Support SHA512 hash for image verification

Open simcod opened this issue 9 months ago • 10 comments

Description

When a machine image is retrieved, its integrity is checked. Currently this is done with an md5 hash file next to the image file. This PR adds support for a sha512 checksum file. Thus, md5 and sha512 checksum files can be used for image verification. If both are present, sha512 will be used.

simcod avatar Mar 05 '25 12:03 simcod
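
The selection rule in the description (use sha512 when both checksum files exist), as an added example that is not code from this PR or from metal-hammer. The `<image>.sha512` / `<image>.md5` file names and the `VerifyImage` function are assumptions. It goes one step beyond the description: a sha512 file that is present but does not match fails the check instead of falling back to md5.

```go
package main

import (
	"crypto/md5"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"hash"
	"io"
	"os"
	"strings"
)

// Checksum files in order of preference (assumed naming: <image>.sha512, <image>.md5).
var sidecars = []struct {
	suffix string
	newFn  func() hash.Hash
}{{".sha512", sha512.New}, {".md5", md5.New}}

// VerifyImage checks image against the first checksum file found next to it and returns its suffix.
func VerifyImage(image string) (string, error) {
	for _, s := range sidecars {
		raw, err := os.ReadFile(image + s.suffix)
		if errors.Is(err, os.ErrNotExist) {
			continue // no file for this algorithm, try the next one
		} else if err != nil {
			return s.suffix, err
		}
		// Accept a bare hex digest or the "<hex>  <name>" layout of md5sum/sha512sum.
		want := strings.Fields(string(raw))
		f, err := os.Open(image)
		if err != nil {
			return s.suffix, err
		}
		defer f.Close()
		h := s.newFn()
		if _, err := io.Copy(h, f); err != nil {
			return s.suffix, err
		}
		if got := hex.EncodeToString(h.Sum(nil)); len(want) == 0 || !strings.EqualFold(got, want[0]) {
			return s.suffix, fmt.Errorf("%s mismatch for %s", s.suffix, image)
		}
		return s.suffix, nil // first file present decides; weaker ones are ignored
	}
	return "", errors.New("no checksum file found, refusing unverified image")
}

func main() { fmt.Println(VerifyImage(os.Args[len(os.Args)-1])) }
```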

This would raise a lot of work in other repos like metal-images, metal-image-cache and potentially others.

I would rather prefer that we try to move over to use OCI images. This format already includes signing and is a more commonly used format for such use-cases.

majst01 avatar Mar 05 '25 14:03 majst01

Will merge after I validated #148 in our test environment!

majst01 avatar Mar 13 '25 07:03 majst01

Maybe this also helps in this respect:

https://github.blog/changelog/2025-03-18-github-actions-now-supports-a-digest-for-validating-your-artifacts-at-runtime/

Should at least be noted in the Readme.md

majst01 avatar Mar 19 '25 09:03 majst01

Any plan to merge or to close it?

robertvolkmann avatar Oct 20 '25 17:10 robertvolkmann

> Any plan to merge or to close it?

There are still no sha256 checksums generated; still interested in this, but this must be done first.

majst01 avatar Oct 21 '25 05:10 majst01

> There are still no sha256 checksums generated; still interested in this, but this must be done first.

@mac641 are you interested to look into it?

robertvolkmann avatar Oct 21 '25 06:10 robertvolkmann

> > There are still no sha256 checksums generated; still interested in this, but this must be done first.

> @mac641 are you interested to look into it?

Yes, it reads interesting. I'll see what I can do.

mac641 avatar Oct 22 '25 09:10 mac641

> > > There are still no sha256 checksums generated; still interested in this, but this must be done first.

> > @mac641 are you interested to look into it?

> Yes, it reads interesting. I'll see what I can do.

I am not sure if this is worth the effort, I would rather prefer to make metal-hammer able to pull metal-images as OCI artifacts. This would also solve the signature check problem and must not be done for two algorithms as here.

majst01 avatar Oct 22 '25 09:10 majst01

> > > > There are still no sha256 checksums generated; still interested in this, but this must be done first.

> > > @mac641 are you interested to look into it?

> > Yes, it reads interesting. I'll see what I can do.

> I am not sure if this is worth the effort, I would rather prefer to make metal-hammer able to pull metal-images as OCI artifacts. This would also solve the signature check problem and must not be done for two algorithms as here.

Made a small sample here: https://github.com/metal-stack/metal-hammer/pull/169 which should not be used as a real PR but as a showcase how this could be achieved.

If someone has spare time, raise your hands :-)

majst01 avatar Oct 22 '25 14:10 majst01

> > > > > There are still no sha256 checksums generated; still interested in this, but this must be done first.

> > > > @mac641 are you interested to look into it?

> > > Yes, it reads interesting. I'll see what I can do.

> > I am not sure if this is worth the effort, I would rather prefer to make metal-hammer able to pull metal-images as OCI artifacts. This would also solve the signature check problem and must not be done for two algorithms as here.

> Made a small sample here: https://github.com/metal-stack/metal-hammer/pull/169 which should not be used as a real PR but as a showcase how this could be achieved.

> If someone has spare time, raise your hands :-)

Me ✋

mac641 avatar Oct 23 '25 12:10 mac641