image/directory: digest algorithm agility with manifest constraints

lsm5 · claude · lsm5 · commit f8744f33c697 · 2025-11-19T16:17:26.000-05:00
When storing blobs with non-canonical digest algorithms (e.g., sha512):
- Store the blob under the provided digest algorithm (e.g., "sha512-abc")
- Also compute and store a hard link under the canonical digest (sha256)

Co-Authored-By: Claude Code &lt;noreply@anthropic.com&gt;
Signed-off-by: Lokesh Mandvekar &lt;lsm5@redhat.com&gt;
diff --git a/image/directory/directory_dest.go b/image/directory/directory_dest.go
@@ -151,7 +151,15 @@ func (d *dirImageDestination) PutBlobWithOptions(ctx context.Context, stream io.
 		}
 	}()
 
-	digester, stream := putblobdigest.DigestIfCanonicalUnknown(stream, inputInfo)
+	digester, stream := putblobdigest.DigestIfUnknown(stream, inputInfo)
+
+	var canonicalDigester digest.Digester
+	computeCanonical := inputInfo.Digest != "" && inputInfo.Digest.Algorithm() != digest.Canonical
+	if computeCanonical {
+		canonicalDigester = digest.Canonical.Digester()
+		stream = io.TeeReader(stream, canonicalDigester.Hash())
+	}
+
 	// TODO: This can take quite some time, and should ideally be cancellable using ctx.Done().
 	size, err := io.Copy(blobFile, stream)
 	if err != nil {
@@ -185,6 +193,18 @@ func (d *dirImageDestination) PutBlobWithOptions(ctx context.Context, stream io.
 	if err := os.Rename(blobFile.Name(), blobPath); err != nil {
 		return private.UploadedBlob{}, err
 	}
+
+	if computeCanonical {
+		canonicalDigest := canonicalDigester.Digest()
+		canonicalPath, err := d.ref.layerPath(canonicalDigest)
+		if err != nil {
+			return private.UploadedBlob{}, err
+		}
+		if err := os.Link(blobPath, canonicalPath); err != nil && !os.IsExist(err) {
+			return private.UploadedBlob{}, fmt.Errorf("creating canonical digest link: %w", err)
+		}
+	}
+
 	succeeded = true
 	return private.UploadedBlob{Digest: blobDigest, Size: size}, nil
 }
diff --git a/image/directory/directory_transport.go b/image/directory/directory_transport.go
@@ -176,8 +176,15 @@ func (ref dirReference) layerPath(digest digest.Digest) (string, error) {
 	if err := digest.Validate(); err != nil { // digest.Digest.Encoded() panics on failure, and could possibly result in a path with ../, so validate explicitly.
 		return "", err
 	}
-	// FIXME: Should we keep the digest identification?
-	return filepath.Join(ref.path, digest.Encoded()), nil
+
+	var filename string
+	if digest.Algorithm().String() == "sha256" {
+		filename = digest.Encoded()
+	} else {
+		filename = digest.Algorithm().String() + "-" + digest.Encoded()
+	}
+
+	return filepath.Join(ref.path, filename), nil
 }
 
 // signaturePath returns a path for a signature within a directory using our conventions.
diff --git a/image/directory/directory_transport_test.go b/image/directory/directory_transport_test.go
@@ -209,14 +209,21 @@ func TestReferenceManifestPath(t *testing.T) {
 }
 
 func TestReferenceLayerPath(t *testing.T) {
-	const hex = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+	const hex256 = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+	const hex512 = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
 
 	ref, tmpDir := refToTempDir(t)
 	dirRef, ok := ref.(dirReference)
 	require.True(t, ok)
-	res, err := dirRef.layerPath("sha256:" + hex)
+
+	res, err := dirRef.layerPath("sha256:" + hex256)
+	require.NoError(t, err)
+	assert.Equal(t, tmpDir+"/"+hex256, res)
+
+	res, err = dirRef.layerPath("sha512:" + hex512)
 	require.NoError(t, err)
-	assert.Equal(t, tmpDir+"/"+hex, res)
+	assert.Equal(t, tmpDir+"/sha512-"+hex512, res)
+
 	_, err = dirRef.layerPath(digest.Digest("sha256:../hello"))
 	assert.Error(t, err)
 }
