From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 48D092D0C6F for ; Wed, 27 Aug 2025 03:57:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=198.137.202.133 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756267071; cv=none; b=VGqmTc3+Oz7n/4tnqduyzlIAyOijRE0cMjqbkJI2ZIYnFXmhiPRTlkN0q5TsBXKxW53XSZ4yPVdAVoME0iOByn98xUUp+eNKQe5bxrngX9yIziYqrKz7yfG2vRaPxlEfj7UPTh9cXcVn1tNN8bt12UV2Ap5VuQbiHXFQzcomOZU= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1756267071; c=relaxed/simple; bh=DX7g9redCH7XXJRe6cvKYjP6mLtZIZH9C1wDtRYwSNo=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=Rqtw2YtAHAN0sWvMY+yXPvdhPgD7KuZoY6RkYaJ96RlGx82iYD14VdXpv26QwZv3V5FqPYj6JEZnnzGqrT9qRYMCNlWLyvJR9sRfPCXT+HfyQGyag6bhtdxrvM+9BITG5NKfNTE5XdsKJ2NRzPEzc11IPvwT8qfS9WP74bqW9HU= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=kernel.org; spf=none smtp.mailfrom=infradead.org; dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b=rl0iKpWY; arc=none smtp.client-ip=198.137.202.133 Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=quarantine dis=none) header.from=kernel.org Authentication-Results: smtp.subspace.kernel.org; spf=none smtp.mailfrom=infradead.org Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=infradead.org header.i=@infradead.org header.b="rl0iKpWY" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20210309; h=Sender:Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: Reply-To:Content-Type:Content-ID:Content-Description; 
bh=G+IH7jyTxnxBLU+f9c4y/CY7O8XCRvEjdfeIfvAAdCU=; b=rl0iKpWY1n5zRUKgubSkOUnf6R ak6PnNU7sJhJZd60RT0XdXJXXONMw5SuADANm5BU6UwpSCLWaxVsjryFJmjORwP4Hb0cYjyaFcQbj QjZxKPQ8HSK0hMxe266JF06hefRCWks0OmYWjZsMWF5FMZJma75bjFh5Q84u4egGHcgI3yaZnrkk/ PJ//+GISmSHL9fy/UpSRRWiVMZ/rn7kThoqSp1HglPxnjDyN1bUeYnVeGZKz9ZRoHEt6a4ru0y6zb gCKHAktYflQfkynhXF+/sy8vaY1F0s184nibaBBXcVpIktQC722PVNK7FS0J2es3jdzOv+rglzf0K e6eKsOJA==; Received: from mcgrof by bombadil.infradead.org with local (Exim 4.98.2 #2 (Red Hat Linux)) id 1ur7IB-0000000DuAD-49QD; Wed, 27 Aug 2025 03:57:47 +0000 From: Luis Chamberlain To: Chuck Lever , Daniel Gomez , kdevops@lists.linux.dev Cc: Luis Chamberlain Subject: [RFT 4/4] guestfs: fix checksum verification for resized custom images Date: Tue, 26 Aug 2025 20:57:47 -0700 Message-ID: <20250827035747.3314144-5-mcgrof@kernel.org> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250827035747.3314144-1-mcgrof@kernel.org> References: <20250827035747.3314144-1-mcgrof@kernel.org> Precedence: bulk X-Mailing-List: kdevops@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: Luis Chamberlain The SHA512 checksum verification was failing because it was being run after the image had been resized and modified. The checksum from the upstream source is only valid for the original downloaded image, not the modified version. Fix by: 1. Verifying the checksum immediately after download, before any modifications 2. Removing the redundant checksum verification that happened after resize operations This ensures the image integrity is verified when downloaded, but doesn't fail on subsequent runs when the image has been customized for kdevops use. Error was: sha512sum: WARNING: 1 computed checksum did NOT match debian-13-generic-amd64-daily.raw: FAILED Generated-by: Claude AI Signed-off-by: Luis Chamberlain --- .../roles/base_image/tasks/custom-image.yml | 57 ++++++++----------- 1 file changed, 24 insertions(+), 33 deletions(-) 
diff --git a/playbooks/roles/base_image/tasks/custom-image.yml b/playbooks/roles/base_image/tasks/custom-image.yml
index a3a8cbbd..d23cce96 100644
--- a/playbooks/roles/base_image/tasks/custom-image.yml
+++ b/playbooks/roles/base_image/tasks/custom-image.yml
@@ -46,6 +46,29 @@
 - not custom_image_stat.stat.exists
 - guestfs_has_custom_raw_image_url|bool

+- name: Verify custom image checksum immediately after download
+ when:
+ - custom_image_download is changed
+ - guestfs_has_custom_raw_image_sha512sums|bool
+ block:
+ - name: Get the base name of the sha512sums file for verification
+ ansible.builtin.set_fact:
+ sha512sums_file: "{{ guestfs_custom_raw_image_sha512sums_url | basename }}"
+
+ - name: Fetch the sha512sums file for verification
+ become: true
+ become_method: ansible.builtin.sudo
+ ansible.builtin.get_url:
+ url: "{{ guestfs_custom_raw_image_sha512sums_url }}"
+ dest: "{{ custom_image_dir }}"
+ mode: "u=rw,g=r,o=r"
+
+ - name: Verify checksum of freshly downloaded image
+ ansible.builtin.command:
+ cmd: "sha512sum --ignore-missing -c {{ sha512sums_file }}"
+ chdir: "{{ custom_image_dir }}"
+ changed_when: false
+
 - name: Resize custom image to match configured size
 become: true
 become_method: ansible.builtin.sudo
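Review bot: The new verify block is gated on `custom_image_download is changed`, so a checksum failure is enforced only on the run that downloaded the file. The task fails but the image stays in `custom_image_dir`; on the next run the download is presumably skipped by the `not custom_image_stat.stat.exists` condition visible just above the hunk, which skips this block too and lets the unverified image go on to resize and configuration. Because the second hunk removes the only other check, the block should delete the image when verification fails, for example with the `rescue:` section sketched below; the image path variable is not visible in the hunk, so a placeholder stands in for it. Separately, `sha512sum --ignore-missing -c` succeeds when any listed file in the directory verifies, so it is worth confirming the image is stored under the name the sums file uses. The download task itself lies outside the hunk.

```yaml
- name: Verify custom image checksum immediately after download
  # … unchanged: when conditions …
  block:
    # … unchanged: set_fact, get_url and sha512sum tasks …
  rescue:
    - name: Remove the image that failed checksum verification
      become: true
      become_method: ansible.builtin.sudo
      ansible.builtin.file:
        path: "{{ PLACEHOLDER_downloaded_image_path }}"
        state: absent

    - name: Fail the play after removing the unverified image
      ansible.builtin.fail:
        msg: "SHA512 verification failed; the downloaded image was removed"
```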
@@ -104,42 +127,10 @@
 get_mime: false
 register: sentinel_stat

-- name: Check the custom image
+- name: Configure custom image with kdevops settings
 when:
 - not sentinel_stat.stat.exists
- - guestfs_has_custom_raw_image_sha512sums|bool
 block:
- - name: Get the base name of the sha512sums file
- ansible.builtin.set_fact:
- sha512sums_file: "{{ guestfs_custom_raw_image_sha512sums_url | basename }}"
-
- - name: Set the full pathname of sha512sums file
- ansible.builtin.set_fact:
- custom_image_sha512sum: "{{ custom_image_dir }}/{{ sha512sums_file }}"
-
- - name: Check if the sha512sums file already exists
- ansible.builtin.stat:
- path: "{{ custom_image_sha512sum }}"
- get_attributes: false
- get_checksum: false
- get_mime: false
- register: sha512sums_stat
-
- - name: Fetch the sha512sums file
- become: true
- become_method: ansible.builtin.sudo
- ansible.builtin.get_url:
- url: "{{ guestfs_custom_raw_image_sha512sums_url }}"
- dest: "{{ custom_image_dir }}"
- mode: "u=rw,g=r,o=r"
- when:
- - not sha512sums_stat.stat.exists
-
- - name: Compute checksum of something
- ansible.builtin.command:
- cmd: "sha512sum --ignore-missing -c {{ sha512sums_file }}"
- chdir: "{{ custom_image_dir }}"
- changed_when: false

 - name: Get the UID of the kdevops user on the control host
 ansible.builtin.command:
-- 2.50.1