From patchwork Wed Jun 25 13:54:42 2025
X-Patchwork-Submitter: Clara Kowalsky
X-Patchwork-Id: 4237
From: Clara Kowalsky
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH 2/2] container_fetcher: Verify that tag and digest match
Date: Wed, 25 Jun 2025 15:54:42 +0200
Message-ID: <20250625135442.1420977-2-clara.kowalsky@siemens.com>
In-Reply-To: <20250625135442.1420977-1-clara.kowalsky@siemens.com>
References: <20250625135442.1420977-1-clara.kowalsky@siemens.com>

If a tag and digest are specified for a container image in the SRC_URI, the tag has been ignored until now and the container image with the matching digest is fetched. With this change, the container image is fetched based on the specified tag and it is checked whether the digest matches.
If not, an error is thrown. Signed-off-by: Clara Kowalsky --- meta/lib/container_fetcher.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 16467abb..75366988 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent from bb.fetch2 import NoChecksumError +from bb.fetch2 import ChecksumError from bb.fetch2 import runfetchcmd class Container(FetchMethod): @@ -47,6 +48,22 @@ class Container(FetchMethod): def download(self, ud, d): tarball = ud.localfile[:-len('.zst')] with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir: + # If both tag and digest are provided, verify they match + if ud.digest and ud.tag != "latest": + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + actual_digest = json.loads(inspect_output)["Digest"] + if actual_digest != ud.digest: + messages = [] + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}") + messages.append("If this change is expected (e.g. you have upgraded " \ + "to a new version without updating the checksums) " \ + "then you can use these lines within the recipe:") + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"') + messages.append("Otherwise you should retry the download and/or " \ + "check with upstream to determine if the container image has " \ + "become corrupted or otherwise unexpectedly modified.") + raise ChecksumError("\n".join(messages), ud.url, actual_digest) + # Take a two steps for downloading into a docker archive because # not all source may have the required Docker schema 2 manifest. runfetchcmd("skopeo copy --preserve-digests " + \
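
Review bot: the import hunk (@@ -11,6 +11,7 @@) adds only ChecksumError, yet the new code in download() calls json.loads(). The diffstat shows 17 insertions in total, one here and sixteen in download(), so no json import is part of this patch. Please confirm that json is already imported above line 11 of meta/lib/container_fetcher.py, or add "import json" alongside this change.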
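
Review bot: in the download() hunk, the guard 'if ud.digest and ud.tag != "latest":' skips the check whenever the tag is "latest", so a SRC_URI that explicitly carries tag=latest together with a digest is never verified. That disagrees with the comment directly above it ("If both tag and digest are provided") and with the commit message. Either record whether the tag was given explicitly and test that instead, or state the "latest" exception in the comment and commit message. Two smaller points in the same hunk: ud.container_name and ud.tag are interpolated unquoted into the command string handed to runfetchcmd, so passing them through shlex.quote() would keep an unusual SRC_URI value from being split or interpreted by the shell; and json.loads(inspect_output)["Digest"] raises a bare KeyError or JSONDecodeError on unexpected skopeo output, which would be clearer to the user if turned into a fetch error naming the image. The backslash continuations inside the messages.append(...) parentheses are not needed.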