`cfsctl` digests are incompatible with recent `bootc`

[gucci-on-fleek]

Since bootc-dev/bootc@02c57b3, bootc exclusively uses SHA-512 digests. This means that building a composefs-based image and installing it with bootc install to-disk won't work:

• If you use a Type 1 BLS entry (/boot/loader/entries/), installation will work properly, but bootc will write a SHA-512 digest to /boot/loader/entries/[…].conf, so booting the system fails in the initramfs with an Error: Invalid string length error.

  composefs-rs/crates/composefs-setup-root/src/main.rs

  Line 239 in 0f63603

  let (image, insecure) = get_cmdline_composefs::<Sha256HashValue>(cmdline)?;

• If you use a Type 2 BLS entry (UKI), then cfsctl will only output SHA-256 digests

  composefs-rs/crates/cfsctl/src/main.rs

  Lines 255 to 261 in 0f63603

  	OciCommand::Pull { ref image, name } => {
  	let (sha256, verity) =
  	composefs_oci::pull(&Arc::new(repo), image, name.as_deref(), None).await?;
  	println!("sha256 {}", hex::encode(sha256));
  	println!("verity {}", verity.to_hex());
  	}

  so the digests embedded in the UKI will also use SHA-256. This means that when installing with bootc install to-disk, you'll get an error: Installing to disk: Setting up composefs boot: Setting up UKI boot: Writing <kver>.efi to ESP: Parsing composefs=: Invalid string length error.

  https://github.com/bootc-dev/bootc/blob/71dc8e52d3697155c1f0b668313a00b555ce78f1/crates/lib/src/bootc_composefs/boot.rs#L609

There are examples of both methods in examples/, but because of this, none of them are working for me right now.

(I may also be completely misunderstanding something and/or building my containers incorrectly, so sorry in advance if everything that I mentioned above turns out to be wrong.)

[cgwalters]

Hi, at the current time the intention is that bootc will have a frontend for every operation currently exposed via cfsctl.

There are examples of both methods in examples/, but because of this, none of them are working for me right now.

In this particular case, see https://github.com/bootc-dev/bootc/blob/71dc8e52d3697155c1f0b668313a00b555ce78f1/tests/build-sealed#L39 which we plan to stabilize as an API - but feedback on all of that appreciated!