[sha512]: image: enable sha512 support

lsm5 · lsm5 · commit 63e8928a568e · 2025-10-06T14:33:02.000-04:00
Use storage/pkg/supported-digests to get and set digest based on user
input.

Signed-off-by: Lokesh Mandvekar &lt;lsm5@redhat.com&gt;
diff --git a/image/copy/digesting_reader_test.go b/image/copy/digesting_reader_test.go
@@ -34,6 +34,10 @@ func TestDigestingReaderRead(t *testing.T) {
 		{[]byte(""), "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
 		{[]byte("abc"), "sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"},
 		{make([]byte, 65537), "sha256:3266304f31be278d06c3bd3eb9aa3e00c59bedec0a890de466568b0b90b0e01f"},
+		// SHA512 test cases
+		{[]byte(""), "sha512:cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"},
+		{[]byte("abc"), "sha512:ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"},
+		{make([]byte, 65537), "sha512:490821004e5a6025fe335a11f6c27b0f73cae0434bd9d2e5ac7aee3370bd421718cad7d8fbfd5f39153b6ca3b05faede68f5d6e462eeaf143bb034791ceb72ab"},
 	}
 	// Valid input
 	for _, c := range cases {
diff --git a/image/copy/single.go b/image/copy/single.go
@@ -28,6 +28,7 @@ import (
 	"go.podman.io/image/v5/transports"
 	"go.podman.io/image/v5/types"
 	chunkedToc "go.podman.io/storage/pkg/chunked/toc"
+	supportedDigests "go.podman.io/storage/pkg/supported-digests"
 )
 
 // imageCopier tracks state specific to a single image (possibly an item of a manifest list)
@@ -987,7 +988,9 @@ func computeDiffID(stream io.Reader, decompressor compressiontypes.DecompressorF
 		stream = s
 	}
 
-	return digest.Canonical.FromReader(stream)
+	// Use the configured digest algorithm
+	algorithm := supportedDigests.Get()
+	return algorithm.FromReader(stream)
 }
 
 // algorithmsByNames returns slice of Algorithms from a sequence of Algorithm Names
diff --git a/image/copy/single_test.go b/image/copy/single_test.go
@@ -17,6 +17,7 @@ import (
 	"go.podman.io/image/v5/pkg/compression"
 	compressiontypes "go.podman.io/image/v5/pkg/compression/types"
 	"go.podman.io/image/v5/types"
+	supportedDigests "go.podman.io/storage/pkg/supported-digests"
 )
 
 func TestUpdatedBlobInfoFromReuse(t *testing.T) {
@@ -110,13 +111,33 @@ func goDiffIDComputationGoroutineWithTimeout(layerStream io.ReadCloser, decompre
 }
 
 func TestDiffIDComputationGoroutine(t *testing.T) {
+	// Test with SHA256 (default)
 	stream, err := os.Open("fixtures/Hello.uncompressed")
 	require.NoError(t, err)
 	res := goDiffIDComputationGoroutineWithTimeout(stream, nil)
 	require.NotNil(t, res)
 	assert.NoError(t, res.err)
 	assert.Equal(t, "sha256:185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969", res.digest.String())
 
+	// Test with SHA512
+	stream2, err := os.Open("fixtures/Hello.uncompressed")
+	require.NoError(t, err)
+	defer stream2.Close()
+
+	// Save original algorithm and set SHA512
+	originalAlgorithm := supportedDigests.Get()
+	defer func() {
+		err := supportedDigests.Set(originalAlgorithm)
+		require.NoError(t, err)
+	}()
+	err = supportedDigests.Set(digest.SHA512)
+	require.NoError(t, err)
+
+	res2 := goDiffIDComputationGoroutineWithTimeout(stream2, nil)
+	require.NotNil(t, res2)
+	assert.NoError(t, res2.err)
+	assert.Equal(t, "sha512:3615f80c9d293ed7402687f94b22d58e529b8cc7916f8fac7fddf7fbd5af4cf777d3d795a7a00a16bf7e7f3fb9561ee9baae480da9fe7a18769e71886b03f315", res2.digest.String())
+
 	// Error reading input
 	reader, writer := io.Pipe()
 	err = writer.CloseWithError(errors.New("Expected error reading input in diffIDComputationGoroutine"))
@@ -130,32 +151,60 @@ func TestComputeDiffID(t *testing.T) {
 	for _, c := range []struct {
 		filename     string
 		decompressor compressiontypes.DecompressorFunc
+		algorithm    digest.Algorithm
 		result       digest.Digest
 	}{
-		{"fixtures/Hello.uncompressed", nil, "sha256:185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969"},
-		{"fixtures/Hello.gz", nil, "sha256:0bd4409dcd76476a263b8f3221b4ce04eb4686dec40bfdcc2e86a7403de13609"},
-		{"fixtures/Hello.gz", compression.GzipDecompressor, "sha256:185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969"},
-		{"fixtures/Hello.zst", nil, "sha256:361a8e0372ad438a0316eb39a290318364c10b60d0a7e55b40aa3eafafc55238"},
-		{"fixtures/Hello.zst", compression.ZstdDecompressor, "sha256:185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969"},
+		// SHA256 test cases (default)
+		{"fixtures/Hello.uncompressed", nil, digest.SHA256, "sha256:185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969"},
+		{"fixtures/Hello.gz", nil, digest.SHA256, "sha256:0bd4409dcd76476a263b8f3221b4ce04eb4686dec40bfdcc2e86a7403de13609"},
+		{"fixtures/Hello.gz", compression.GzipDecompressor, digest.SHA256, "sha256:185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969"},
+		{"fixtures/Hello.zst", nil, digest.SHA256, "sha256:361a8e0372ad438a0316eb39a290318364c10b60d0a7e55b40aa3eafafc55238"},
+		{"fixtures/Hello.zst", compression.ZstdDecompressor, digest.SHA256, "sha256:185f8db32271fe25f561a6fc938b2e264306ec304eda518007d1764826381969"},
+		// SHA512 test cases
+		{"fixtures/Hello.uncompressed", nil, digest.SHA512, "sha512:3615f80c9d293ed7402687f94b22d58e529b8cc7916f8fac7fddf7fbd5af4cf777d3d795a7a00a16bf7e7f3fb9561ee9baae480da9fe7a18769e71886b03f315"},
+		{"fixtures/Hello.gz", nil, digest.SHA512, "sha512:8ee9be48dfc6274f65199847cd18ff4711f00329c5063b17cd128ba45ea1b9cea2479db0266cc1f4a3902874fdd7306f9c8a615347c0603b893fc75184fcb627"},
+		{"fixtures/Hello.gz", compression.GzipDecompressor, digest.SHA512, "sha512:3615f80c9d293ed7402687f94b22d58e529b8cc7916f8fac7fddf7fbd5af4cf777d3d795a7a00a16bf7e7f3fb9561ee9baae480da9fe7a18769e71886b03f315"},
+		{"fixtures/Hello.zst", nil, digest.SHA512, "sha512:e4ddd61689ce9d1cdd49e11dc8dc89ca064bdb09e85b9df56658560b8207647a78b95d04c3f5f2fb31abf13e1822f0d19307df18a3fdf88f58ef24a50e71a1ae"},
+		{"fixtures/Hello.zst", compression.ZstdDecompressor, digest.SHA512, "sha512:3615f80c9d293ed7402687f94b22d58e529b8cc7916f8fac7fddf7fbd5af4cf777d3d795a7a00a16bf7e7f3fb9561ee9baae480da9fe7a18769e71886b03f315"},
 	} {
 		stream, err := os.Open(c.filename)
 		require.NoError(t, err, c.filename)
 		defer stream.Close()
 
+		// Save original algorithm and set the desired one
+		originalAlgorithm := supportedDigests.Get()
+		err = supportedDigests.Set(c.algorithm)
+		require.NoError(t, err)
+
+		// Test the digest computation directly without ImageDestination
 		diffID, err := computeDiffID(stream, c.decompressor)
+
+		// Restore the original algorithm
+		err = supportedDigests.Set(originalAlgorithm)
+		require.NoError(t, err)
+
 		require.NoError(t, err, c.filename)
 		assert.Equal(t, c.result, diffID)
 	}
 
 	// Error initializing decompression
-	_, err := computeDiffID(bytes.NewReader([]byte{}), compression.GzipDecompressor)
+	originalAlgorithm := supportedDigests.Get()
+	err := supportedDigests.Set(digest.SHA256)
+	require.NoError(t, err)
+	_, err = computeDiffID(bytes.NewReader([]byte{}), compression.GzipDecompressor)
 	assert.Error(t, err)
+	err = supportedDigests.Set(originalAlgorithm)
+	require.NoError(t, err)
 
 	// Error reading input
 	reader, writer := io.Pipe()
 	defer reader.Close()
 	err = writer.CloseWithError(errors.New("Expected error reading input in computeDiffID"))
 	require.NoError(t, err)
+	err = supportedDigests.Set(digest.SHA256)
+	require.NoError(t, err)
 	_, err = computeDiffID(reader, nil)
 	assert.Error(t, err)
+	err = supportedDigests.Set(originalAlgorithm)
+	require.NoError(t, err)
 }
diff --git a/image/internal/image/docker_schema2.go b/image/internal/image/docker_schema2.go
@@ -110,9 +110,12 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {
 		if err != nil {
 			return nil, err
 		}
-		computedDigest := digest.FromBytes(blob)
-		if computedDigest != m.m.ConfigDescriptor.Digest {
-			return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.ConfigDescriptor.Digest)
+		// Use the same algorithm as the expected digest
+		expectedDigest := m.m.ConfigDescriptor.Digest
+		algorithm := expectedDigest.Algorithm()
+		computedDigest := algorithm.FromBytes(blob)
+		if computedDigest != expectedDigest {
+			return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, expectedDigest)
 		}
 		m.configBlob = blob
 	}
diff --git a/image/internal/image/oci.go b/image/internal/image/oci.go
@@ -8,7 +8,6 @@ import (
 	"slices"
 
 	ociencspec "github.com/containers/ocicrypt/spec"
-	"github.com/opencontainers/go-digest"
 	imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
 	"go.podman.io/image/v5/docker/reference"
 	"go.podman.io/image/v5/internal/iolimits"
@@ -74,9 +73,12 @@ func (m *manifestOCI1) ConfigBlob(ctx context.Context) ([]byte, error) {
 		if err != nil {
 			return nil, err
 		}
-		computedDigest := digest.FromBytes(blob)
-		if computedDigest != m.m.Config.Digest {
-			return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.Config.Digest)
+		// Use the same algorithm as the expected digest
+		expectedDigest := m.m.Config.Digest
+		algorithm := expectedDigest.Algorithm()
+		computedDigest := algorithm.FromBytes(blob)
+		if computedDigest != expectedDigest {
+			return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, expectedDigest)
 		}
 		m.configBlob = blob
 	}
diff --git a/image/internal/manifest/manifest_test.go b/image/internal/manifest/manifest_test.go
@@ -71,6 +71,26 @@ func TestDigest(t *testing.T) {
 	actualDigest, err := Digest([]byte{})
 	require.NoError(t, err)
 	assert.Equal(t, digest.Digest(digestSha256EmptyTar), actualDigest)
+
+	// Test SHA512 digest computation
+	testData := []byte("test manifest data")
+
+	// Test SHA256 digest
+	sha256Digest := digest.SHA256.FromBytes(testData)
+	actualDigest, err = Digest(testData)
+	require.NoError(t, err)
+	assert.Equal(t, sha256Digest, actualDigest)
+
+	// Test that we can compute SHA512 digest directly
+	sha512Digest := digest.SHA512.FromBytes(testData)
+	assert.NotEqual(t, sha256Digest, sha512Digest)
+	assert.Equal(t, "sha512", sha512Digest.Algorithm().String())
+	assert.Equal(t, "sha256", sha256Digest.Algorithm().String())
+
+	// Test empty data with SHA512
+	emptySha512Digest := digest.SHA512.FromBytes([]byte{})
+	emptySha256Digest := digest.SHA256.FromBytes([]byte{})
+	assert.NotEqual(t, emptySha256Digest, emptySha512Digest)
 }
 
 func TestMatchesDigest(t *testing.T) {
@@ -87,6 +107,9 @@ func TestMatchesDigest(t *testing.T) {
 		{"v2s1.manifest.json", TestDockerV2S2ManifestDigest, false},
 		// Unrecognized algorithm
 		{"v2s2.manifest.json", digest.Digest("md5:2872f31c5c1f62a694fbd20c1e85257c"), false},
+		// SHA512 test cases
+		{"v2s2.manifest.json", digest.SHA512.FromBytes([]byte("test")), false},
+		{"v2s1.manifest.json", digest.SHA512.FromBytes([]byte("test")), false},
 		// Mangled format
 		{"v2s2.manifest.json", digest.Digest(TestDockerV2S2ManifestDigest.String() + "abc"), false},
 		{"v2s2.manifest.json", digest.Digest(TestDockerV2S2ManifestDigest.String()[:20]), false},
diff --git a/image/internal/putblobdigest/put_blob_digest.go b/image/internal/putblobdigest/put_blob_digest.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/opencontainers/go-digest"
 	"go.podman.io/image/v5/types"
+	supportedDigests "go.podman.io/storage/pkg/supported-digests"
 )
 
 // Digester computes a digest of the provided stream, if not known yet.
@@ -13,15 +14,15 @@ type Digester struct {
 	digester    digest.Digester // Or nil
 }
 
-// newDigester initiates computation of a digest.Canonical digest of stream,
+// newDigester initiates computation of a digest using the configured algorithm of stream,
 // if !validDigest; otherwise it just records knownDigest to be returned later.
 // The caller MUST use the returned stream instead of the original value.
 func newDigester(stream io.Reader, knownDigest digest.Digest, validDigest bool) (Digester, io.Reader) {
 	if validDigest {
 		return Digester{knownDigest: knownDigest}, stream
 	} else {
 		res := Digester{
-			digester: digest.Canonical.Digester(),
+			digester: supportedDigests.Get().Digester(),
 		}
 		stream = io.TeeReader(stream, res.digester.Hash())
 		return res, stream
@@ -37,13 +38,14 @@ func DigestIfUnknown(stream io.Reader, blobInfo types.BlobInfo) (Digester, io.Re
 	return newDigester(stream, d, d != "")
 }
 
-// DigestIfCanonicalUnknown initiates computation of a digest.Canonical digest of stream,
-// if a digest.Canonical digest is not supplied in the provided blobInfo;
+// DigestIfCanonicalUnknown initiates computation of a digest using the configured algorithm of stream,
+// if a digest with the configured algorithm is not supplied in the provided blobInfo;
 // otherwise blobInfo.Digest will be used.
 // The caller MUST use the returned stream instead of the original value.
 func DigestIfCanonicalUnknown(stream io.Reader, blobInfo types.BlobInfo) (Digester, io.Reader) {
 	d := blobInfo.Digest
-	return newDigester(stream, d, d != "" && d.Algorithm() == digest.Canonical)
+	configuredAlgorithm := supportedDigests.Get()
+	return newDigester(stream, d, d != "" && d.Algorithm() == configuredAlgorithm)
 }
 
 // Digest() returns a digest value possibly computed by Digester.
diff --git a/image/internal/putblobdigest/put_blob_digest_test.go b/image/internal/putblobdigest/put_blob_digest_test.go
@@ -40,6 +40,11 @@ func TestDigestIfUnknown(t *testing.T) {
 			computesDigest: false,
 			expectedDigest: digest.Digest("sha256:uninspected-value"),
 		},
+		{
+			inputDigest:    digest.Digest("sha512:uninspected-value"),
+			computesDigest: false,
+			expectedDigest: digest.Digest("sha512:uninspected-value"),
+		},
 		{
 			inputDigest:    digest.Digest("unknown-algorithm:uninspected-value"),
 			computesDigest: false,
@@ -60,6 +65,11 @@ func TestDigestIfCanonicalUnknown(t *testing.T) {
 			computesDigest: false,
 			expectedDigest: digest.Digest("sha256:uninspected-value"),
 		},
+		{
+			inputDigest:    digest.Digest("sha512:uninspected-value"),
+			computesDigest: true,
+			expectedDigest: digest.Canonical.FromBytes(testData),
+		},
 		{
 			inputDigest:    digest.Digest("unknown-algorithm:uninspected-value"),
 			computesDigest: true,
diff --git a/image/pkg/blobcache/dest.go b/image/pkg/blobcache/dest.go
@@ -21,6 +21,7 @@ import (
 	"go.podman.io/image/v5/types"
 	"go.podman.io/storage/pkg/archive"
 	"go.podman.io/storage/pkg/ioutils"
+	supportedDigests "go.podman.io/storage/pkg/supported-digests"
 )
 
 type blobCacheDestination struct {
@@ -92,7 +93,7 @@ func (d *blobCacheDestination) saveStream(wg *sync.WaitGroup, decompressReader i
 		}
 	}()
 
-	digester := digest.Canonical.Digester()
+	digester := supportedDigests.Get().Digester()
 	if err := func() error { // A scope for defer
 		defer tempFile.Close()
 
diff --git a/image/storage/storage_dest.go b/image/storage/storage_dest.go
diff --git a/image/storage/storage_dest_test.go b/image/storage/storage_dest_test.go
diff --git a/image/storage/storage_transport.go b/image/storage/storage_transport.go

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@ import (`
`28`	`28`	`"go.podman.io/image/v5/transports"`
`29`	`29`	`"go.podman.io/image/v5/types"`
`30`	`30`	`chunkedToc "go.podman.io/storage/pkg/chunked/toc"`
	`31`	`+ supportedDigests "go.podman.io/storage/pkg/supported-digests"`
`31`	`32`	`)`
`32`	`33`
`33`	`34`	`// imageCopier tracks state specific to a single image (possibly an item of a manifest list)`
`@@ -987,7 +988,9 @@ func computeDiffID(stream io.Reader, decompressor compressiontypes.DecompressorF`
`987`	`988`	`stream = s`
`988`	`989`	`}`
`989`	`990`
`990`		`- return digest.Canonical.FromReader(stream)`
	`991`	`+ // Use the configured digest algorithm`
	`992`	`+ algorithm := supportedDigests.Get()`
	`993`	`+ return algorithm.FromReader(stream)`
`991`	`994`	`}`
`992`	`995`
`993`	`996`	`// algorithmsByNames returns slice of Algorithms from a sequence of Algorithm Names`
Original file line number	Diff line number	Diff line change
`@@ -110,9 +110,12 @@ func (m *manifestSchema2) ConfigBlob(ctx context.Context) ([]byte, error) {`
`110`	`110`	`if err != nil {`
`111`	`111`	`return nil, err`
`112`	`112`	`}`
`113`		`- computedDigest := digest.FromBytes(blob)`
`114`		`- if computedDigest != m.m.ConfigDescriptor.Digest {`
`115`		`- return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, m.m.ConfigDescriptor.Digest)`
	`113`	`+ // Use the same algorithm as the expected digest`
	`114`	`+ expectedDigest := m.m.ConfigDescriptor.Digest`
	`115`	`+ algorithm := expectedDigest.Algorithm()`
	`116`	`+ computedDigest := algorithm.FromBytes(blob)`
	`117`	`+ if computedDigest != expectedDigest {`
	`118`	`+ return nil, fmt.Errorf("Download config.json digest %s does not match expected %s", computedDigest, expectedDigest)`
`116`	`119`	`}`
`117`	`120`	`m.configBlob = blob`
`118`	`121`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ import (`
`21`	`21`	`"go.podman.io/image/v5/types"`
`22`	`22`	`"go.podman.io/storage/pkg/archive"`
`23`	`23`	`"go.podman.io/storage/pkg/ioutils"`
	`24`	`+ supportedDigests "go.podman.io/storage/pkg/supported-digests"`
`24`	`25`	`)`
`25`	`26`
`26`	`27`	`type blobCacheDestination struct {`
`@@ -92,7 +93,7 @@ func (d blobCacheDestination) saveStream(wg sync.WaitGroup, decompressReader i`
`92`	`93`	`}`
`93`	`94`	`}()`
`94`	`95`
`95`		`- digester := digest.Canonical.Digester()`
	`96`	`+ digester := supportedDigests.Get().Digester()`
`96`	`97`	`if err := func() error { // A scope for defer`
`97`	`98`	`defer tempFile.Close()`
`98`	`99`