Skip to content

image/manifest: Add DigestWithAlgorithm function #499

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

image/manifest: Add DigestWithAlgorithm function #499

wants to merge 3 commits into from

Conversation

@lsm5
Copy link
Member

@lsm5 lsm5 commented Nov 26, 2025

Add a new manifest.DigestWithAlgorithm function that
allows computing the digest of a manifest using a specified algorithm
(e.g., SHA256, SHA512) while properly handling v2s1 signed manifest
signature stripping.

This addresses the need for skopeo's --manifest-digest flag to support
different digest algorithms while correctly handling all manifest types,
particularly Docker v2s1 signed manifests that require signature
stripping before digest computation.

Note: Currently rebased on #475 .

lsm5 added 2 commits November 26, 2025 14:23
@lsm5
image/directory: store blobs with digest algorithm prefix
517d3d3 
When storing blobs with non-canonical digest algorithms (e.g., sha512),
store the blob under the provided digest algorithm with an algorithm
prefix (e.g., "sha512-abc" instead of just "abc").

SHA256 (canonical) digests continue to be stored without a prefix for
backward compatibility.

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
@lsm5
image/directory: assign version based on digest algorithm
9cd39ec 
Introduce version 1.2 and dynamically assign versions based on the digest
algorithms used:
- Version 1.1 for sha256-only images (backward compatibility)
- Version 1.2 for images using non-sha256 digest algorithms (e.g., sha512)

Add validation in both ImageDestination and ImageSource to:
- Assume 1.1 if no version file found in dir transport images
- Accept both version 1.1 and 1.2
- Refuse unsupported future versions

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
@github-actions github-actions bot added the image Related to "image" package label Nov 26, 2025
@lsm5
image/manifest: Add DigestWithAlgorithm function
bdbac34 
Add a new `manifest.DigestWithAlgorithm` function that
allows computing the digest of a manifest using a specified algorithm
(e.g., SHA256, SHA512) while properly handling v2s1 signed manifest
signature stripping.

This addresses the need for skopeo's `--manifest-digest` flag to support
different digest algorithms while correctly handling all manifest types,
particularly Docker v2s1 signed manifests that require signature
stripping before digest computation.

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
@lsm5 lsm5 force-pushed the digest-redux-manifest branch from e1149c9 to bdbac34 Compare November 26, 2025 19:40
@lsm5 lsm5 changed the title manifest: Add DigestWithAlgorithm function image/manifest: Add DigestWithAlgorithm function Nov 26, 2025
@packit-as-a-service
Copy link

packit-as-a-service bot commented Nov 26, 2025

Packit jobs failed. @containers/packit-build please check.

podmanbot pushed a commit to podmanbot/buildah that referenced this pull request Nov 26, 2025
@github-actions
dnm: Vendor changes from containers/container-libs#499
ddcc97e
@podmanbot
Copy link

podmanbot commented Nov 26, 2025

✅ A new PR has been created in buildah to vendor these changes: containers/buildah#6541

@podmanbot podmanbot mentioned this pull request Nov 26, 2025
Draft
@lsm5 lsm5 mentioned this pull request Nov 26, 2025
Open
@lsm5 lsm5 marked this pull request as ready for review November 27, 2025 14:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

image Related to "image" package

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lsm5 @podmanbot