From: "'Clara Kowalsky' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH v3 2/2] container_fetcher: Verify that tag and digest match
Date: Fri, 27 Jun 2025 08:53:36 +0200
Message-ID: <20250627065336.2910069-2-clara.kowalsky@siemens.com>
In-Reply-To: <20250627065336.2910069-1-clara.kowalsky@siemens.com>
References: <20250627065336.2910069-1-clara.kowalsky@siemens.com>

If a tag and digest are specified for a container image in the SRC_URI, the tag has been ignored until now and the container image with the matching digest is fetched.
With this change, the container image is fetched based on the specified tag and it is checked whether the digest matches. If not, an error is thrown. Signed-off-by: Clara Kowalsky Reviewed-by: Jan Kiszka --- meta/lib/container_fetcher.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 16467abb..cd1a201a 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent from bb.fetch2 import NoChecksumError +from bb.fetch2 import ChecksumError from bb.fetch2 import runfetchcmd class Container(FetchMethod): 
@@ -47,6 +48,22 @@ class Container(FetchMethod): def download(self, ud, d): tarball = ud.localfile[:-len('.zst')] with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir: + # If both tag and digest are provided, verify they match + if ud.digest and "tag" in ud.parm: + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + actual_digest = json.loads(inspect_output)["Digest"] + if actual_digest != ud.digest: + messages = [] + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}") + messages.append("If this change is expected (e.g. you have upgraded " \ + "to a new version without updating the checksums) " \ + "then you can use these lines within the recipe:") + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"') + messages.append("Otherwise you should retry the download and/or " \ + "check with upstream to determine if the container image has " \ + "become corrupted or otherwise unexpectedly modified.") + raise ChecksumError("\n".join(messages), ud.url, actual_digest) + # Take a two steps for downloading into a docker archive because # not all source may have the required Docker schema 2 manifest. runfetchcmd("skopeo copy --preserve-digests " + \ -- 2.49.0
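Review bot: `json.loads` is called by the new check in download(), but the import hunk (@@ -11,6 +11,7 @@) adds only `from bb.fetch2 import ChecksumError`, and no `import json` is visible in the context shown. Please confirm the module already imports `json` above line 11, or add the import in this patch.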
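Review bot: In download() (@@ -47,6 +48,22 @@), the digest is compared against the result of a separate `skopeo inspect docker://{ud.container_name}:{ud.tag}` call, while the image itself is fetched by the following `skopeo copy --preserve-digests` call, whose source reference is not visible in this hunk. If that copy resolves the tag again, the tag can be moved between the two registry requests and the digest that was checked is not necessarily the one that gets downloaded; please make sure the copy stays pinned to `ud.digest`, or compare against the digest of the copied image instead. It would also help to catch unparsable inspect output or a missing "Digest" key, so that those cases surface as a fetch error rather than a bare JSONDecodeError or KeyError.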