + actual_digest = json.loads(inspect_output)["Digest"] + if actual_digest != ud.digest: + messages = [] + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}") + messages.append("If this change is expected (e.g. you have upgraded " \ + "to a new version without updating the checksums) " \ + "then you can use these lines within the recipe:") + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"') + messages.append("Otherwise you should retry the download and/or " \ + "check with upstream to determine if the container image has " \ + "become corrupted or otherwise unexpectedly modified.") + raise ChecksumError("\n".join(messages), ud.url, actual_digest) + # Take a two steps for downloading into a docker archive because # not all source may have the required Docker schema 2 manifest. runfetchcmd("skopeo copy --preserve-digests " + \ -- 2.49.0
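
Review bot: The import hunk (@@ -11,6 +11,7 @@) adds only `from bb.fetch2 import ChecksumError`, yet the new block in download() calls `json.loads(inspect_output)`. The diffstat's 17 insertions are fully accounted for by that one import plus the 16 lines in download(), so no `import json` is added by this patch. Please confirm that container_fetcher.py already imports json at module level, or add the import here. Otherwise the first fetch with both tag and digest set fails with a NameError instead of the intended ChecksumError.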
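
Review bot: In the download() hunk (@@ -47,6 +48,22 @@) the guard `if ud.digest and ud.tag != "latest":` skips the new check whenever the tag is "latest", so a recipe that explicitly writes tag=latest together with a digest is not verified, although the comment and the commit message say the check applies whenever both are given. If "latest" is excluded because it is the default for a missing tag (an assumption, the default is not visible in this hunk), record whether the tag was set explicitly and test that instead, or state the exception in the comment. Two smaller points on the same block. First, the `skopeo copy --preserve-digests` call below is unchanged context, so this hunk verifies what the tag resolves to at inspect time but does not change which reference is downloaded. Keeping the copy pinned to ud.digest makes the verified and the fetched content the same object, and the commit message's "fetched based on the specified tag" should be reworded to match. Second, ud.container_name and ud.tag are interpolated unquoted into the command string given to runfetchcmd. Passing them through shlex.quote would keep a malformed SRC_URI value from altering the command.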