image/copy: Allow user to force digest algorithm in CLI ops like skopeo copy

Changes to image/copy/blob.go:
- Use digests.Options.Choose() to validate digest changes

Changes to image/copy/copy.go:
- Add SetForceDigestAlgorithm() helper to configure digest forcing

Changes to image/copy/single.go:
- Add updateManifestConfigDigest() helper that uses typed manifest
  structures (OCI1/Schema2) to update config digest, avoiding generic
  JSON manipulation
- Modify copyConfig() to return the new config digest when changed
- Update copyUpdatedConfigAndManifest() to handle config digest changes
  by calling updateManifestConfigDigest() when needed

Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>

Author: lsm5

image/copy/blob.go

@@ -7,6 +7,7 @@ import (
 	"io"
 
 	"github.com/sirupsen/logrus"
+	"go.podman.io/image/v5/internal/digests"
 	"go.podman.io/image/v5/internal/private"
 	compressiontypes "go.podman.io/image/v5/pkg/compression/types"
 	"go.podman.io/image/v5/types"
@@ -138,7 +139,17 @@ func (ic *imageCopier) copyBlobFromStream(ctx context.Context, srcReader io.Read
 		return types.BlobInfo{}, fmt.Errorf("Internal error writing blob %s, digest verification failed but was ignored", srcInfo.Digest)
 	}
 	if stream.info.Digest != "" && uploadedInfo.Digest != stream.info.Digest {
-		return types.BlobInfo{}, fmt.Errorf("Internal error writing blob %s, blob with digest %s saved with digest %s", srcInfo.Digest, stream.info.Digest, uploadedInfo.Digest)
+		expectedAlgo, err := ic.c.options.digestOptions.Choose(digests.Situation{
+			Preexisting:                 stream.info.Digest,
+			CannotChangeAlgorithmReason: ic.cannotModifyManifestReason,
+		})
+		if err != nil {
+			return types.BlobInfo{}, err
+		}
+		// If we're forcing a different algorithm and the uploaded digest uses that algorithm, it's acceptable
+		if uploadedInfo.Digest.Algorithm() != expectedAlgo {
+			return types.BlobInfo{}, fmt.Errorf("Internal error writing blob %s, blob with digest %s saved with digest %s", srcInfo.Digest, stream.info.Digest, uploadedInfo.Digest)
+		}
 	}
 	if digestingReader.validationSucceeded {
 		if err := compressionStep.recordValidatedDigestData(ic.c, uploadedInfo, srcInfo, encryptionStep, decryptionStep); err != nil {

image/copy/copy.go

@@ -167,6 +167,19 @@ type Options struct {
 	digestOptions digests.Options
 }
 
+// SetForceDigestAlgorithm forces the use of a specific digest algorithm for this copy operation.
+func (o *Options) SetForceDigestAlgorithm(algo digest.Algorithm) error {
+	if !algo.Available() {
+		return fmt.Errorf("digest algorithm %q is not available", algo.String())
+	}
+	digestOpts, err := digests.MustUse(algo)
+	if err != nil {
+		return fmt.Errorf("failed to set force-digest algorithm: %w", err)
+	}
+	o.digestOptions = digestOpts
+	return nil
+}
+
 // OptionCompressionVariant allows to supply information about
 // selected compression algorithm and compression level by the
 // end-user. Refer to EnsureCompressionVariantsExist to know
@@ -214,7 +227,10 @@ func Image(ctx context.Context, policyContext *signature.PolicyContext, destRef,
 	// only to allow gradually building the feature set.
 	// After c/image/copy consistently implements it, provide a public digest options API of some kind.
 	optionsCopy := *options
-	optionsCopy.digestOptions = digests.CanonicalDefault()
+	// Only set default if not already configured
+	if optionsCopy.digestOptions.MustUseSet() == "" {
+		optionsCopy.digestOptions = digests.CanonicalDefault()
+	}
 	options = &optionsCopy
 
 	if err := validateImageListSelection(options.ImageListSelection); err != nil {

image/copy/single.go

@@ -592,10 +592,19 @@ func (ic *imageCopier) copyUpdatedConfigAndManifest(ctx context.Context, instanc
 		return nil, "", fmt.Errorf("reading manifest: %w", err)
 	}
 
-	if err := ic.copyConfig(ctx, pendingImage); err != nil {
+	newConfigDigest, err := ic.copyConfig(ctx, pendingImage)
+	if err != nil {
 		return nil, "", err
 	}
 
+	// Config digest changed due to forcing a different digest algorithm
+	if newConfigDigest != nil {
+		man, err = ic.updateManifestConfigDigest(man, pendingImage, *newConfigDigest)
+		if err != nil {
+			return nil, "", fmt.Errorf("updating manifest config digest: %w", err)
+		}
+	}
+
 	ic.c.Printf("Writing manifest to image destination\n")
 	manifestDigest, err := manifest.Digest(man)
 	if err != nil {
@@ -611,13 +620,41 @@ func (ic *imageCopier) copyUpdatedConfigAndManifest(ctx context.Context, instanc
 	return man, manifestDigest, nil
 }
 
+// updateManifestConfigDigest uses typed manifest structures instead of generic JSON manipulation.
+// This leverages the existing manifest parsing and serialization infrastructure.
+func (ic *imageCopier) updateManifestConfigDigest(manifestBlob []byte, src types.Image, newConfigDigest digest.Digest) ([]byte, error) {
+	_, mt, err := src.Manifest(context.Background())
+	if err != nil {
+		return nil, fmt.Errorf("getting manifest type: %w", err)
+	}
+
+	m, err := manifest.FromBlob(manifestBlob, mt)
+	if err != nil {
+		return nil, fmt.Errorf("parsing manifest: %w", err)
+	}
+
+	switch typedManifest := m.(type) {
+	case *manifest.OCI1:
+		typedManifest.Config.Digest = newConfigDigest
+		return typedManifest.Serialize()
+	case *manifest.Schema2:
+		typedManifest.ConfigDescriptor.Digest = newConfigDigest
+		return typedManifest.Serialize()
+	case *manifest.Schema1:
+		return nil, fmt.Errorf("cannot update config digest for schema1 manifest")
+	default:
+		return nil, fmt.Errorf("unsupported manifest type for config digest update: %T", m)
+	}
+}
+
 // copyConfig copies config.json, if any, from src to dest.
-func (ic *imageCopier) copyConfig(ctx context.Context, src types.Image) error {
+// It returns the new config digest if it changed (due to digest algorithm forcing), or nil otherwise.
+func (ic *imageCopier) copyConfig(ctx context.Context, src types.Image) (*digest.Digest, error) {
 	srcInfo := src.ConfigInfo()
 	if srcInfo.Digest != "" {
 		if err := ic.c.concurrentBlobCopiesSemaphore.Acquire(ctx, 1); err != nil {
 			// This can only fail with ctx.Err(), so no need to blame acquiring the semaphore.
-			return fmt.Errorf("copying config: %w", err)
+			return nil, fmt.Errorf("copying config: %w", err)
 		}
 		defer ic.c.concurrentBlobCopiesSemaphore.Release(1)
 
@@ -645,13 +682,19 @@ func (ic *imageCopier) copyConfig(ctx context.Context, src types.Image) error {
 			return destInfo, nil
 		}()
 		if err != nil {
-			return err
+			return nil, err
 		}
 		if destInfo.Digest != srcInfo.Digest {
-			return fmt.Errorf("Internal error: copying uncompressed config blob %s changed digest to %s", srcInfo.Digest, destInfo.Digest)
+			// Allow digest algorithm changes when forcing a specific digest algorithm
+			forcingDifferentAlgo := ic.c.options.digestOptions.MustUseSet() != "" &&
+				destInfo.Digest.Algorithm() != srcInfo.Digest.Algorithm()
+			if !forcingDifferentAlgo {
+				return nil, fmt.Errorf("Internal error: copying uncompressed config blob %s changed digest to %s", srcInfo.Digest, destInfo.Digest)
+			}
+			return &destInfo.Digest, nil
 		}
 	}
-	return nil
+	return nil, nil
 }
 
 // diffIDResult contains both a digest value and an error from diffIDComputationGoroutine.