[PATCH 1/2] container_fetcher: Fix missing checksum warning
7 views
Skip to first unread message
Clara Kowalsky
Jun 25, 2025, 9:54:52 AMJun 25
to isar-...@googlegroups.com, jan.k...@siemens.com, Clara Kowalsky
In case only a tag is specified for a container image in the SRC_URI and
no digest, a warning should be issued with the recommendation to add the
digest of the container image.
So far, the number specified in the warning would be the checksum of the
manifest.json, which is a metadata file. However, we want to show the
registry digest, which is calculated over the complete image content.
In addition, reading the manifest.json does not work at this point
anyway, as skopeo has already packed it into a Docker archive.
Signed-off-by: Clara Kowalsky <clara.k...@siemens.com>
---
meta/lib/container_fetcher.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
index 0d659154..16467abb 100644
--- a/meta/lib/container_fetcher.py
+++ b/meta/lib/container_fetcher.py
@@ -6,6 +6,7 @@
import oe.path
import os
import tempfile
+import json
from bb.fetch2 import FetchMethod
from bb.fetch2 import logger
from bb.fetch2 import MissingChecksumEvent
@@ -60,16 +61,17 @@ class Container(FetchMethod):
if ud.digest:
return
- checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json")
- checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\""
+ inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
+ digest = json.loads(inspect_output)["Digest"]
+ checksum_line = f'SRC_URI = "{ud.url};digest={digest}"'
strict = d.getVar("BB_STRICT_CHECKSUM") or "0"
# If strict checking enabled and neither sum defined, raise error
if strict == "1":
raise NoChecksumError(checksum_line)
- checksum_event = {"sha256sum": checksum}
+ checksum_event = {"sha256sum": digest}
bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d)
if strict == "ignore":
@@ -77,7 +79,7 @@ class Container(FetchMethod):
# Log missing digest so user can more easily add it
logger.warning(
- f"Missing checksum for '{ud.localpath}', consider using this " \
+ f"Missing checksum for '{ud.url}', consider using this " \
f"SRC_URI in the recipe:\n{checksum_line}")
def unpack(self, ud, rootdir, d):
--
2.49.0
no digest, a warning should be issued with the recommendation to add the
digest of the container image.
So far, the number specified in the warning would be the checksum of the
manifest.json, which is a metadata file. However, we want to show the
registry digest, which is calculated over the complete image content.
In addition, reading the manifest.json does not work at this point
anyway, as skopeo has already packed it into a Docker archive.
Signed-off-by: Clara Kowalsky <clara.k...@siemens.com>
---
meta/lib/container_fetcher.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
index 0d659154..16467abb 100644
--- a/meta/lib/container_fetcher.py
+++ b/meta/lib/container_fetcher.py
@@ -6,6 +6,7 @@
import oe.path
import os
import tempfile
+import json
from bb.fetch2 import FetchMethod
from bb.fetch2 import logger
from bb.fetch2 import MissingChecksumEvent
@@ -60,16 +61,17 @@ class Container(FetchMethod):
if ud.digest:
return
- checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json")
- checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\""
+ inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
+ digest = json.loads(inspect_output)["Digest"]
+ checksum_line = f'SRC_URI = "{ud.url};digest={digest}"'
strict = d.getVar("BB_STRICT_CHECKSUM") or "0"
# If strict checking enabled and neither sum defined, raise error
if strict == "1":
raise NoChecksumError(checksum_line)
- checksum_event = {"sha256sum": checksum}
+ checksum_event = {"sha256sum": digest}
bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d)
if strict == "ignore":
@@ -77,7 +79,7 @@ class Container(FetchMethod):
# Log missing digest so user can more easily add it
logger.warning(
- f"Missing checksum for '{ud.localpath}', consider using this " \
+ f"Missing checksum for '{ud.url}', consider using this " \
f"SRC_URI in the recipe:\n{checksum_line}")
def unpack(self, ud, rootdir, d):
--
2.49.0
Clara Kowalsky
Jun 25, 2025, 9:54:57 AMJun 25
to isar-...@googlegroups.com, jan.k...@siemens.com, Clara Kowalsky
If a tag and digest are specified for a container image in the SRC_URI,
the tag is ignored until now and the container image with the matching
digest is fetched.
With this change, the container image is fetched based on the specified
tag and it is checked whether the digest matches. If not, an error is
thrown.
meta/lib/container_fetcher.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
index 16467abb..75366988 100644
--- a/meta/lib/container_fetcher.py
+++ b/meta/lib/container_fetcher.py
@@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod
+from bb.fetch2 import ChecksumError
from bb.fetch2 import runfetchcmd
class Container(FetchMethod):
@@ -47,6 +48,22 @@ class Container(FetchMethod):
def download(self, ud, d):
tarball = ud.localfile[:-len('.zst')]
with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir:
+ # If both tag and digest are provided, verify they match
+ if ud.digest and ud.tag != "latest":
+ if actual_digest != ud.digest:
+ messages = []
+ messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
+ messages.append("If this change is expected (e.g. you have upgraded " \
+ "to a new version without updating the checksums) " \
+ "then you can use these lines within the recipe:")
+ messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
+ messages.append("Otherwise you should retry the download and/or " \
+ "check with upstream to determine if the container image has " \
+ "become corrupted or otherwise unexpectedly modified.")
+ raise ChecksumError("\n".join(messages), ud.url, actual_digest)
+
# Take a two steps for downloading into a docker archive because
# not all source may have the required Docker schema 2 manifest.
runfetchcmd("skopeo copy --preserve-digests " + \
--
2.49.0
the tag is ignored until now and the container image with the matching
digest is fetched.
With this change, the container image is fetched based on the specified
tag and it is checked whether the digest matches. If not, an error is
thrown.
meta/lib/container_fetcher.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
index 16467abb..75366988 100644
--- a/meta/lib/container_fetcher.py
+++ b/meta/lib/container_fetcher.py
@@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod
from bb.fetch2 import logger
from bb.fetch2 import MissingChecksumEvent
from bb.fetch2 import NoChecksumError
from bb.fetch2 import MissingChecksumEvent
+from bb.fetch2 import ChecksumError
from bb.fetch2 import runfetchcmd
class Container(FetchMethod):
@@ -47,6 +48,22 @@ class Container(FetchMethod):
def download(self, ud, d):
tarball = ud.localfile[:-len('.zst')]
with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir:
+ # If both tag and digest are provided, verify they match
+ if ud.digest and ud.tag != "latest":
+ inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
+ actual_digest = json.loads(inspect_output)["Digest"]
+ if actual_digest != ud.digest:
+ messages = []
+ messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
+ messages.append("If this change is expected (e.g. you have upgraded " \
+ "to a new version without updating the checksums) " \
+ "then you can use these lines within the recipe:")
+ messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
+ messages.append("Otherwise you should retry the download and/or " \
+ "check with upstream to determine if the container image has " \
+ "become corrupted or otherwise unexpectedly modified.")
+ raise ChecksumError("\n".join(messages), ud.url, actual_digest)
+
# Take a two steps for downloading into a docker archive because
# not all source may have the required Docker schema 2 manifest.
runfetchcmd("skopeo copy --preserve-digests " + \
--
2.49.0
Jan Kiszka
Jun 25, 2025, 11:42:38 AMJun 25
to Clara Kowalsky, isar-...@googlegroups.com
On 25.06.25 15:54, Clara Kowalsky wrote:
> In case only a tag is specified for a container image in the SRC_URI and
> no digest, a warning should be issued with the recommendation to add the
> digest of the container image.
> So far, the number specified in the warning would be the checksum of the
> manifest.json, which is a metadata file. However, we want to show the
> registry digest, which is calculated over the complete image content.
Actually, we were presenting the digest of the architecture-specific
> In case only a tag is specified for a container image in the SRC_URI and
> no digest, a warning should be issued with the recommendation to add the
> digest of the container image.
> So far, the number specified in the warning would be the checksum of the
> manifest.json, which is a metadata file. However, we want to show the
> registry digest, which is calculated over the complete image content.
image that happened to be fetched first, not that of the manifest
describing images for all supported archs of this tag. I would recommend
to update that.
But the conclusion remains correct: We need the latter, not the former.
Jan
Linux Expert Center
Jan Kiszka
Jun 25, 2025, 11:47:39 AMJun 25
to Clara Kowalsky, isar-...@googlegroups.com
On 25.06.25 15:54, Clara Kowalsky wrote:
and not "tag" in ud.parm
> + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
> + actual_digest = json.loads(inspect_output)["Digest"]
> + if actual_digest != ud.digest:
> + messages = []
> + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
> + messages.append("If this change is expected (e.g. you have upgraded " \
> + "to a new version without updating the checksums) " \
> + "then you can use these lines within the recipe:")
> + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
> + messages.append("Otherwise you should retry the download and/or " \
> + "check with upstream to determine if the container image has " \
> + "become corrupted or otherwise unexpectedly modified.")
mismatch?
> + raise ChecksumError("\n".join(messages), ud.url, actual_digest)
> +
> # Take a two steps for downloading into a docker archive because
> # not all source may have the required Docker schema 2 manifest.
> runfetchcmd("skopeo copy --preserve-digests " + \
Clara Kowalsky
Jun 25, 2025, 3:58:57 PMJun 25
to Jan Kiszka, isar-...@googlegroups.com
>
>> + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
>> + actual_digest = json.loads(inspect_output)["Digest"]
>> + if actual_digest != ud.digest:
>> + messages = []
>> + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
>> + messages.append("If this change is expected (e.g. you have upgraded " \
>> + "to a new version without updating the checksums) " \
>> + "then you can use these lines within the recipe:")
>> + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
>> + messages.append("Otherwise you should retry the download and/or " \
>> + "check with upstream to determine if the container image has " \
>> + "become corrupted or otherwise unexpectedly modified.")
>
> Rather long. Is bitbake similarly verbose when detecting a checksum
> mismatch?
>
case of checksum mismatch:
https://github.com/ilbers/isar/blob/master/bitbake/lib/bb/fetch2/__init__.py#L633
BR,
Clara
Clara Kowalsky
Jun 26, 2025, 10:07:56 AMJun 26
to isar-...@googlegroups.com, jan.k...@siemens.com, Clara Kowalsky
In case only a tag is specified for a container image in the SRC_URI and
no digest, a warning should be issued with the recommendation to add the
digest of the container image.
So far, we were presenting in the warning the digest of the
no digest, a warning should be issued with the recommendation to add the
digest of the container image.
architecture-specific image that happened to be fetched first. However,
we actually want to show the multi-arch manifest digest rather than the
architecture-specific one.
In addition, reading the manifest.json does not work at this point
anyway, as skopeo has already packed it into a Docker archive.
anyway, as skopeo has already packed it into a Docker archive.
meta/lib/container_fetcher.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
1 file changed, 6 insertions(+), 4 deletions(-)
index 0d659154..16467abb 100644
--- a/meta/lib/container_fetcher.py
+++ b/meta/lib/container_fetcher.py
@@ -6,6 +6,7 @@
import oe.path
import os
import tempfile
+import json
import oe.path
import os
import tempfile
+import json
from bb.fetch2 import FetchMethod
from bb.fetch2 import logger
from bb.fetch2 import MissingChecksumEvent
from bb.fetch2 import logger
from bb.fetch2 import MissingChecksumEvent
@@ -60,16 +61,17 @@ class Container(FetchMethod):
if ud.digest:
return
- checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json")
- checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\""
if ud.digest:
return
- checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json")
- checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\""
+ inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
+ digest = json.loads(inspect_output)["Digest"]
+ checksum_line = f'SRC_URI = "{ud.url};digest={digest}"'
strict = d.getVar("BB_STRICT_CHECKSUM") or "0"
# If strict checking enabled and neither sum defined, raise error
if strict == "1":
raise NoChecksumError(checksum_line)
- checksum_event = {"sha256sum": checksum}
+ checksum_event = {"sha256sum": digest}
bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d)
if strict == "ignore":
@@ -77,7 +79,7 @@ class Container(FetchMethod):
# Log missing digest so user can more easily add it
logger.warning(
- f"Missing checksum for '{ud.localpath}', consider using this " \
+ f"Missing checksum for '{ud.url}', consider using this " \
f"SRC_URI in the recipe:\n{checksum_line}")
def unpack(self, ud, rootdir, d):
--
2.49.0
+ checksum_line = f'SRC_URI = "{ud.url};digest={digest}"'
strict = d.getVar("BB_STRICT_CHECKSUM") or "0"
# If strict checking enabled and neither sum defined, raise error
if strict == "1":
raise NoChecksumError(checksum_line)
- checksum_event = {"sha256sum": checksum}
+ checksum_event = {"sha256sum": digest}
bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d)
if strict == "ignore":
@@ -77,7 +79,7 @@ class Container(FetchMethod):
# Log missing digest so user can more easily add it
logger.warning(
- f"Missing checksum for '{ud.localpath}', consider using this " \
+ f"Missing checksum for '{ud.url}', consider using this " \
f"SRC_URI in the recipe:\n{checksum_line}")
def unpack(self, ud, rootdir, d):
--
Clara Kowalsky
Jun 26, 2025, 10:07:56 AMJun 26
to isar-...@googlegroups.com, jan.k...@siemens.com, Clara Kowalsky
If a tag and digest are specified for a container image in the SRC_URI,
the tag is ignored until now and the container image with the matching
digest is fetched.
With this change, the container image is fetched based on the specified
tag and it is checked whether the digest matches. If not, an error is
thrown.
the tag is ignored until now and the container image with the matching
digest is fetched.
With this change, the container image is fetched based on the specified
tag and it is checked whether the digest matches. If not, an error is
thrown.
meta/lib/container_fetcher.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
1 file changed, 17 insertions(+)
index 16467abb..08766742 100644
--- a/meta/lib/container_fetcher.py
+++ b/meta/lib/container_fetcher.py
@@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod
from bb.fetch2 import logger
from bb.fetch2 import MissingChecksumEvent
from bb.fetch2 import MissingChecksumEvent
from bb.fetch2 import NoChecksumError
+from bb.fetch2 import ChecksumError
from bb.fetch2 import runfetchcmd
class Container(FetchMethod):
@@ -47,6 +48,22 @@ class Container(FetchMethod):
def download(self, ud, d):
tarball = ud.localfile[:-len('.zst')]
with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir:
+ # If both tag and digest are provided, verify they match
+ if ud.digest and not "tag" in ud.parm:
+from bb.fetch2 import ChecksumError
from bb.fetch2 import runfetchcmd
class Container(FetchMethod):
@@ -47,6 +48,22 @@ class Container(FetchMethod):
def download(self, ud, d):
tarball = ud.localfile[:-len('.zst')]
with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir:
+ # If both tag and digest are provided, verify they match
+ inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
+ actual_digest = json.loads(inspect_output)["Digest"]
+ if actual_digest != ud.digest:
+ messages = []
+ messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
+ messages.append("If this change is expected (e.g. you have upgraded " \
+ "to a new version without updating the checksums) " \
+ "then you can use these lines within the recipe:")
+ messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
+ messages.append("Otherwise you should retry the download and/or " \
+ "check with upstream to determine if the container image has " \
+ "become corrupted or otherwise unexpectedly modified.")
+ if actual_digest != ud.digest:
+ messages = []
+ messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
+ messages.append("If this change is expected (e.g. you have upgraded " \
+ "to a new version without updating the checksums) " \
+ "then you can use these lines within the recipe:")
+ messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
+ messages.append("Otherwise you should retry the download and/or " \
+ "check with upstream to determine if the container image has " \
+ "become corrupted or otherwise unexpectedly modified.")
+ raise ChecksumError("\n".join(messages), ud.url, actual_digest)
+
# Take a two steps for downloading into a docker archive because
# not all source may have the required Docker schema 2 manifest.
runfetchcmd("skopeo copy --preserve-digests " + \
--
+
# Take a two steps for downloading into a docker archive because
# not all source may have the required Docker schema 2 manifest.
runfetchcmd("skopeo copy --preserve-digests " + \
2.49.0
Jan Kiszka
Jun 26, 2025, 12:00:21 PMJun 26
to Clara Kowalsky, isar-...@googlegroups.com
again? Don't we rather need
if ud.digest and "tag" in ud.parm:
?
> + inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
> + actual_digest = json.loads(inspect_output)["Digest"]
> + if actual_digest != ud.digest:
> + messages = []
> + messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
> + messages.append("If this change is expected (e.g. you have upgraded " \
> + "to a new version without updating the checksums) " \
> + "then you can use these lines within the recipe:")
> + messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
> + messages.append("Otherwise you should retry the download and/or " \
> + "check with upstream to determine if the container image has " \
> + "become corrupted or otherwise unexpectedly modified.")
> + raise ChecksumError("\n".join(messages), ud.url, actual_digest)
> +
> # Take a two steps for downloading into a docker archive because
> # not all source may have the required Docker schema 2 manifest.
> runfetchcmd("skopeo copy --preserve-digests " + \
Jan Kiszka
Jun 26, 2025, 12:02:33 PMJun 26
to Clara Kowalsky, isar-...@googlegroups.com
Clara Kowalsky
Jun 27, 2025, 2:53:15 AMJun 27
to Jan Kiszka, isar-...@googlegroups.com
ud.digest and not "tag" in ud.parm:", we only enter this case if no tag
is specified in the SRC_URI, which is not what we want. The digest is
then compared to the digest of "latest"...
Tested with "if ud.digest and "tag" in ud.parm:": This is correct, it
means we have a tag and a digest explicitly specified in the SRC_URI and
then we want to do the "skopeo inspect" to check for a mismatch.
Sending v3 with this change + Reviewed-By.
BR,
Clara
Clara Kowalsky
Jun 27, 2025, 2:53:47 AMJun 27
to isar-...@googlegroups.com, jan.k...@siemens.com, Clara Kowalsky
In case only a tag is specified for a container image in the SRC_URI and
no digest, a warning should be issued with the recommendation to add the
digest of the container image.
So far, we were presenting in the warning the digest of the
architecture-specific image that happened to be fetched first. However,
we actually want to show the multi-arch manifest digest rather than the
architecture-specific one.
In addition, reading the manifest.json does not work at this point
anyway, as skopeo has already packed it into a Docker archive.
Signed-off-by: Clara Kowalsky <clara.k...@siemens.com>
Reviewed-by: Jan Kiszka <jan.k...@siemens.com>
no digest, a warning should be issued with the recommendation to add the
digest of the container image.
So far, we were presenting in the warning the digest of the
architecture-specific image that happened to be fetched first. However,
we actually want to show the multi-arch manifest digest rather than the
architecture-specific one.
In addition, reading the manifest.json does not work at this point
anyway, as skopeo has already packed it into a Docker archive.
Signed-off-by: Clara Kowalsky <clara.k...@siemens.com>
---
meta/lib/container_fetcher.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
meta/lib/container_fetcher.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
index 0d659154..16467abb 100644
--- a/meta/lib/container_fetcher.py
+++ b/meta/lib/container_fetcher.py
@@ -6,6 +6,7 @@
import oe.path
import os
import tempfile
+import json
import oe.path
import os
import tempfile
+import json
from bb.fetch2 import FetchMethod
from bb.fetch2 import logger
from bb.fetch2 import MissingChecksumEvent
from bb.fetch2 import logger
from bb.fetch2 import MissingChecksumEvent
@@ -60,16 +61,17 @@ class Container(FetchMethod):
if ud.digest:
return
- checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json")
- checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\""
if ud.digest:
return
- checksum = bb.utils.sha256_file(ud.localpath + "/manifest.json")
- checksum_line = f"SRC_URI = \"{ud.url};digest=sha256:{checksum}\""
+ inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
+ digest = json.loads(inspect_output)["Digest"]
+ checksum_line = f'SRC_URI = "{ud.url};digest={digest}"'
strict = d.getVar("BB_STRICT_CHECKSUM") or "0"
# If strict checking enabled and neither sum defined, raise error
if strict == "1":
raise NoChecksumError(checksum_line)
- checksum_event = {"sha256sum": checksum}
+ checksum_event = {"sha256sum": digest}
bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d)
if strict == "ignore":
@@ -77,7 +79,7 @@ class Container(FetchMethod):
# Log missing digest so user can more easily add it
logger.warning(
- f"Missing checksum for '{ud.localpath}', consider using this " \
+ f"Missing checksum for '{ud.url}', consider using this " \
f"SRC_URI in the recipe:\n{checksum_line}")
def unpack(self, ud, rootdir, d):
--
+ checksum_line = f'SRC_URI = "{ud.url};digest={digest}"'
strict = d.getVar("BB_STRICT_CHECKSUM") or "0"
# If strict checking enabled and neither sum defined, raise error
if strict == "1":
raise NoChecksumError(checksum_line)
- checksum_event = {"sha256sum": checksum}
+ checksum_event = {"sha256sum": digest}
bb.event.fire(MissingChecksumEvent(ud.url, **checksum_event), d)
if strict == "ignore":
@@ -77,7 +79,7 @@ class Container(FetchMethod):
# Log missing digest so user can more easily add it
logger.warning(
- f"Missing checksum for '{ud.localpath}', consider using this " \
+ f"Missing checksum for '{ud.url}', consider using this " \
f"SRC_URI in the recipe:\n{checksum_line}")
def unpack(self, ud, rootdir, d):
2.49.0
Clara Kowalsky
Jun 27, 2025, 2:53:54 AMJun 27
to isar-...@googlegroups.com, jan.k...@siemens.com, Clara Kowalsky
If a tag and digest are specified for a container image in the SRC_URI,
the tag is ignored until now and the container image with the matching
digest is fetched.
With this change, the container image is fetched based on the specified
tag and it is checked whether the digest matches. If not, an error is
thrown.
the tag is ignored until now and the container image with the matching
digest is fetched.
With this change, the container image is fetched based on the specified
tag and it is checked whether the digest matches. If not, an error is
thrown.
Signed-off-by: Clara Kowalsky <clara.k...@siemens.com>
Reviewed-by: Jan Kiszka <jan.k...@siemens.com>
---
Reviewed-by: Jan Kiszka <jan.k...@siemens.com>
---
meta/lib/container_fetcher.py | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/meta/lib/container_fetcher.py b/meta/lib/container_fetcher.py
1 file changed, 17 insertions(+)
index 16467abb..cd1a201a 100644
--- a/meta/lib/container_fetcher.py
+++ b/meta/lib/container_fetcher.py
@@ -11,6 +11,7 @@ from bb.fetch2 import FetchMethod
from bb.fetch2 import logger
from bb.fetch2 import MissingChecksumEvent
from bb.fetch2 import MissingChecksumEvent
from bb.fetch2 import NoChecksumError
+from bb.fetch2 import ChecksumError
from bb.fetch2 import runfetchcmd
class Container(FetchMethod):
@@ -47,6 +48,22 @@ class Container(FetchMethod):
def download(self, ud, d):
tarball = ud.localfile[:-len('.zst')]
with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir:
+ # If both tag and digest are provided, verify they match
+ if ud.digest and "tag" in ud.parm:
+from bb.fetch2 import ChecksumError
from bb.fetch2 import runfetchcmd
class Container(FetchMethod):
@@ -47,6 +48,22 @@ class Container(FetchMethod):
def download(self, ud, d):
tarball = ud.localfile[:-len('.zst')]
with tempfile.TemporaryDirectory(dir=d.getVar('DL_DIR')) as tmpdir:
+ # If both tag and digest are provided, verify they match
+ inspect_output = runfetchcmd(f"skopeo inspect docker://{ud.container_name}:{ud.tag}", d, True)
+ actual_digest = json.loads(inspect_output)["Digest"]
+ if actual_digest != ud.digest:
+ messages = []
+ messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
+ messages.append("If this change is expected (e.g. you have upgraded " \
+ "to a new version without updating the checksums) " \
+ "then you can use these lines within the recipe:")
+ messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
+ messages.append("Otherwise you should retry the download and/or " \
+ "check with upstream to determine if the container image has " \
+ "become corrupted or otherwise unexpectedly modified.")
+ raise ChecksumError("\n".join(messages), ud.url, actual_digest)
+
# Take a two steps for downloading into a docker archive because
# not all source may have the required Docker schema 2 manifest.
runfetchcmd("skopeo copy --preserve-digests " + \
--
+ if actual_digest != ud.digest:
+ messages = []
+ messages.append(f"Checksum mismatch for {ud.container_name}:{ud.tag}")
+ messages.append("If this change is expected (e.g. you have upgraded " \
+ "to a new version without updating the checksums) " \
+ "then you can use these lines within the recipe:")
+ messages.append(f'SRC_URI = "docker://{ud.container_name};digest={actual_digest};tag={ud.tag}"')
+ messages.append("Otherwise you should retry the download and/or " \
+ "check with upstream to determine if the container image has " \
+ "become corrupted or otherwise unexpectedly modified.")
+ raise ChecksumError("\n".join(messages), ud.url, actual_digest)
+
# Take a two steps for downloading into a docker archive because
# not all source may have the required Docker schema 2 manifest.
runfetchcmd("skopeo copy --preserve-digests " + \
2.49.0
Baurzhan Ismagulov
Aug 27, 2025, 7:15:41 AM (11 days ago) Aug 27
to isar-...@googlegroups.com
On 2025-06-27 08:53, 'Clara Kowalsky' via isar-users wrote:
> In case only a tag is specified for a container image in the SRC_URI and
> no digest, a warning should be issued with the recommendation to add the
> digest of the container image.
> So far, we were presenting in the warning the digest of the
> architecture-specific image that happened to be fetched first. However,
> we actually want to show the multi-arch manifest digest rather than the
> architecture-specific one.
> In addition, reading the manifest.json does not work at this point
> anyway, as skopeo has already packed it into a Docker archive.
Applied to next, thanks.
> In case only a tag is specified for a container image in the SRC_URI and
> no digest, a warning should be issued with the recommendation to add the
> digest of the container image.
> So far, we were presenting in the warning the digest of the
> architecture-specific image that happened to be fetched first. However,
> we actually want to show the multi-arch manifest digest rather than the
> architecture-specific one.
> In addition, reading the manifest.json does not work at this point
> anyway, as skopeo has already packed it into a Docker archive.
With kind regards,
Baurzhan
Reply all
Reply to author
Forward
0 new messages