From patchwork Fri Jun 27 06:53:35 2025
X-Patchwork-Submitter: Clara Kowalsky
X-Patchwork-Id: 4247
From: Clara Kowalsky
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH v3 1/2] container_fetcher: Fix missing checksum warning
Date: Fri, 27 Jun 2025 08:53:35 +0200
Message-ID: <20250627065336.2910069-1-clara.kowalsky@siemens.com>

In case only a tag is specified for a container image in the SRC_URI and no digest, a warning should be issued with the recommendation to add the digest of the container image. So far, we were presenting in the warning the digest of the architecture-specific image that happened to be fetched first.
However, we actually want to show the multi-arch manifest digest rather than the architecture-specific one. In addition, reading the manifest.json does not work at this point anyway, as skopeo has already packed it into a Docker archive. Signed-off-by: Clara Kowalsky Reviewed-by: Jan Kiszka --- meta/lib/container_fetcher.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 0d659154..16467abb 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -6,6 +6,7 @@ import oe.path import os import tempfile +import json from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent @@ -60,16 +61,17 @@ class Container(FetchMethod): if ud.digest: return - checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json") - checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\"" + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + digest = json.loads(inspect_output)["Digest"] + checksum_line = f'SRC_URI = "{ud.url};digest={digest}"' strict = d.getVar("BB_STRICT_CHECKSUM") or "0" # If strict checking enabled and neither sum defined, raise error if strict == "1": raise NoChecksumError(checksum_line) - checksum_event = {"sha256sum": checksum} + checksum_event = {"sha256sum": digest} bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d) if strict == "ignore": 
@@ -77,7 +79,7 @@ class Container(FetchMethod): # Log missing digest so user can more easily add it logger.warning( - f"Missing checksum for '{ud.localpath}', consider using this " \ + f"Missing checksum for '{ud.url}', consider using this " \ f"SRC_URI in the recipe:\n{checksum_line}") def unpack(self, ud, rootdir, d):

From patchwork Fri Jun 27 06:53:36 2025
X-Patchwork-Submitter: Clara Kowalsky
X-Patchwork-Id: 4248
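
Review bot: In the `@@ -60,16 +61,17 @@` hunk of patch 1/2, the digest recommended in `checksum_line` is resolved by a second registry lookup (`skopeo inspect docker://{ud.container_name}:{ud.tag}`) rather than taken from the data that was already fetched, so if the tag moved in between, the user is told to pin a digest that does not belong to the archive in the download directory. Consider recording the multi-arch digest in the same step that fetches the image, or state in the warning that the digest was resolved from the tag after the fetch. Two smaller points in the same hunk: `checksum_event = {"sha256sum": digest}` used to receive the bare hex value from `bb.utils.sha256_file()`, with the old `checksum_line` adding `sha256:` itself; the new `checksum_line` adds no prefix, which suggests `digest` already carries it, so the event payload changes format for any handler of `MissingChecksumEvent`. And `json.loads(inspect_output)["Digest"]` has no handling for malformed output or a missing key, so a registry or tool problem would surface as a raw Python exception instead of a fetch error.
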
From: Clara Kowalsky
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, Clara Kowalsky
Subject: [PATCH v3 2/2] container_fetcher: Verify that tag and digest match
Date: Fri, 27 Jun 2025 08:53:36 +0200
Message-ID: <20250627065336.2910069-2-clara.kowalsky@siemens.com>
In-Reply-To: <20250627065336.2910069-1-clara.kowalsky@siemens.com>
References: <20250627065336.2910069-1-clara.kowalsky@siemens.com>

If a tag and digest are specified for a container image in the SRC_URI, the tag has been ignored until now and the container image with the matching digest is fetched. With this change, the container image is fetched based on the specified tag and it is checked whether the digest matches.
If not, an error is thrown. Signed-off-by: Clara Kowalsky Reviewed-by: Jan Kiszka --- meta/lib/container_fetcher.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py index 16467abb..cd1a201a 100644 --- a/meta/lib/container_fetcher.py +++ b/meta/lib/container_fetcher.py @@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod from bb.fetch2 import logger from bb.fetch2 import MissingChecksumEvent from bb.fetch2 import NoChecksumError +from bb.fetch2 import ChecksumError from bb.fetch2 import runfetchcmd class Container(FetchMethod): @@ -47,6 +48,22 @@ class Container(FetchMethod): def download(self, ud, d): tarball = ud.localfile[:-len('.zst')] with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir: + # If both tag and digest are provided, verify they match + if ud.digest and "tag" in ud.parm: + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True) + actual_digest = json.loads(inspect_output)["Digest"] + if actual_digest != ud.digest: + messages = [] + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}") + messages.append("If this change is expected (e.g. you have upgraded " \ + "to a new version without updating the checksums) " \ + "then you can use these lines within the recipe:") + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"') + messages.append("Otherwise you should retry the download and/or " \ + "check with upstream to determine if the container image has " \ + "become corrupted or otherwise unexpectedly modified.") + raise ChecksumError("\n".join(messages), ud.url, actual_digest) + # Take a two steps for downloading into a docker archive because # not all source may have the required Docker schema 2 manifest. runfetchcmd("skopeo copy --preserve-digests " + \
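
Review bot: The tag/digest comparison added at the top of `download()` in patch 2/2 is racy unless the `skopeo copy --preserve-digests` call that follows (cut off in this hunk) pulls by `ud.digest`: the tag is resolved by `skopeo inspect` in one registry call and the image is transferred in another, so a tag that moves between the two would pass the check and still deliver different content if the copy goes by tag. Please make sure the copy references the verified digest, or re-check the digest of what was actually copied. Also in this hunk, the suggested line is rebuilt as `docker://{ud.container_name};digest={actual_digest};tag={ud.tag}`, which drops any other parameters the recipe had in `ud.url`, whereas patch 1/2 builds its suggestion from `ud.url`; and the check does not use `tmpdir`, so it could sit before the `with tempfile.TemporaryDirectory(...)` line to avoid creating the directory when the fetch is going to be rejected. As in patch 1/2, `json.loads(inspect_output)["Digest"]` has no handling for malformed output or a missing key.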