Skip to content

Support SHA512 hash for image verification #154

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
simcod wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Support SHA512 hash for image verification #154

simcod wants to merge 10 commits into from

Conversation

@simcod
Copy link
Contributor

@simcod simcod commented Mar 5, 2025

Description

When a machine image is retrieved, its integrity is checked. Currently this is done with an md5 hash file next to the image file. This PR adds support for a sha512 checksum file. Thus, md5 and sha512 checksum files can be used for image verification. If both are present, sha512 will be used.

majst01
majst01 reviewed Mar 5, 2025
View reviewed changes
@majst01
Copy link
Contributor

majst01 commented Mar 5, 2025

This would raise a lot of work in other repos like, metal-images, metal-image-cache and potentially others.

I would rather prefer that we try to move over to use OCI images. This format already includes signing and is a more commonly used format for such use-cases.

majst01
majst01 reviewed Mar 7, 2025
View reviewed changes
@simcod simcod marked this pull request as ready for review March 10, 2025 07:02
@simcod simcod requested a review from a team as a code owner March 10, 2025 07:02
robertvolkmann
robertvolkmann suggested changes Mar 10, 2025
View reviewed changes
@majst01
Copy link
Contributor

majst01 commented Mar 13, 2025

Will merge after i validated #148 in our test environment !

@majst01
Copy link
Contributor

majst01 commented Mar 19, 2025
edited
Loading

Maybe this also helps in this respect:

https://github.blog/changelog/2025-03-18-github-actions-now-supports-a-digest-for-validating-your-artifacts-at-runtime/

Should at least be noted in the Readme.md

@github-project-automation github-project-automation bot moved this to Review in Development Jun 5, 2025
@Gerrit91 Gerrit91 removed the status in Development Jun 13, 2025
@robertvolkmann robertvolkmann changed the title Support sha512 hash for image verification Support SHA512 hash for image verification Jun 30, 2025
@robertvolkmann
Copy link
Contributor

robertvolkmann commented Oct 20, 2025

Any plan to merge or to close it?

@majst01
Copy link
Contributor

majst01 commented Oct 21, 2025

Any plan to merge or to close it?

There are still no sha256 checksum generated, still interested in this but this must be done first.

@robertvolkmann
Copy link
Contributor

robertvolkmann commented Oct 21, 2025

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

@mac641
Copy link
Contributor

mac641 commented Oct 22, 2025

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

Yes, it reads interesting. I'll see what I can do.

@majst01
Copy link
Contributor

majst01 commented Oct 22, 2025

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

Yes, it reads interesting. I'll see what I can do.

I am not sure if this is worth the effort, i would rather prefer to make metal-hammer able to pull metal-images as oci artifacts. This would also solve the signature check problem and must not be done for two algorithms as here

@majst01 majst01 mentioned this pull request Oct 22, 2025
Draft
@majst01
Copy link
Contributor

majst01 commented Oct 22, 2025

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

Yes, it reads interesting. I'll see what I can do.

I am not sure if this is worth the effort, i would rather prefer to make metal-hammer able to pull metal-images as oci artifacts. This would also solve the signature check problem and must not be done for two algorithms as here

Made a small sample here: #169 which should not be used as a real PR but as showcase how this could be achieved.

if someone has spare time, raise your hands :-)

@mac641
Copy link
Contributor

mac641 commented Oct 23, 2025

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

Yes, it reads interesting. I'll see what I can do.

I am not sure if this is worth the effort, i would rather prefer to make metal-hammer able to pull metal-images as oci artifacts. This would also solve the signature check problem and must not be done for two algorithms as here

Made a small sample here: #169 which should not be used as a real PR but as showcase how this could be achieved.

if someone has spare time, raise your hands :-)

Me ✋

@mac641 mac641 mentioned this pull request Nov 14, 2025
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@majst01 majst01 majst01 left review comments

@vknabel vknabel vknabel approved these changes

+1 more reviewer

@robertvolkmann robertvolkmann robertvolkmann approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

Development
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@simcod @majst01 @robertvolkmann @mac641 @vknabel