From patchwork Fri Jun 27 06:53:36 2025
X-Patchwork-Submitter: Clara Kowalsky
X-Patchwork-Id: 4248
From: Clara Kowalsky
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH v3 2/2] container_fetcher: Verify that tag and digest match
Date: Fri, 27 Jun 2025 08:53:36 +0200
Message-ID: <20250627065336.2910069-2-clara.kowalsky@siemens.com>
In-Reply-To: <20250627065336.2910069-1-clara.kowalsky@siemens.com>
References: <20250627065336.2910069-1-clara.kowalsky@siemens.com>

If a tag and digest are specified for a container image in the SRC_URI, the tag has been ignored until now and the container image with the matching digest is fetched. With this change, the container image is fetched based on the specified tag and it is checked whether the digest matches.
If not, an error is thrown. Signed-off-by: Clara Kowalsky Reviewed-by: Jan Kiszka --- meta/lib/container_fetcher.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 16467abb..cd1a201a 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent from bb.fetch2 import NoChecksumError +from bb.fetch2 import ChecksumError from bb.fetch2 import runfetchcmd class Container(FetchMethod): @@ -47,6 +48,22 @@ class Container(FetchMethod): def download(self, ud, d): tarball = ud.localfile[:-len('.zst')] with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir: + # If both tag and digest are provided, verify they match + if ud.digest and "tag" in ud.parm: + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + actual_digest = json.loads(inspect_output)["Digest"] + if actual_digest != ud.digest: + messages = [] + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}") + messages.append("If this change is expected (e.g. you have upgraded " \ + "to a new version without updating the checksums) " \ + "then you can use these lines within the recipe:") + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"') + messages.append("Otherwise you should retry the download and/or " \ + "check with upstream to determine if the container image has " \ + "become corrupted or otherwise unexpectedly modified.") + raise ChecksumError("\n".join(messages), ud.url, actual_digest) + # Take a two steps for downloading into a docker archive because # not all source may have the required Docker schema 2 manifest. runfetchcmd("skopeo copy --preserve-digests " + \
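Review bot: the new check in download() verifies a digest obtained from a separate `skopeo inspect docker://{ud.container_name}:{ud.tag}` call, not the digest of what the following `skopeo copy --preserve-digests` actually retrieves. If the copy fetches by tag, as the commit message says it now does, the tag is resolved twice, and a registry that re-points the tag between the two calls (or serves different manifests to the two requests) passes the check while a different image lands in DL_DIR. Compare ud.digest against the manifest of the copied archive after the copy (or copy by digest and keep the tag lookup as the consistency check), so the value that raises ChecksumError is derived from the bytes that were written. Two smaller points in the same hunk: json.loads() is used but the import hunk only adds `from bb.fetch2 import ChecksumError`, so confirm `import json` is already present in container_fetcher.py; and the hint text says "retry the download" although at that point nothing has been downloaded yet, so it should refer to re-running the tag lookup instead.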
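As an added illustration of the tag/digest consistency check the commit message describes (this is example code written for this page, not code from Isar's container_fetcher.py or from the patch above): a standalone verifier that parses the `docker://<name>;tag=...;digest=...` parameter style and compares the pinned digest against the SHA-256 of the manifest bytes that were actually fetched, rather than against a separate lookup. The registry name, the URI and the manifest content are constructed for the example and no network access is needed.

```python
import hashlib
import json
import re

# Registry digests are "sha256:" followed by 64 lowercase hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample: a minimal OCI image manifest as a registry would serve it.
# The config/layer digests inside it are placeholders, not real images.
SAMPLE_MANIFEST = (
    b'{"schemaVersion":2,'
    b'"mediaType":"application/vnd.oci.image.manifest.v1+json",'
    b'"config":{"mediaType":"application/vnd.oci.image.config.v1+json",'
    b'"digest":"sha256:' + b"a" * 64 + b'","size":1234},'
    b'"layers":[{"mediaType":"application/vnd.oci.image.layer.v1.tar+gzip",'
    b'"digest":"sha256:' + b"b" * 64 + b'","size":56789}]}'
)


def parse_container_src_uri(uri):
    """Split 'docker://<name>;key=value;...' into (name, {key: value}).

    The ';key=value' style mirrors BitBake SRC_URI syntax; this is an
    example parser, not the fetcher's own urldata handling.
    """
    if not uri.startswith("docker://"):
        raise ValueError(f"not a docker:// URI: {uri!r}")
    name, *rest = uri[len("docker://"):].split(";")
    if not name:
        raise ValueError(f"missing image name in {uri!r}")
    params = {}
    for item in rest:
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed parameter {item!r} in {uri!r}")
        params[key] = value
    return name, params


def manifest_digest(raw_manifest):
    """Digest of a manifest as registries define it: SHA-256 over the exact
    bytes served. Never re-serialize the JSON first; that changes the hash."""
    return "sha256:" + hashlib.sha256(raw_manifest).hexdigest()


def check_pinned_digest(uri, raw_manifest):
    """Verify that the manifest fetched for <name>:<tag> carries the digest
    pinned in the URI. Returns the digest on success and raises ValueError
    with an actionable message on mismatch or malformed input."""
    name, params = parse_container_src_uri(uri)
    tag, pinned = params.get("tag"), params.get("digest")
    if tag is None or pinned is None:
        raise ValueError("both ;tag= and ;digest= must be given for this check")
    if not DIGEST_RE.match(pinned):
        raise ValueError(f"pinned digest {pinned!r} is not of the form sha256:<hex>")
    # Reject garbage early: a manifest must at least be a JSON object with a
    # schemaVersion. The digest itself is still taken over the raw bytes.
    doc = json.loads(raw_manifest)
    if not isinstance(doc, dict) or "schemaVersion" not in doc:
        raise ValueError(f"fetched data for {name}:{tag} is not an image manifest")
    actual = manifest_digest(raw_manifest)
    if actual != pinned:
        raise ValueError(
            f"Checksum mismatch for {name}:{tag}\n"
            f"  pinned: {pinned}\n"
            f"  actual: {actual}\n"
            "If this change is expected, update the recipe to:\n"
            f'SRC_URI = "docker://{name};digest={actual};tag={tag}"'
        )
    return actual


def pinned_digest_matches(uri, raw_manifest):
    """Boolean wrapper around check_pinned_digest for callers that only
    need a verdict."""
    try:
        check_pinned_digest(uri, raw_manifest)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    good_uri = ("docker://registry.example.org/team/app;tag=1.2.3;digest="
                + manifest_digest(SAMPLE_MANIFEST))
    print("ok:", check_pinned_digest(good_uri, SAMPLE_MANIFEST))
    # A single extra byte changes the digest: the tag now points elsewhere.
    print("tampered matches:", pinned_digest_matches(good_uri, SAMPLE_MANIFEST + b"\n"))
```

The reason to hash the raw bytes is that a registry digest is defined over the manifest exactly as served; passing it through json.dumps changes whitespace and key order and yields a different value. Used inside a fetcher, the check would run on the manifest of the archive that `skopeo copy` produced, which closes the gap between resolving a tag with `skopeo inspect` and copying it in a second request.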