[1/2] container_fetcher: Fix missing checksum warning

Message ID 20250625135442.1420977-1-clara.kowalsky@siemens.com
State Superseded, archived
Series [1/2] container_fetcher: Fix missing checksum warning

Commit Message

Clara Kowalsky June 25, 2025, 1:54 p.m. UTC
In case only a tag is specified for a container image in the SRC_URI and
no digest, a warning should be issued with the recommendation to add the
digest of the container image.
So far, the number specified in the warning would be the checksum of the
manifest.json, which is a metadata file. However, we want to show the
registry digest, which is calculated over the complete image content.
In addition, reading the manifest.json does not work at this point
anyway, as skopeo has already packed it into a Docker archive.

Signed-off-by: Clara Kowalsky <clara.kowalsky@siemens.com>
---
 meta/lib/container_fetcher.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

Comments

Jan Kiszka June 25, 2025, 3:42 p.m. UTC | #1
On 25.06.25 15:54, Clara Kowalsky wrote:
> In case only a tag is specified for a container image in the SRC_URI and
> no digest, a warning should be issued with the recommendation to add the
> digest of the container image.
> So far, the number specified in the warning would be the checksum of the
> manifest.json, which is a metadata file. However, we want to show the
> registry digest, which is calculated over the complete image content.

Actually, we were presenting the digest of the architecture-specific
image that happened to be fetched first, not that of the manifest
describing images for all supported archs of this tag. I would recommend
updating that.

But the conclusion remains correct: We need the latter, not the former.

Jan

> In addition, reading the manifest.json does not work at this point
> anyway, as skopeo has already packed it into a Docker archive.
> 
> Signed-off-by: Clara Kowalsky <clara.kowalsky@siemens.com>
> ---
>  meta/lib/container_fetcher.py | 10 ++++++----
>  1 file changed, 6 insertions(+), 4 deletions(-)
> 
> diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
> index 0d659154..16467abb 100644
> --- a/meta/lib/container_fetcher.py
> +++ b/meta/lib/container_fetcher.py
> @@ -6,6 +6,7 @@
>  import oe.path
>  import os
>  import tempfile
> +import json
>  from   bb.fetch2 import FetchMethod
>  from   bb.fetch2 import logger
>  from   bb.fetch2 import MissingChecksumEvent
> @@ -60,16 +61,17 @@ class Container(FetchMethod):
>          if ud.digest:
>              return
>  
> -        checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json")
> -        checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\""
> +        inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
> +        digest = json.loads(inspect_output)["Digest"]
>  
> +        checksum_line = f'SRC_URI = "{ud.url};digest={digest}"'
>          strict = d.getVar("BB_STRICT_CHECKSUM") or "0"
>  
>          # If strict checking enabled and neither sum defined, raise error
>          if strict == "1":
>              raise NoChecksumError(checksum_line)
>  
> -        checksum_event = {"sha256sum": checksum}
> +        checksum_event = {"sha256sum": digest}
>          bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d)
>  
>          if strict == "ignore":
> @@ -77,7 +79,7 @@ class Container(FetchMethod):
>  
>          # Log missing digest so user can more easily add it
>          logger.warning(
> -            f"Missing checksum for '{ud.localpath}', consider using this " \
> +            f"Missing checksum for '{ud.url}', consider using this " \
>              f"SRC_URI in the recipe:\n{checksum_line}")
>  
>      def unpack(self, ud, rootdir, d):

Patch

diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
index 0d659154..16467abb 100644
--- a/meta/lib/container_fetcher.py
+++ b/meta/lib/container_fetcher.py
@@ -6,6 +6,7 @@ 
 import oe.path
 import os
 import tempfile
+import json
 from   bb.fetch2 import FetchMethod
 from   bb.fetch2 import logger
 from   bb.fetch2 import MissingChecksumEvent
@@ -60,16 +61,17 @@  class Container(FetchMethod):
         if ud.digest:
             return
 
-        checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json")
-        checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\""
+        inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
+        digest = json.loads(inspect_output)["Digest"]
 
+        checksum_line = f'SRC_URI = "{ud.url};digest={digest}"'
         strict = d.getVar("BB_STRICT_CHECKSUM") or "0"
 
         # If strict checking enabled and neither sum defined, raise error
         if strict == "1":
             raise NoChecksumError(checksum_line)
 
-        checksum_event = {"sha256sum": checksum}
+        checksum_event = {"sha256sum": digest}
         bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d)
 
         if strict == "ignore":
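Review bot: the value carried in MissingChecksumEvent silently changes format in this hunk: `checksum_event = {"sha256sum": digest}` now passes the skopeo `Digest` string, which already carries the `sha256:` prefix (visible from `checksum_line` no longer prepending it), whereas the removed `checksum` was bare hex. Any event listener treating `sha256sum` as a bare hash will now receive a prefixed string; either strip the prefix for the event (`digest.split(":", 1)[1]`) or state the new format in the commit message. A second point on `runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)`: this resolves the tag again in a separate registry request, independent of the download that already produced `ud.localpath`, so if the tag is moved between the two calls the digest recommended to the user will not describe the content that was actually fetched; recording the digest from the fetch itself, or noting in the warning that the suggestion should be checked against the fetched image, would close that gap. Finally, `json.loads(inspect_output)["Digest"]` surfaces as a bare KeyError if the inspect output lacks that field, which is less helpful than the FetchError the rest of this method raises.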
@@ -77,7 +79,7 @@  class Container(FetchMethod):
 
         # Log missing digest so user can more easily add it
         logger.warning(
-            f"Missing checksum for '{ud.localpath}', consider using this " \
+            f"Missing checksum for '{ud.url}', consider using this " \
             f"SRC_URI in the recipe:\n{checksum_line}")
 
     def unpack(self, ud, rootdir, d):
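Review bot: style point on the touched `logger.warning(` call: the trailing `" \` continuation is redundant inside the parentheses, since adjacent string literals are concatenated across lines anyway, so the backslash can be dropped while this line is being rewritten. Reporting `ud.url` rather than `ud.localpath` is the right call here, as the URL is what the user has to edit in the recipe.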