image/internal: validate blob against digest

lsm5 · lsm5 · commit b2b28b0b9f09 · 2025-11-17T10:56:23.000-05:00
`validateBlobAgainstDigest` verifies that the provided blob matches
the exepcted digest. If expected digest itself is invalid or unusable,
it rejects the blob. Callers don't need to pre-validate the expected
digest.

This enables `skopeo copy` to work with sha512-digested images.

Signed-off-by: Lokesh Mandvekar &lt;lsm5@redhat.com&gt;
diff --git a/image/internal/image/digest_validation.go b/image/internal/image/digest_validation.go
@@ -0,0 +1,26 @@
+package image
+
+import (
+	"fmt"
+
+	"github.com/opencontainers/go-digest"
+)
+
+func validateBlobAgainstDigest(blob []byte, expectedDigest digest.Digest) error {
+	if expectedDigest == "" {
+		return fmt.Errorf("expected digest is empty")
+	}
+	err := expectedDigest.Validate()
+	if err != nil {
+		return fmt.Errorf("invalid digest format: %q", expectedDigest)
+	}
+	digestAlgorithm := expectedDigest.Algorithm()
+	if !digestAlgorithm.Available() {
+		return fmt.Errorf("unsupported digest algorithm: %s", digestAlgorithm)
+	}
+	computedDigest := digestAlgorithm.FromBytes(blob)
+	if computedDigest != expectedDigest {
+		return fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, expectedDigest)
+	}
+	return nil
+}
diff --git a/image/internal/image/docker_schema2.go b/image/internal/image/docker_schema2.go
@@ -110,9 +110,9 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
 		if err != nil {
 			return nil, err
 		}
-		computedDigest := digest.FromBytes(blob)
-		if computedDigest != m.m.ConfigDescriptor.Digest {
-			return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.ConfigDescriptor.Digest)
+		expectedDigest := m.m.ConfigDescriptor.Digest
+		if err := validateBlobAgainstDigest(blob, expectedDigest); err != nil {
+			return nil, fmt.Errorf("config descriptor validation failed: %w", err)
 		}
 		m.configBlob = blob
 	}
diff --git a/image/internal/image/oci.go b/image/internal/image/oci.go
@@ -8,7 +8,6 @@ import (
 	"slices"
 
 	ociencspec "github.com/containers/ocicrypt/spec"
-	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"go.podman.io/image/v5/docker/reference"
 	"go.podman.io/image/v5/internal/iolimits"
@@ -74,9 +73,9 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
 		if err != nil {
 			return nil, err
 		}
-		computedDigest := digest.FromBytes(blob)
-		if computedDigest != m.m.Config.Digest {
-			return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.Config.Digest)
+		expectedDigest := m.m.Config.Digest
+		if err := validateBlobAgainstDigest(blob, expectedDigest); err != nil {
+			return nil, fmt.Errorf("config validation failed: %w", err)
 		}
 		m.configBlob = blob
 	}

Original file line number	Diff line number	Diff line change
`@@ -110,9 +110,9 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {`
`110`	`110`	`if err != nil {`
`111`	`111`	`return nil, err`
`112`	`112`	`}`
`113`		`- computedDigest := digest.FromBytes(blob)`
`114`		`- if computedDigest != m.m.ConfigDescriptor.Digest {`
`115`		`- return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.ConfigDescriptor.Digest)`
	`113`	`+ expectedDigest := m.m.ConfigDescriptor.Digest`
	`114`	`+ if err := validateBlobAgainstDigest(blob, expectedDigest); err != nil {`
	`115`	`+ return nil, fmt.Errorf("config descriptor validation failed: %w", err)`
`116`	`116`	`}`
`117`	`117`	`m.configBlob = blob`
`118`	`118`	`}`
Original file line number	Diff line number	Diff line change
`@@ -8,7 +8,6 @@ import (`
`8`	`8`	`"slices"`
`9`	`9`
`10`	`10`	`ociencspec "github.com/containers/ocicrypt/spec"`
`11`		`- "github.com/opencontainers/go-digest"`
`12`	`11`	`imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"`
`13`	`12`	`"go.podman.io/image/v5/docker/reference"`
`14`	`13`	`"go.podman.io/image/v5/internal/iolimits"`
`@@ -74,9 +73,9 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {`
`74`	`73`	`if err != nil {`
`75`	`74`	`return nil, err`
`76`	`75`	`}`
`77`		`- computedDigest := digest.FromBytes(blob)`
`78`		`- if computedDigest != m.m.Config.Digest {`
`79`		`- return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.Config.Digest)`
	`76`	`+ expectedDigest := m.m.Config.Digest`
	`77`	`+ if err := validateBlobAgainstDigest(blob, expectedDigest); err != nil {`
	`78`	`+ return nil, fmt.Errorf("config validation failed: %w", err)`
`80`	`79`	`}`
`81`	`80`	`m.configBlob = blob`
`82`	`81`	`}`