image/copy: Add guards for unsupported digest forcing scenarios

lsm5 · lsm5 · commit eca922f97927 · 2025-12-26T16:29:02.000-05:00
Add guards and limitations for cases where digest forcing is not yet supported or incompatible with certain features: 1. Multi-arch images (multiple.go): - Not yet implemented; needs per-instance config digest updates - Fail cleanly with clear error message - See #552 (comment) 2. Docker schema1 manifests (single.go): - Lack separate config descriptor, only support sha256 - Fail early when forcing non-sha256 algorithms 3. zstd:chunked compression (single.go): - Uses sha256 for internal TOC and chunk digests - Fall back to plain zstd when forcing non-sha256 - Fail if requireCompressionFormatMatch is set 4. PutBlobPartial optimization (single.go): - Incompatible with forcing different digest (needs full layer) - Disable partial pull when algorithms don't match 5. Blob reuse optimization (single.go): - Skip blob reuse when digest algorithms don't match - Future: could support cross-digest reuse via BlobInfoCache These guards ensure clean failures and fallbacks rather than silent corruption or confusing errors. Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
diff --git a/image/copy/multiple.go b/image/copy/multiple.go
@@ -208,6 +208,12 @@ func (c *copier) copyMultipleImages(ctx context.Context) (copiedManifest []byte,
 		cannotModifyManifestListReason = "Instructed to preserve digests"
 	}
 
+	// FIXME: Multi-arch not supported yet; would need config digest updates for each instance.
+	// See https://github.com/containers/container-libs/pull/552#discussion_r2611627578
+	if c.options.digestOptions.MustUseSet() != "" {
+		return nil, fmt.Errorf("forcing digest algorithm with multi-arch images is not yet implemented")
+	}
+
 	// Determine if we'll need to convert the manifest list to a different format.
 	forceListMIMEType := c.options.ForceManifestMIMEType
 	switch forceListMIMEType {
diff --git a/image/copy/single.go b/image/copy/single.go
@@ -783,19 +783,34 @@ func (ic *imageCopier) copyLayer(ctx context.Context, srcInfo types.BlobInfo, to
 			tocDigest = *d
 		}
 
-		reused, reusedBlob, err := ic.c.dest.TryReusingBlobWithOptions(ctx, srcInfo, private.TryReusingBlobOptions{
-			Cache:                   ic.c.blobInfoCache,
-			CanSubstitute:           canSubstitute,
-			EmptyLayer:              emptyLayer,
-			LayerIndex:              &layerIndex,
-			SrcRef:                  srcRef,
-			PossibleManifestFormats: append([]string{ic.manifestConversionPlan.preferredMIMEType}, ic.manifestConversionPlan.otherMIMETypeCandidates...),
-			RequiredCompression:     requiredCompression,
-			OriginalCompression:     srcInfo.CompressionAlgorithm,
-			TOCDigest:               tocDigest,
-		})
-		if err != nil {
-			return types.BlobInfo{}, "", fmt.Errorf("trying to reuse blob %s at destination: %w", srcInfo.Digest, err)
+		// FIXME: Blob reuse disabled when forcing different digest algorithm.
+		canTryReuse := true
+		if forcedAlgo := ic.c.options.digestOptions.MustUseSet(); forcedAlgo != "" {
+			if srcInfo.Digest.Algorithm() != forcedAlgo {
+				logrus.Debugf("Skipping blob reuse for %s: digest algorithm %s doesn't match forced algorithm %s",
+					srcInfo.Digest, srcInfo.Digest.Algorithm(), forcedAlgo)
+				canTryReuse = false
+			}
+		}
+
+		reused := false
+		var reusedBlob private.ReusedBlob
+		if canTryReuse {
+			var err error
+			reused, reusedBlob, err = ic.c.dest.TryReusingBlobWithOptions(ctx, srcInfo, private.TryReusingBlobOptions{
+				Cache:                   ic.c.blobInfoCache,
+				CanSubstitute:           canSubstitute,
+				EmptyLayer:              emptyLayer,
+				LayerIndex:              &layerIndex,
+				SrcRef:                  srcRef,
+				PossibleManifestFormats: append([]string{ic.manifestConversionPlan.preferredMIMEType}, ic.manifestConversionPlan.otherMIMETypeCandidates...),
+				RequiredCompression:     requiredCompression,
+				OriginalCompression:     srcInfo.CompressionAlgorithm,
+				TOCDigest:               tocDigest,
+			})
+			if err != nil {
+				return types.BlobInfo{}, "", fmt.Errorf("trying to reuse blob %s at destination: %w", srcInfo.Digest, err)
+			}
 		}
 		if reused {
 			logrus.Debugf("Skipping blob %s (already present):", srcInfo.Digest)
