Always store images with tarsum.v1 checksum added

Updates `image.StoreImage()` to always ensure that images that are installed in Docker have a tarsum.v1 checksum. Docker-DCO-1.1-Signed-off-by: Josh Hawn <[email protected]> (github: jlhawn)
pallay · Jan 23, 2015 · ba3bad6 · ba3bad6
1 parent edaf23b
commit ba3bad6
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 5 deletions.
diff --git a/image/image.go b/image/image.go
@@ -81,8 +81,8 @@ func LoadImage(root string) (*Image, error) {
 
 // StoreImage stores file system layer data for the given image to the
 // image's registered storage driver. Image metadata is stored in a file
-// at the specified root directory. This function also computes the TarSum
-// of `layerData` (currently using tarsum.dev).
+// at the specified root directory. This function also computes a checksum
+// of `layerData` if the image does not have one already.
 func StoreImage(img *Image, layerData archive.ArchiveReader, root string) error {
 	// Store the layer
 	var (
@@ -96,15 +96,18 @@ func StoreImage(img *Image, layerData archive.ArchiveReader, root string) error
 	if layerData != nil {
 		// If the image doesn't have a checksum, we should add it. The layer
 		// checksums are verified when they are pulled from a remote, but when
-		// a container is committed it should be added here.
-		if img.Checksum == "" {
+		// a container is committed it should be added here. Also ensure that
+		// the stored checksum has the latest version of tarsum (assuming we
+		// are using tarsum).
+		if tarsum.VersionLabelForChecksum(img.Checksum) != tarsum.Version1.String() {
+			// Either there was no checksum or it's not a tarsum.v1
 			layerDataDecompressed, err := archive.DecompressStream(layerData)
 			if err != nil {
 				return err
 			}
 			defer layerDataDecompressed.Close()
 
-			if layerTarSum, err = tarsum.NewTarSum(layerDataDecompressed, true, tarsum.VersionDev); err != nil {
+			if layerTarSum, err = tarsum.NewTarSum(layerDataDecompressed, true, tarsum.Version1); err != nil {
 				return err
 			}
 

diff --git a/pkg/tarsum/tarsum.go b/pkg/tarsum/tarsum.go
@@ -122,6 +122,7 @@ type tHashConfig struct {
 }
 
 var (
+	// NOTE: DO NOT include MD5 or SHA1, which are considered insecure.
 	standardHashConfigs = map[string]tHashConfig{
 		"sha256": {name: "sha256", hash: crypto.SHA256},
 		"sha512": {name: "sha512", hash: crypto.SHA512},

diff --git a/pkg/tarsum/versioning.go b/pkg/tarsum/versioning.go
@@ -22,6 +22,18 @@ const (
 	VersionDev
 )
 
+// VersionLabelForChecksum returns the label for the given tarsum
+// checksum, i.e., everything before the first `+` character in
+// the string or an empty string if no label separator is found.
+func VersionLabelForChecksum(checksum string) string {
+	// Checksums are in the form: {versionLabel}+{hashID}:{hex}
+	sepIndex := strings.Index(checksum, "+")
+	if sepIndex < 0 {
+		return ""
+	}
+	return checksum[:sepIndex]
+}
+
 // Get a list of all known tarsum Version
 func GetVersions() []Version {
 	v := []Version{}