From: "'Clara Kowalsky' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH v2 2/2] container_fetcher: Verify that tag and digest match
Date: Thu, 26 Jun 2025 16:07:31 +0200
Message-ID: <20250626140731.2732545-2-clara.kowalsky@siemens.com>
In-Reply-To: <20250626140731.2732545-1-clara.kowalsky@siemens.com>

If a tag and digest are specified for a container image in the SRC_URI, the tag has been ignored until now and the container image with the matching digest is fetched.
With this change, the container image is fetched based on the specified tag and it is checked whether the digest matches. If not, an error is thrown. Signed-off-by: Clara Kowalsky --- meta/lib/container_fetcher.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 16467abb..08766742 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent from bb.fetch2 import NoChecksumError +from bb.fetch2 import ChecksumError from bb.fetch2 import runfetchcmd class Container(FetchMethod): 
@@ -47,6 +48,22 @@ class Container(FetchMethod): def download(self, ud, d): tarball = ud.localfile[:-len('.zst')] with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir: + # If both tag and digest are provided, verify they match + if ud.digest and not "tag" in ud.parm: + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + actual_digest = json.loads(inspect_output)["Digest"] + if actual_digest != ud.digest: + messages = [] + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}") + messages.append("If this change is expected (e.g. you have upgraded " \ + "to a new version without updating the checksums) " \ + "then you can use these lines within the recipe:") + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"') + messages.append("Otherwise you should retry the download and/or " \ + "check with upstream to determine if the container image has " \ + "become corrupted or otherwise unexpectedly modified.") + raise ChecksumError("\n".join(messages), ud.url, actual_digest) + # Take a two steps for downloading into a docker archive because # not all source may have the required Docker schema 2 manifest. runfetchcmd("skopeo copy --preserve-digests " + \ -- 2.49.0
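
Review bot: In the import hunk (@@ -11,6 +11,7 @@), only `ChecksumError` is added, while the new check in download() calls `json.loads`. The context shown starts at line 11 of the file, so please confirm that `import json` is already present above it; if not, add it in this patch so the mismatch path does not fail with a NameError instead of the intended ChecksumError.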
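
Review bot: In download() (@@ -47,6 +48,22 @@), the guard `if ud.digest and not "tag" in ud.parm:` reads as the opposite of the comment above it ("If both tag and digest are provided"): as written, the `skopeo inspect` check runs only when "tag" is absent from ud.parm. If the tag is removed from ud.parm earlier in code not shown in this hunk, please say so in the comment; otherwise test `"tag" in ud.parm`. If the negation stays, `"tag" not in ud.parm` is the idiomatic form. A second point on the same block: the tag is resolved to a digest by a separate inspect call before the `skopeo copy`, so if the copy then pulls by tag, the tag can move between the two calls and the copied image is no longer the one that was checked. Copying by the verified digest, or comparing the digest of what was actually copied, would close that gap.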