schema: allow compound algorithm specifiers in digests

[stevvooe]

While we currently have support for only sha256 in digests, OCI image
processors may encounter other kinds of "compound" digests, such as
tarsum+sha256. This change allows OCI validation stacks to correctly
validate these digest algorithms, then let them report failure based on
the lack of algorithm support.

Future cases include allow different encoding, such as a sha256+b64
and others. While this future proofs the field against this, this isn't
an endorsement to ride out and do this today. This just provides some
algorithmic agility that may be required later.

Note that this brings digest in line with what is supported across the
docker ecosystem today.

Signed-off-by: Stephen J Day stephen.day@docker.com

[AkihiroSuda]

Do we need other than +?

[AkihiroSuda]

Also, can we allow non-hexadecimal digest values?
e.g.
multihash+base58:QmRZxt2b1FVZPNqd8hsiykDL3TdBDeTSPX9Kv46HmX4Gx8

[zhouhao3]

Need add fail: false,.

[stevvooe]

Actually, you don't. Go initializes values to their zero value. The zero value for a boolean is false.

[stevvooe]

Also, can we allow non-hexadecimal digest values?
e.g.
multihash+base58:QmRZxt2b1FVZPNqd8hsiykDL3TdBDeTSPX9Kv46HmX4Gx8

Agreed, but I'll do this in a follow up.

[vbatts]

This lgtm, though there is no wording around this structure and what the separators indicate. If a value of sha256+farts+farts+farts:0228f90e926ba6b96e4f39cf294b2586d38fbb5a1e385c05cd1ee40ea54fe7fd is encountered, should it be attempted as sha256 or just errored out if I don't have a hash of sha256+farts+farts+farts?

[stevvooe]

The algorithms are treated as hardcoded strings. The allowance of these characters is just for stylization and this PR is just reserving the ability to do this in the future.

sha256+farts+farts+farts would have to be specific algorithm registered with the digester, contained in at least three levels of farts, by convention. From the perspective of the digest dispatch in go-digest, sha256+farts+farts and sha256+farts+farts+farts are just strings without any relation.

[AkihiroSuda]

What is the expected meaning of [._-]?
Does it differ from +?

[vbatts]

right on. A brief explanation of that, as well as updating the regexp, in https://github.com/opencontainers/image-spec/blob/master/descriptor.md#digests-and-verification would be helpful then.

[stevvooe]

@vbatts Widened the character set and updated the specification to match the goal.

@opencontainers/image-spec-maintainers PTAL

[wking]

If the intention is to allow filesystem safe base 64, you'll want to add _=- to your encoded regexp. If the intention is to allow vanilla base 64, you'll want to add +/=.

[vbatts]

oh right. hrm.

[stevvooe]

= actually isn't needed for base64. I'll add _-.

[wking]

= actually isn't needed for base64. I'll add _-.

From the RFC:

Implementations MUST include appropriate pad characters at the end of encoded data unless the specification referring to this document explicitly states otherwise.

So if you do not allow = than all specs that use base 64 will need that explicit statement. This spec doesn't currently reference RFC 4648, so we don't need that explicit statement, but I see no reason to forbid = in the encoded part.

[stevvooe]

@wking The padding is recoverable from the length of the string. It is not needed in this case or most uses of base64. In fact, the RFC says exactly that. Please be clear that we are not adding support for base64 encoded digests. We are ensuring that they are supportable in the future.

[wking]

We are ensuring that they are supportable in the future.

Right, but without allowing trailing =, you're allowing them only when:

• The alg defines the length of the unencoded hash, and
• The alg spec explicitly states that pad characters MUST NOT be appended.

[vbatts]

apart from allowing the charset for base64 in the encoded section, this LGTM

[stevvooe]

@vbatts Updated.

[erikh]

can you see my comments on this subject on #599? Maybe we can unify this.

[stevvooe]

@erikh I'm not sure that is fully related. Digest already has a history of a particular character set.

[vbatts]

base64 has = for padding as well

[stevvooe]

= is not required for base64, since the length is known.

[vbatts]

sorry, how is the length known for arbitrary encoded types?

[stevvooe]

The length of the digest is a part of the algorithm. Each algorithm has a fixed length.

[vbatts]

that feels like an assumption, especially as this is introducing arbitrary encoding types.

[stevvooe]

But it is not an assumption. The algorithm must encode the length.

[vbatts]

i must be missing something. i don't see that is not outlined anywhere.

[stevvooe]

crytpo.Hash, identified by the algorithm, has a fixed length output. It is a property of cryptographic hash functions. I'm pushing an update that allows this anyway. Do you have any examples of cryptographic hash functions that aren't parameterized by configuration of the algorithm? Effectively, they have to comparable in the same domain and typically that doesn't exist.

[stevvooe]

Updated to allow it though.

[vbatts]

right right, but crypto.Hash is not what we're binding ourselves to here. It's being opened up to allow arbitrary strings for the algorithm. Just saying that it's an assumption that the algorithm being used has a fixed size.
Thanks for updating. I'll take a look.

[stevvooe]

@opencontainers/image-spec-maintainers PTAL

Let's move this forward so we can get the release out.

[stevvooe]

Updates:

• Allow = in encoded portion
• Decomposed regexp into components

[vbatts]

heh
LGTM

[wking]

“Supported” isn't particularly clear to me. I think there are two interesting levels for algorithm identifiers in the spec:

• Registered (e.g. listed here).
• Required to be implemented (as we do for sha256 here).

For example, sha512 (in flight with #609) would be “registered” but would not be “required to be implemented”.

I'm in favor of staying DRY and dropping the “Supported” column here, but I'd also be ok with a “Registered” and/or “Required to be implemented” columns. Without a clearer definition, I'm not in favor of a “Supported” column.

[stevvooe]

When this PR lands, you can submit a wildly complicated scheme to your liking. For now, this is quite clear.

[vbatts]

heh. Though "support" has meaning in contexts. This is perhaps clear enough

[wking]

This is perhaps clear enough…

It will become more clear once this is rebased around #609 (which has since landed), since we can see what value sha512 gets in this column to distinguish “registered” from “required to be implemented”.

[AkihiroSuda]

Please consider adding the following sentence:

When encoded denotes a hex value, it MUST NOT (SHOULD NOT?) use upper characters, i.e. /[A-F]/. (when algorithm is sha256?)

[stevvooe]

When encoded denotes a hex value, it MUST NOT (SHOULD NOT?) use upper characters, i.e. /[A-F]/. (when algorithm is sha256?)

This constraint belongs to the algorithm, not this portion of the specification. If you want to qualify this, please submit a second PR.

[stevvooe]

@AkihiroSuda Maybe, it could be part of the registered table?

[vbatts]

pls2rebase

[stevvooe]

pls2rebase

Done.

[vbatts]

maybe a nit, but does this grammar implies that there be only a single separator+component?

[stevvooe]

[] is "optional" and * is zero or more. This should match the following productions (A = algorithm-component, S = algorithm-separator):

A
ASA
ASASA

The following would not be matched:

SA
ASAS

Put more succinctly, it allows a separator to appear sandwiched by algorithm-component, non-contiguously.

[vbatts]

besides the nit question, i reckon this LGTM

[vbatts]

silly pullapprove
👍

[stevvooe]

@opencontainers/image-spec-maintainers PTAL

[philips]

LGTM, thanks @stevvooe