
Using Checksum=true seems to generate incorrect output

Open justinvreeland opened this issue 1 year ago • 2 comments

mkosi commit the issue has been seen with

main

Used host distribution

Archlinux

Used target distribution

default

Linux kernel version used

6.10.8-arch1-1

CPU architectures issue was seen on

x86_64

Unexpected behaviour you saw

I expected to see a SHA256SUMS file or image.sha256 file that would be compatible with importctl. Instead files with names like image.SHA256SUMS are generated. When using the configuration attached I see:

ls mkosi.output
total 34188
    0 lrwxrwxrwx 1 root root        9 Sep 13 12:31 image -> image.raw
34184 -rw-r--r-- 1 root root 36028416 Sep 13 12:31 image.raw
    4 -rw-r--r-- 1 root root       76 Sep 13 12:31 image.SHA256SUMS

The mkosi docs lead me to believe the file should be created as a standalone file. From the mkosi docs:

Generate a SHA256SUMS file of all generated artifacts after the build is complete.

The importctl docs seem to agree:

Verification is done either via an
inline signed file with the name of the image and the suffix
.sha256 or via separate SHA256SUMS and SHA256SUMS.gpg files.

This also applies to the image.SHA256SUMS.gpg file.

Used mkosi config

[Validation]
Checksum=true

mkosi output

No response

justinvreeland avatar Sep 13 '24 19:09 justinvreeland

Unfortunately we have to bake the image name into the output, otherwise when generating multiple outputs they would clobber each other. You will have to do some post processing after invoking mkosi or maybe you can hack this with a postoutput script.

behrmann avatar Sep 13 '24 20:09 behrmann

Ahh, I can understand how that causes problems. Were I making a lot of images in the same directory though, I'd like to have the option to concatenate and re-sign the file for all the images built into that directory. I can see people wanting things either way depending on how much post processing they want to do. I think it'd be ideal for mkosi to be able to produce working output to be consumed by related tools though.

justinvreeland avatar Sep 13 '24 20:09 justinvreeland

Most importantly the docs should at least get updated

septatrix avatar Oct 30 '24 00:10 septatrix

Related to this, it looks like we currently prefix an asterisk before each filename in the generated SHA256SUMS, but there's no mention of this in the documentation (and it's unclear to me why it's done in the first place).

davide125 avatar Nov 13 '24 21:11 davide125

Related to this, it looks like we currently prefix an asterisk before each filename in the generated SHA256SUMS, but there's no mention of this in the documentation (and it's unclear to me why it's done in the first place).

That symbolizes a binary file (see the man page of sha256sum et al) but that is mostly a convention and not done by all tools

septatrix avatar Nov 13 '24 23:11 septatrix
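
One way to do the post-processing suggested in this thread, as an added example that is not mkosi's or systemd's code: a shell function that verifies each per-image `*.SHA256SUMS` file against the artifacts on disk and merges the entries into a single `SHA256SUMS`. It assumes GNU coreutils `sha256sum` and the `<hash> *<name>` line format discussed above; `merge_sums` is a hypothetical name.

```shell
#!/bin/sh
# Added example, not mkosi code. Assumes GNU coreutils sha256sum and
# per-image files named <image>.SHA256SUMS with "<hash> *<file>" lines.
# Usage: merge_sums mkosi.output

# merge_sums DIR: verify every entry of DIR/*.SHA256SUMS against the file on
# disk, then write the verified entries to DIR/SHA256SUMS.
merge_sums() {
    dir=$1
    tmp=$(mktemp "$dir/.SHA256SUMS.XXXXXX") || return 1

    for f in "$dir"/*.SHA256SUMS; do
        [ -f "$f" ] || continue
        # Accept only "<64 hex> <space or *><name>" and reject names that
        # contain '/', so an entry cannot refer to a file outside DIR.
        if LC_ALL=C grep -Evq '^[0-9a-f]{64} [ *][^/]+$' "$f"; then
            echo "malformed entry in $f" >&2; rm -f "$tmp"; return 1
        fi
        # Recompute the hashes; a stale or modified artifact fails here.
        if ! (cd "$dir" && sha256sum -c "${f##*/}" >/dev/null 2>&1); then
            echo "checksum mismatch for $f" >&2; rm -f "$tmp"; return 1
        fi
        cat "$f" >>"$tmp"
    done

    if [ ! -s "$tmp" ]; then
        echo "no checksum entries found in $dir" >&2; rm -f "$tmp"; return 1
    fi
    # All entries were checked against the same files, so repeated names
    # carry the same hash: keep the first line per name (column 67 onward).
    if ! awk '!seen[substr($0, 67)]++' "$tmp" >"$tmp.new"; then
        rm -f "$tmp" "$tmp.new"; return 1
    fi
    chmod 0644 "$tmp.new"
    mv "$tmp.new" "$dir/SHA256SUMS"
    rm -f "$tmp"
}
```

A detached signature covers the exact bytes of the file it was made for, so the merged `SHA256SUMS` needs a fresh signature; the per-image `.gpg` files do not apply to it.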

I think it'd be ideal for mkosi to be able to produce working output to be consumed by related tools though.

This goes both ways, I think it'd be great if related tools consumed the output produced by mkosi. I've attached a PR to update the docs. I think for this specific case updating importctl to optionally look for the style of SHA256SUMS that mkosi produces would be the better solution.

DaanDeMeyer avatar Jan 21 '25 15:01 DaanDeMeyer