From patchwork Thu Jun 26 14:07:30 2025
X-Patchwork-Submitter: Clara Kowalsky
X-Patchwork-Id: 4246
From: Clara Kowalsky
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH v2 1/2] container_fetcher: Fix missing checksum warning
Date: Thu, 26 Jun 2025 16:07:30 +0200
Message-ID: <20250626140731.2732545-1-clara.kowalsky@siemens.com>

In case only a tag is specified for a container image in the SRC_URI and no digest, a warning should be issued with the recommendation to add the digest of the container image. So far, we were presenting in the warning the digest of the architecture-specific image that happened to be fetched first.
However, we actually want to show the multi-arch manifest digest rather than the architecture-specific one. In addition, reading the manifest.json does not work at this point anyway, as skopeo has already packed it into a Docker archive. Signed-off-by: Clara Kowalsky Reviewed-by: Jan Kiszka --- meta/lib/container_fetcher.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 0d659154..16467abb 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -6,6 +6,7 @@ import oe.path import os import tempfile +import json from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent @@ -60,16 +61,17 @@ class Container(FetchMethod): if ud.digest: return - checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json") - checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\"" + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + digest = json.loads(inspect_output)["Digest"] + checksum_line = f'SRC_URI = "{ud.url};digest={digest}"' strict = d.getVar("BB_STRICT_CHECKSUM") or "0" # If strict checking enabled and neither sum defined, raise error if strict == "1": raise NoChecksumError(checksum_line) - checksum_event = {"sha256sum": checksum} + checksum_event = {"sha256sum": digest} bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d) if strict == "ignore": 
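Review bot: In the `@@ -60,16 +61,17 @@` hunk, `checksum_event = {"sha256sum": digest}` now carries the `Digest` string from `skopeo inspect` unchanged, and the new `checksum_line` writes it as `digest={digest}` where the old line wrote `digest=sha256:{checksum}`, so the event value appears to change from bare hex to an algorithm-prefixed string; strip the prefix for the event or state the format change in the commit message. `json.loads(inspect_output)["Digest"]` is also unguarded, so malformed output or a missing key surfaces as a raw exception rather than a fetch error. Finally, the digest comes from a separate registry query made after the image was already packed into the archive, so the suggested SRC_URI describes whatever the tag resolves to at inspect time; a comment noting that, or taking the digest during the fetch itself, would close that gap.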
@@ -77,7 +79,7 @@ class Container(FetchMethod): # Log missing digest so user can more easily add it logger.warning( - f"Missing checksum for '{ud.localpath}', consider using this " \ + f"Missing checksum for '{ud.url}', consider using this " \ f"SRC_URI in the recipe:\n{checksum_line}") def unpack(self, ud, rootdir, d):

From patchwork Thu Jun 26 14:07:31 2025
X-Patchwork-Submitter: Clara Kowalsky
X-Patchwork-Id: 4245
From: Clara Kowalsky
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH v2 2/2] container_fetcher: Verify that tag and digest match
Date: Thu, 26 Jun 2025 16:07:31 +0200
Message-ID: <20250626140731.2732545-2-clara.kowalsky@siemens.com>
In-Reply-To: <20250626140731.2732545-1-clara.kowalsky@siemens.com>
References: <20250626140731.2732545-1-clara.kowalsky@siemens.com>

If a tag and digest are specified for a container image in the SRC_URI, the tag is ignored until now and the container image with the matching digest is fetched.
With this change, the container image is fetched based on the specified tag and it is checked whether the digest matches. If not, an error is thrown. Signed-off-by: Clara Kowalsky --- meta/lib/container_fetcher.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 16467abb..08766742 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent from bb.fetch2 import NoChecksumError +from bb.fetch2 import ChecksumError from bb.fetch2 import runfetchcmd class Container(FetchMethod): @@ -47,6 +48,22 @@ class Container(FetchMethod): def download(self, ud, d): tarball = ud.localfile[:-len('.zst')] with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir: + # If both tag and digest are provided, verify they match + if ud.digest and not "tag" in ud.parm: + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + actual_digest = json.loads(inspect_output)["Digest"] + if actual_digest != ud.digest: + messages = [] + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}") + messages.append("If this change is expected (e.g. you have upgraded " \ + "to a new version without updating the checksums) " \ + "then you can use these lines within the recipe:") + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"') + messages.append("Otherwise you should retry the download and/or " \ + "check with upstream to determine if the container image has " \ + "become corrupted or otherwise unexpectedly modified.") + raise ChecksumError("\n".join(messages), ud.url, actual_digest) + # Take a two steps for downloading into a docker archive because # not all source may have the required Docker schema 2 manifest. runfetchcmd("skopeo copy --preserve-digests " + \
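Review bot: The condition `if ud.digest and not "tag" in ud.parm:` in the `download()` hunk reads as inverted against its own comment ("If both tag and digest are provided, verify they match") and against the error text, which suggests a SRC_URI containing `;tag={ud.tag}`: as written the check runs only when no `tag` parameter is present. If the intent is the commit message's, this should be `if ud.digest and "tag" in ud.parm:`; if `ud.tag` has a default that makes the current form correct, the comment needs to say so. The comparison also happens before `skopeo copy`, and the visible lines do not show which reference the copy uses, so confirm the copy is bound to `ud.digest` (or re-check the digest of what was copied) so that a tag moved between inspect and copy cannot slip through.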