From: Luis Chamberlain <mcgrof@kernel.org>
To: Chuck Lever <cel@kernel.org>, Daniel Gomez <da.gomez@kruces.com>,
kdevops@lists.linux.dev
Cc: Luis Chamberlain <mcgrof@kernel.org>
Subject: [RFT 4/4] guestfs: fix checksum verification for resized custom images
Date: Tue, 26 Aug 2025 20:57:47 -0700
Message-ID: <20250827035747.3314144-5-mcgrof@kernel.org>
In-Reply-To: <20250827035747.3314144-1-mcgrof@kernel.org>

The SHA512 checksum verification was failing because it was being run
after the image had been resized and modified. The checksum from the
upstream source is only valid for the original downloaded image, not
the modified version.

Fix by:
1. Verifying the checksum immediately after download, before any
   modifications
2. Removing the redundant checksum verification that happened after
   resize operations

This ensures the image integrity is verified when downloaded, but
doesn't fail on subsequent runs when the image has been customized
for kdevops use.

Error was:
  sha512sum: WARNING: 1 computed checksum did NOT match
  debian-13-generic-amd64-daily.raw: FAILED

Generated-by: Claude AI
Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
.../roles/base_image/tasks/custom-image.yml | 57 ++++++++-----------
1 file changed, 24 insertions(+), 33 deletions(-)
diff --git a/playbooks/roles/base_image/tasks/custom-image.yml b/playbooks/roles/base_image/tasks/custom-image.yml
index a3a8cbbd..d23cce96 100644
--- a/playbooks/roles/base_image/tasks/custom-image.yml
+++ b/playbooks/roles/base_image/tasks/custom-image.yml
@@ -46,6 +46,29 @@
- not custom_image_stat.stat.exists
- guestfs_has_custom_raw_image_url|bool
+- name: Verify custom image checksum immediately after download
+ when:
+ - custom_image_download is changed
+ - guestfs_has_custom_raw_image_sha512sums|bool
+ block:
+ - name: Get the base name of the sha512sums file for verification
+ ansible.builtin.set_fact:
+ sha512sums_file: "{{ guestfs_custom_raw_image_sha512sums_url | basename }}"
+
+ - name: Fetch the sha512sums file for verification
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.builtin.get_url:
+ url: "{{ guestfs_custom_raw_image_sha512sums_url }}"
+ dest: "{{ custom_image_dir }}"
+ mode: "u=rw,g=r,o=r"
+
+ - name: Verify checksum of freshly downloaded image
+ ansible.builtin.command:
+ cmd: "sha512sum --ignore-missing -c {{ sha512sums_file }}"
+ chdir: "{{ custom_image_dir }}"
+ changed_when: false
+
- name: Resize custom image to match configured size
become: true
become_method: ansible.builtin.sudo
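Review bot: The `custom_image_download is changed` condition at the top of the new block means a failed check is only enforced on the run that performed the download. If `sha512sum --ignore-missing -c` fails, the play stops but the image stays in `custom_image_dir`; on the next run the preceding task's `not custom_image_stat.stat.exists` condition (visible in the context lines) presumably skips the download, so `custom_image_download` is not changed, this block is skipped, and the image that failed verification goes straight to the "Resize custom image" task. Consider wrapping the check in `block`/`rescue` and deleting the image in the `rescue` before failing, or downloading to a temporary name and renaming it only after the checksum passes, so a bad download can never be picked up by a rerun.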
@@ -104,42 +127,10 @@
get_mime: false
register: sentinel_stat
-- name: Check the custom image
+- name: Configure custom image with kdevops settings
when:
- not sentinel_stat.stat.exists
- - guestfs_has_custom_raw_image_sha512sums|bool
block:
- - name: Get the base name of the sha512sums file
- ansible.builtin.set_fact:
- sha512sums_file: "{{ guestfs_custom_raw_image_sha512sums_url | basename }}"
-
- - name: Set the full pathname of sha512sums file
- ansible.builtin.set_fact:
- custom_image_sha512sum: "{{ custom_image_dir }}/{{ sha512sums_file }}"
-
- - name: Check if the sha512sums file already exists
- ansible.builtin.stat:
- path: "{{ custom_image_sha512sum }}"
- get_attributes: false
- get_checksum: false
- get_mime: false
- register: sha512sums_stat
-
- - name: Fetch the sha512sums file
- become: true
- become_method: ansible.builtin.sudo
- ansible.builtin.get_url:
- url: "{{ guestfs_custom_raw_image_sha512sums_url }}"
- dest: "{{ custom_image_dir }}"
- mode: "u=rw,g=r,o=r"
- when:
- - not sha512sums_stat.stat.exists
-
- - name: Compute checksum of something
- ansible.builtin.command:
- cmd: "sha512sum --ignore-missing -c {{ sha512sums_file }}"
- chdir: "{{ custom_image_dir }}"
- changed_when: false
- name: Get the UID of the kdevops user on the control host
ansible.builtin.command:
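Review bot: Dropping `- guestfs_has_custom_raw_image_sha512sums|bool` from the `when:` of the renamed block changes more than the checksum step. The tasks that remain in the block (starting with "Get the UID of the kdevops user on the control host") appear to have been skipped before whenever no sha512sums URL was configured, and now run whenever the sentinel is absent. That looks like the right behaviour, but it is a separate functional change the commit message does not mention; please call it out there or split it into its own patch. Also note that this block is now gated only on `not sentinel_stat.stat.exists`, so nothing here knows whether the earlier download-time check actually ran; a marker written after a successful verification and required in this `when:` would make that dependency explicit.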
--
2.50.1