From: Clara Kowalsky
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH 1/2] container_fetcher: Fix missing checksum warning
Date: Wed, 25 Jun 2025 15:54:41 +0200
Message-ID: <20250625135442.1420977-1-clara.kowalsky@siemens.com>

In case only a tag is specified for a container image in the SRC_URI and no digest, a warning should be issued with the recommendation to add the digest of the container image. So far, the number specified in the warning would be the checksum of the manifest.json, which is a metadata file. However, we want to show the registry digest, which is calculated over the complete image content.
In addition, reading the manifest.json does not work at this point anyway, as skopeo has already packed it into a Docker archive. Signed-off-by: Clara Kowalsky --- meta/lib/container_fetcher.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 0d659154..16467abb 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -6,6 +6,7 @@ import oe.path import os import tempfile +import json from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent @@ -60,16 +61,17 @@ class Container(FetchMethod): if ud.digest: return - checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json") - checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\"" + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + digest = json.loads(inspect_output)["Digest"] + checksum_line = f'SRC_URI = "{ud.url};digest={digest}"' strict = d.getVar("BB_STRICT_CHECKSUM") or "0" # If strict checking enabled and neither sum defined, raise error if strict == "1": raise NoChecksumError(checksum_line) - checksum_event = {"sha256sum": checksum} + checksum_event = {"sha256sum": digest} bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d) if strict == "ignore": 
@@ -77,7 +79,7 @@ class Container(FetchMethod): # Log missing digest so user can more easily add it logger.warning( - f"Missing checksum for '{ud.localpath}', consider using this " \ + f"Missing checksum for '{ud.url}', consider using this " \ f"SRC_URI in the recipe:\n{checksum_line}") def unpack(self, ud, rootdir, d):
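Review bot: in the `@@ -60,16 +61,17 @@` hunk of PATCH 1/2, the digest for the suggested SRC_URI comes from a new `skopeo inspect docker://{ud.container_name}:{ud.tag}` registry query rather than from the image that was already downloaded, so if the tag is moved between the fetch and this call, the warning recommends pinning a digest for content the build did not use. Resolving the digest once before the copy and reusing that value here (or copying by that digest) would close the gap. Two smaller points in the same hunk: `digest` already carries its algorithm prefix (the removed line added `sha256:` itself), so `{"sha256sum": digest}` now hands `MissingChecksumEvent` a prefixed value where it used to get bare hex; and `json.loads(inspect_output)["Digest"]` surfaces a raw KeyError or JSON decode error on unexpected output, while `ud.container_name` and `ud.tag` are placed into the command string unquoted.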
From: Clara Kowalsky
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH 2/2] container_fetcher: Verify that tag and digest match
Date: Wed, 25 Jun 2025 15:54:42 +0200
Message-ID: <20250625135442.1420977-2-clara.kowalsky@siemens.com>
In-Reply-To: <20250625135442.1420977-1-clara.kowalsky@siemens.com>
References: <20250625135442.1420977-1-clara.kowalsky@siemens.com>

If a tag and digest are specified for a container image in the SRC_URI, the tag is ignored until now and the container image with the matching digest is fetched. With this change, the container image is fetched based on the specified tag and it is checked whether the digest matches.
If not, an error is thrown. Signed-off-by: Clara Kowalsky --- meta/lib/container_fetcher.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 16467abb..75366988 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent from bb.fetch2 import NoChecksumError +from bb.fetch2 import ChecksumError from bb.fetch2 import runfetchcmd class Container(FetchMethod): @@ -47,6 +48,22 @@ class Container(FetchMethod): def download(self, ud, d): tarball = ud.localfile[:-len('.zst')] with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir: + # If both tag and digest are provided, verify they match + if ud.digest and ud.tag != "latest": + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + actual_digest = json.loads(inspect_output)["Digest"] + if actual_digest != ud.digest: + messages = [] + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}") + messages.append("If this change is expected (e.g. you have upgraded " \ + "to a new version without updating the checksums) " \ + "then you can use these lines within the recipe:") + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"') + messages.append("Otherwise you should retry the download and/or " \ + "check with upstream to determine if the container image has " \ + "become corrupted or otherwise unexpectedly modified.") + raise ChecksumError("\n".join(messages), ud.url, actual_digest) + # Take a two steps for downloading into a docker archive because # not all source may have the required Docker schema 2 manifest. runfetchcmd("skopeo copy --preserve-digests " + \
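Review bot: in the `download()` hunk of PATCH 2/2, the new comparison only proves what `{ud.container_name}:{ud.tag}` resolved to at the moment of `skopeo inspect`; the `skopeo copy` that follows is a separate registry request, so unless that copy pulls by `ud.digest` (or the digest of the copied image is compared afterwards) a tag moved in between is fetched without the check applying to it. Pulling by digest after the tag check, or verifying the result of the copy, keeps the pin meaningful. Further points in the same hunk: `ud.tag != "latest"` skips the comparison for an explicit `tag=latest` and deserves a comment saying why; the suggested line is rebuilt as `docker://{ud.container_name};digest={actual_digest};tag={ud.tag}` while PATCH 1/2 uses `{ud.url};digest={digest}`, so any other URL parameters are dropped from the suggestion; and the inspect call shares the unquoted interpolation and unhandled `["Digest"]` lookup of the first patch, which a small shared helper would fix in one place.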