image/manifest: Add DigestWithAlgorithm function
#499
When storing blobs with non-canonical digest algorithms (e.g., sha512), store the blob under the provided digest algorithm with an algorithm prefix (e.g., "sha512-abc" instead of just "abc"). SHA256 (canonical) digests continue to be stored without a prefix for backward compatibility.

Signed-off-by: Lokesh Mandvekar <[email protected]>

Introduce version 1.2 and dynamically assign versions based on the digest algorithms used:
- Version 1.1 for sha256-only images (backward compatibility)
- Version 1.2 for images using non-sha256 digest algorithms (e.g., sha512)

Add validation in both ImageDestination and ImageSource to:
- Assume 1.1 if no version file found in dir transport images
- Accept both version 1.1 and 1.2
- Refuse unsupported future versions

Signed-off-by: Lokesh Mandvekar <[email protected]>

Add a new `manifest.DigestWithAlgorithm` function that allows computing the digest of a manifest using a specified algorithm (e.g., SHA256, SHA512) while properly handling v2s1 signed manifest signature stripping.

This addresses the need for skopeo's `--manifest-digest` flag to support different digest algorithms while correctly handling all manifest types, particularly Docker v2s1 signed manifests that require signature stripping before digest computation.

Signed-off-by: Lokesh Mandvekar <[email protected]>
e1149c9 to bdbac34
Packit jobs failed. @containers/packit-build please check.

✅ A new PR has been created in buildah to vendor these changes: containers/buildah#6541

| // Digest returns the a digest of a docker manifest, with any necessary implied transformations like stripping v1s1 signatures. | ||
| // This is publicly visible as c/image/manifest.Digest. | ||
| func Digest(manifest []byte) (digest.Digest, error) { |
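Review bot: the doc comment on the first line has a stray article ("returns the a digest") and speaks of "v1s1 signatures", while the PR description calls the same manifests "v2s1 signed"; fix the typo and use one term throughout. The comment should also say that Digest uses the canonical algorithm, so that its relationship to DigestWithAlgorithm is documented where callers will read it.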
With Digest just a `{ return DigestWithAlgorithm(manifest, digest.Canonical) }` it would be 100% clear what the correspondence between the two functions is, and we would decrease the risk of divergence.
| sha256Digest, err := DigestWithAlgorithm(manifest, digest.SHA256) | ||
| require.NoError(t, err) | ||
| assert.NotEqual(t, sha256Digest, actualDigest, c.path) |
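Review bot: the assert.NotEqual on the last line cannot catch a wrong hash. A digest.Digest value carries its algorithm name as a prefix, so if actualDigest comes from a non-SHA256 call it differs from sha256Digest even when the hashed bytes are wrong. Compare each result against a known expected digest for the fixture instead.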
No
| require.NoError(t, err) | ||
| actualDigest, err := DigestWithAlgorithm(manifest, digest.SHA512) | ||
| require.NoError(t, err) | ||
| assert.Equal(t, digest.SHA512, actualDigest.Algorithm()) |
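Review bot: the last line asserts only actualDigest.Algorithm(), so the test passes for any SHA512 value, including one computed over the wrong bytes (for example a signed manifest whose signatures were not stripped). Add an assert.Equal against the exact expected sha512 digest for each fixture.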
This is not particularly precise…
I think
- The empty input can be reasonably included in the test case table
- The test case table can contain exact sha256 and sha512 digests
Then TestDigest and TestDigestWithAlgorithm can work from a shared table, differing only in whether they process 1 / 2 values.
Alternatively, if Digest became just a wrapper over DigestWithAlgorithm, it would be acceptable to have comprehensive tests only for …WithAlgorithm (more precise than the current ones), and a ~smoke-test for Digest. (I weakly prefer the shared table and thorough testing of both.)
Add a new `manifest.DigestWithAlgorithm` function that allows computing the digest of a manifest using a specified algorithm (e.g., SHA256, SHA512) while properly handling v2s1 signed manifest signature stripping.

This addresses the need for skopeo's `--manifest-digest` flag to support different digest algorithms while correctly handling all manifest types, particularly Docker v2s1 signed manifests that require signature stripping before digest computation.

Note: Currently rebased on #475.
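The wrapper relationship suggested in review and the blob naming rule from the first commit message, as an added standard-library sketch that is not the PR's code. It assumes v2s1 signatures were already stripped by the caller, uses plain strings rather than go-digest types, and `BlobFileName` is a hypothetical helper name.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"strings"
)

// DigestWithAlgorithm hashes blob and returns "algorithm:hex".
// Assumption: any v2s1 signature stripping happened before this call.
func DigestWithAlgorithm(blob []byte, algo string) (string, error) {
	var sum []byte
	switch algo {
	case "sha256":
		s := sha256.Sum256(blob)
		sum = s[:]
	case "sha512":
		s := sha512.Sum512(blob)
		sum = s[:]
	default:
		return "", fmt.Errorf("unsupported digest algorithm %q", algo)
	}
	return algo + ":" + hex.EncodeToString(sum), nil
}

// Digest is only a wrapper, so the two functions cannot diverge.
func Digest(blob []byte) (string, error) { return DigestWithAlgorithm(blob, "sha256") }

// BlobFileName (hypothetical) maps a digest to a file name: bare hex for sha256,
// "algorithm-hex" otherwise. Malformed digests are rejected, never used as paths.
func BlobFileName(d string) (string, error) {
	algo, h, ok := strings.Cut(d, ":")
	raw, err := hex.DecodeString(h)
	want := map[string]int{"sha256": 32, "sha512": 64}[algo]
	if !ok || err != nil || want == 0 || len(raw) != want || h != strings.ToLower(h) {
		return "", fmt.Errorf("invalid digest %q", d)
	}
	if algo == "sha256" {
		return h, nil
	}
	return algo + "-" + h, nil
}

func main() {
	d, _ := DigestWithAlgorithm(nil, "sha512")
	fmt.Println(BlobFileName(d))
}
```

The length and lowercase-hex checks keep a crafted digest string from becoming a file name with path separators in it.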