Add --digestfile support to buildah source push #5399

Closed
arewm opened this issue Mar 12, 2024 · 0 comments · Fixed by #5454

arewm commented Mar 12, 2024

Description

When using buildah source push, I would like to know what the digest of the OCI artifact pushed is such that I can reference the artifact by digest instead of tag.

In order to ensure that the content of a source is not tampered with, the best practice is to use digest references as the digest is sensitive to any changes in the underlying tarballs. In the absence of knowing what the digest of the artifact is at push time, the process for getting the digest value would be something like:

  • Push the source artifact to the registry
  • Query for the digest of the artifact in the remote registry
  • Pull the artifact from the remote registry by digest
  • Check the integrity of the artifact against the local filesystem

Another potential option would be to use Skopeo to push the artifact:

$ buildah source create /tmp/source-image
$ buildah source add /tmp/source-image /foo/bar
$ buildah source add /tmp/source-image /foo/baz
$ skopeo copy --digestfile digestfile.local oci:/tmp/source-image docker://quay.io/foobar/baz-source

But this would not work well if running from within a single Tekton task from a container that only has buildah.
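
The integrity check in the last step of the list above, as an added example that is not part of the original issue or of buildah. It assumes the source directory is a standard OCI image layout (as the `oci:` transport in the Skopeo command implies), that the digest file holds a single `sha256:<hex>` manifest digest, and that the push left the manifest bytes unchanged; the function names and the sample layout are constructed for illustration.

```python
import hashlib, json, os, re, tempfile

def read_blob(layout, desc):
    """Return the blob a descriptor names; raise if size or digest differ."""
    # Reject anything that is not <alg>:<hex> so the digest cannot escape blobs/.
    if not re.fullmatch(r"sha(256|512):[0-9a-f]+", desc["digest"]):
        raise ValueError("unsupported digest " + desc["digest"])
    alg, hexval = desc["digest"].split(":", 1)
    with open(os.path.join(layout, "blobs", alg, hexval), "rb") as f:
        data = f.read()
    if len(data) != desc["size"] or hashlib.new(alg, data).hexdigest() != hexval:
        raise ValueError("blob does not match descriptor " + desc["digest"])
    return data

def verify_layout(layout):
    """Verify manifest, config and every layer; return the manifest digest."""
    with open(os.path.join(layout, "index.json")) as f:
        index = json.load(f)
    if len(index["manifests"]) != 1:
        raise ValueError("expected exactly one manifest in index.json")
    top = index["manifests"][0]
    manifest = json.loads(read_blob(layout, top))
    for desc in [manifest["config"], *manifest["layers"]]:
        read_blob(layout, desc)  # each source tarball is a layer blob
    return top["digest"]

def matches_digestfile(layout, digestfile):
    """True if the digest recorded at push time names the verified local manifest."""
    with open(digestfile) as f:
        return f.read().strip() == verify_layout(layout)

def build_sample_layout(root):
    """Constructed sample: a one-layer layout shaped like a source image."""
    def put(data):
        hexval = hashlib.sha256(data).hexdigest()
        os.makedirs(os.path.join(root, "blobs", "sha256"), exist_ok=True)
        with open(os.path.join(root, "blobs", "sha256", hexval), "wb") as f:
            f.write(data)
        return {"digest": "sha256:" + hexval, "size": len(data)}
    manifest = {"schemaVersion": 2, "config": put(b"{}"),
                "layers": [put(b"constructed tarball bytes")]}
    top = put(json.dumps(manifest).encode())
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": [top]}, f)
    return top["digest"], manifest["layers"][0]["digest"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        digest, _ = build_sample_layout(d)
        print(verify_layout(d) == digest)
```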

flouthoc added a commit to flouthoc/buildah that referenced this issue Apr 2, 2024
Allow writing digest of the pushed source to the specified `digestfile`

Closes: containers#5399

Signed-off-by: flouthoc <flouthoc.git@gmail.com>
@stale-locking-app stale-locking-app bot locked as resolved and limited conversation to collaborators Jul 3, 2024