Re: [PATCH v2 2/2] container_fetcher: Verify that tag and digest match

["'Clara Kowalsky' via isar-users" <isar-users@googlegroups.com>]

On 26.06.25 18:00, Jan Kiszka wrote:
> On 26.06.25 16:07, Clara Kowalsky wrote:
>> If a tag and digest are specified for a container image in the SRC_URI,
>> the tag is ignored until now and the container image with the matching
>> digest is fetched.
>> With this change, the container image is fetched based on the specified
>> tag and it is checked whether the digest matches. If not, an error is
>> thrown.
>>
>> Signed-off-by: Clara Kowalsky <clara.kowalsky@siemens.com>
>> ---
>>   meta/lib/container_fetcher.py | 17 +++++++++++++++++
>>   1 file changed, 17 insertions(+)
>>
>> diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
>> index 16467abb..08766742 100644
>> --- a/meta/lib/container_fetcher.py
>> +++ b/meta/lib/container_fetcher.py
>> @@ -11,6 +11,7 @@ from   bb.fetch2 import FetchMethod
>>   from   bb.fetch2 import logger
>>   from   bb.fetch2 import MissingChecksumEvent
>>   from   bb.fetch2 import NoChecksumError
>> +from   bb.fetch2 import ChecksumError
>>   from   bb.fetch2 import runfetchcmd
>>   
>>   class Container(FetchMethod):
>> @@ -47,6 +48,22 @@ class Container(FetchMethod):
>>       def download(self, ud, d):
>>           tarball = ud.localfile[:-len('.zst')]
>>           with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir:
>> +            # If both tag and digest are provided, verify they match
>> +            if ud.digest and not "tag" in ud.parm:
> 
> Hmm, I'm confused by my own suggestion right now: Did you test that
> again? Don't we rather need
> 
> if ud.digest and "tag" in ud.parm:
> 
> ?

Forgot to fully test this.. Yes, the v2 is not working. With "if 
ud.digest and not "tag" in ud.parm:", we only enter this case if no tag 
is specified in the SRC_URI, which is not what we want. The digest is 
then compared to the digest of "latest"...

Tested with "if ud.digest and "tag" in ud.parm:": This is correct, it 
means we have a tag and a digest explicitly specified in the SRC_URI and 
then we want to do the "skopeo inspect" to check for a mismatch.
Sending v3 with this change + Reviewed-By.

BR,
Clara

> 
>> +                inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
>> +                actual_digest = json.loads(inspect_output)["Digest"]
>> +                if actual_digest != ud.digest:
>> +                    messages = []
>> +                    messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
>> +                    messages.append("If this change is expected (e.g. you have upgraded " \
>> +                                "to a new version without updating the checksums) " \
>> +                                "then you can use these lines within the recipe:")
>> +                    messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
>> +                    messages.append("Otherwise you should retry the download and/or " \
>> +                                "check with upstream to determine if the container image has " \
>> +                                "become corrupted or otherwise unexpectedly modified.")
>> +                    raise ChecksumError("\n".join(messages), ud.url, actual_digest)
>> +
>>               # Take a two steps for downloading into a docker archive because
>>               # not all source may have the required Docker schema 2 manifest.
>>               runfetchcmd("skopeo copy --preserve-digests " + \
> 
> Jan
> 

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/953efeec-e0a3-41a9-a849-e5cc55bed601%40siemens.com.