From patchwork Thu Jun 26 14:07:31 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Clara Kowalsky
X-Patchwork-Id: 4245
From: Clara Kowalsky
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH v2 2/2] container_fetcher: Verify that tag and digest match
Date: Thu, 26 Jun 2025 16:07:31 +0200
Message-ID: <20250626140731.2732545-2-clara.kowalsky@siemens.com>
In-Reply-To: <20250626140731.2732545-1-clara.kowalsky@siemens.com>
References: <20250626140731.2732545-1-clara.kowalsky@siemens.com>

If a tag and digest are specified for a container image in the SRC_URI,
the tag has been ignored until now and the container image with the
matching digest has been fetched.
With this change, the container image is fetched based on the specified tag and it is checked whether the digest matches. If not, an error is thrown. Signed-off-by: Clara Kowalsky --- meta/lib/container_fetcher.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 16467abb..08766742 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent from bb.fetch2 import NoChecksumError +from bb.fetch2 import ChecksumError from bb.fetch2 import runfetchcmd class Container(FetchMethod): @@ -47,6 +48,22 @@ class Container(FetchMethod): def download(self, ud, d): tarball = ud.localfile[:-len('.zst')] with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir: + # If both tag and digest are provided, verify they match + if ud.digest and not "tag" in ud.parm: + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + actual_digest = json.loads(inspect_output)["Digest"] + if actual_digest != ud.digest: + messages = [] + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}") + messages.append("If this change is expected (e.g. you have upgraded " \ + "to a new version without updating the checksums) " \ + "then you can use these lines within the recipe:") + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"') + messages.append("Otherwise you should retry the download and/or " \ + "check with upstream to determine if the container image has " \ + "become corrupted or otherwise unexpectedly modified.") + raise ChecksumError("\n".join(messages), ud.url, actual_digest) + # Take a two steps for downloading into a docker archive because # not all source may have the required Docker schema 2 manifest. runfetchcmd("skopeo copy --preserve-digests " + \
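Review bot: The import hunk adds only `from bb.fetch2 import ChecksumError`, while the new code in download() calls `json.loads(inspect_output)`. No `import json` is visible in the context lines of this hunk, so please confirm the module already imports it further up; otherwise the first digest check will fail with a NameError instead of the intended ChecksumError.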
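Review bot: In the download() hunk, the guard `if ud.digest and not "tag" in ud.parm:` runs the check only when no tag parameter was given, which contradicts the comment directly above it ("If both tag and digest are provided") and the commit message. As written, a SRC_URI that carries both digest and tag skips the verification entirely; the condition presumably should be `if ud.digest and "tag" in ud.parm:`. Two further points on the same block. First, `skopeo inspect` and the `skopeo copy` that follows are separate registry requests, so if the copy pulls by tag, a tag that is moved between the two calls passes the check and a different image is downloaded; copying by the verified digest, or comparing the digest of what was actually downloaded, would close that window. Second, the error message prints only `actual_digest`; adding the expected `ud.digest` to the "Checksum mismatch" line would make it clear from the log alone which value the recipe pinned and which one the registry returned.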