Story #1145
Updated by rbarlow over 9 years ago
The docker manifests have a digest, which is supposed to be a checksum of the manifest. However, the manifest checksum is not calculated on the downloaded manifest but on some permutation of the manifest. The necessary permutation is not known to the Pulp team at this time, so part of this effort will be determining how to calculate the checksum of the digest. There is a GitHub issue[0] with some information that may be useful. Hint: It may be related to removing signatures, but I am not sure. Deliverables: * Determine how to calculate the digest of the manifest, since the manifest as presented has a different checksum than the given digest from the registry. * Rework the Importer to validate the digest of the downloaded manifests to ensure that the expected data was received * Consider whether this should be a setting or not (I lean towards not). If you determine that it should, make sure pulp-admin supports it * Tests * Documentation [0] https://github.com/docker/docker/issues/8093
.