Merge pull request #6194 from tonistiigi/git-sha256

git: add sha256 commit support

Author: AkihiroSuda

frontend/dockerfile/dockerfile_addgit_test.go

@@ -21,7 +21,8 @@ import (
 )
 
 var addGitTests = integration.TestFuncs(
-	testAddGit,
+	testAddGitSHA1,
+	testAddGitSHA256,
 	testAddGitChecksumCache,
 	testGitQueryString,
 )
@@ -30,15 +31,27 @@ func init() {
 	allTests = append(allTests, addGitTests...)
 }
 
-func testAddGit(t *testing.T, sb integration.Sandbox) {
+func testAddGitSHA1(t *testing.T, sb integration.Sandbox) {
+	testAddGit(t, sb, "sha1")
+}
+
+func testAddGitSHA256(t *testing.T, sb integration.Sandbox) {
+	testAddGit(t, sb, "sha256")
+}
+
+func testAddGit(t *testing.T, sb integration.Sandbox, format string) {
 	integration.SkipOnPlatform(t, "windows")
 	f := getFrontend(t, sb)
 
 	gitDir, err := os.MkdirTemp("", "buildkit")
 	require.NoError(t, err)
 	defer os.RemoveAll(gitDir)
+	initOptions := ""
+	if format == "sha256" {
+		initOptions = " --object-format=sha256"
+	}
 	gitCommands := []string{
-		"git init",
+		"git init" + initOptions,
 		"git config --local user.email test",
 		"git config --local user.name test",
 	}

frontend/dockerfile/dockerfile_provenance_test.go

@@ -45,7 +45,8 @@ import (
 
 var provenanceTests = integration.TestFuncs(
 	testProvenanceAttestation,
-	testGitProvenanceAttestation,
+	testGitProvenanceAttestationSHA1,
+	testGitProvenanceAttestationSHA256,
 	testMultiPlatformProvenance,
 	testClientFrontendProvenance,
 	testClientLLBProvenance,
@@ -389,7 +390,15 @@ RUN echo ok> /foo
 	}
 }
 
-func testGitProvenanceAttestation(t *testing.T, sb integration.Sandbox) {
+func testGitProvenanceAttestationSHA1(t *testing.T, sb integration.Sandbox) {
+	testGitProvenanceAttestation(t, sb, "sha1")
+}
+
+func testGitProvenanceAttestationSHA256(t *testing.T, sb integration.Sandbox) {
+	testGitProvenanceAttestation(t, sb, "sha256")
+}
+
+func testGitProvenanceAttestation(t *testing.T, sb integration.Sandbox, format string) {
 	integration.SkipOnPlatform(t, "windows")
 	workers.CheckFeatureCompat(t, sb, workers.FeatureDirectPush, workers.FeatureProvenance)
 	ctx := sb.Context()
@@ -423,8 +432,12 @@ COPY myapp.Dockerfile /
 				fstest.CreateFile("myapp.Dockerfile", dockerfile, 0600),
 			)
 
+			initOptions := ""
+			if format == "sha256" {
+				initOptions = " --object-format=sha256"
+			}
 			err = runShell(dir.Name,
-				"git init",
+				"git init"+initOptions,
 				"git config --local user.email test",
 				"git config --local user.name test",
 				"git add myapp.Dockerfile",
@@ -519,15 +532,15 @@ COPY myapp.Dockerfile /
 					require.NotEmpty(t, pred.BuildDefinition.ResolvedDependencies[1].Digest["sha256"])
 
 					require.Equal(t, expectedURL+"/.git#v1", pred.BuildDefinition.ResolvedDependencies[2].URI)
-					require.Equal(t, strings.TrimSpace(string(expectedGitSHA)), pred.BuildDefinition.ResolvedDependencies[2].Digest["sha1"])
+					require.Equal(t, strings.TrimSpace(string(expectedGitSHA)), pred.BuildDefinition.ResolvedDependencies[2].Digest[format])
 				} else {
 					require.Equal(t, 2, len(pred.BuildDefinition.ResolvedDependencies), "%+v", pred.BuildDefinition.ResolvedDependencies)
 
 					require.Equal(t, expBase, pred.BuildDefinition.ResolvedDependencies[0].URI)
 					require.NotEmpty(t, pred.BuildDefinition.ResolvedDependencies[0].Digest["sha256"])
 
 					require.Equal(t, expectedURL+"/.git#v1", pred.BuildDefinition.ResolvedDependencies[1].URI)
-					require.Equal(t, strings.TrimSpace(string(expectedGitSHA)), pred.BuildDefinition.ResolvedDependencies[1].Digest["sha1"])
+					require.Equal(t, strings.TrimSpace(string(expectedGitSHA)), pred.BuildDefinition.ResolvedDependencies[1].Digest[format])
 				}
 
 				require.Equal(t, 0, len(pred.BuildDefinition.ExternalParameters.Request.Locals))
@@ -574,15 +587,15 @@ COPY myapp.Dockerfile /
 					require.NotEmpty(t, pred.Materials[1].Digest["sha256"])
 
 					require.Equal(t, expectedURL+"/.git#v1", pred.Materials[2].URI)
-					require.Equal(t, strings.TrimSpace(string(expectedGitSHA)), pred.Materials[2].Digest["sha1"])
+					require.Equal(t, strings.TrimSpace(string(expectedGitSHA)), pred.Materials[2].Digest[format])
 				} else {
 					require.Equal(t, 2, len(pred.Materials), "%+v", pred.Materials)
 
 					require.Equal(t, expBase, pred.Materials[0].URI)
 					require.NotEmpty(t, pred.Materials[0].Digest["sha256"])
 
 					require.Equal(t, expectedURL+"/.git#v1", pred.Materials[1].URI)
-					require.Equal(t, strings.TrimSpace(string(expectedGitSHA)), pred.Materials[1].Digest["sha1"])
+					require.Equal(t, strings.TrimSpace(string(expectedGitSHA)), pred.Materials[1].Digest[format])
 				}
 
 				require.Equal(t, 0, len(pred.Invocation.Parameters.Locals))

frontend/dockerfile/dockerfile_test.go

@@ -94,7 +94,8 @@ var allTests = integration.TestFuncs(
 	testCacheReleased,
 	testDockerignore,
 	testDockerignoreInvalid,
-	testDockerfileFromGit,
+	testDockerfileFromGitSHA1,
+	testDockerfileFromGitSHA256,
 	testMultiStageImplicitFrom,
 	testMultiStageCaseInsensitive,
 	testLabels,
@@ -4808,7 +4809,15 @@ ADD --chmod=10000 foo /
 	require.ErrorContains(t, err, "invalid chmod parameter: '10000'. it should be octal string and between 0 and 07777")
 }
 
-func testDockerfileFromGit(t *testing.T, sb integration.Sandbox) {
+func testDockerfileFromGitSHA1(t *testing.T, sb integration.Sandbox) {
+	testDockerfileFromGit(t, sb, "sha1")
+}
+
+func testDockerfileFromGitSHA256(t *testing.T, sb integration.Sandbox) {
+	testDockerfileFromGit(t, sb, "sha256")
+}
+
+func testDockerfileFromGit(t *testing.T, sb integration.Sandbox, format string) {
 	integration.SkipOnPlatform(t, "windows")
 	f := getFrontend(t, sb)
 
@@ -4824,8 +4833,12 @@ COPY --from=build foo bar
 	err := os.WriteFile(filepath.Join(gitDir, "Dockerfile"), []byte(dockerfile), 0600)
 	require.NoError(t, err)
 
+	initOptions := ""
+	if format == "sha256" {
+		initOptions = " --object-format=sha256"
+	}
 	err = runShell(gitDir,
-		"git init",
+		"git init"+initOptions,
 		"git config --local user.email test",
 		"git config --local user.name test",
 		"git add Dockerfile",

solver/llbsolver/provenance/predicate.go

@@ -40,10 +40,8 @@ func slsaMaterials(srcs provenancetypes.Sources) ([]slsa.ProvenanceMaterial, err
 
 	for _, s := range srcs.Git {
 		out = append(out, slsa.ProvenanceMaterial{
-			URI: s.URL,
-			Digest: slsa.DigestSet{
-				"sha1": s.Commit,
-			},
+			URI:    s.URL,
+			Digest: digestSetForCommit(s.Commit),
 		})
 	}
 
@@ -59,14 +57,22 @@ func slsaMaterials(srcs provenancetypes.Sources) ([]slsa.ProvenanceMaterial, err
 	return out, nil
 }
 
+func digestSetForCommit(commit string) slsa.DigestSet {
+	dset := slsa.DigestSet{}
+	if len(commit) == 64 {
+		dset["sha256"] = commit
+	} else {
+		dset["sha1"] = commit
+	}
+	return dset
+}
+
 func findMaterial(srcs provenancetypes.Sources, uri string) (*slsa.ProvenanceMaterial, bool) {
 	for _, s := range srcs.Git {
 		if s.URL == uri {
 			return &slsa.ProvenanceMaterial{
-				URI: s.URL,
-				Digest: slsa.DigestSet{
-					"sha1": s.Commit,
-				},
+				URI:    s.URL,
+				Digest: digestSetForCommit(s.Commit),
 			}, true
 		}
 	}

source/git/source.go

@@ -105,7 +105,7 @@ func (gs *gitSource) Identifier(scheme, ref string, attrs map[string]string, pla
 }
 
 // needs to be called with repo lock
-func (gs *gitSource) mountRemote(ctx context.Context, remote string, authArgs []string, g session.Group) (target string, release func() error, retErr error) {
+func (gs *gitSource) mountRemote(ctx context.Context, remote string, authArgs []string, sha256 bool, g session.Group) (target string, release func() error, retErr error) {
 	sis, err := searchGitRemote(ctx, gs.cache, remote)
 	if err != nil {
 		return "", nil, errors.Wrapf(err, "failed to search metadata for %s", urlutil.RedactCredentials(remote))
@@ -171,7 +171,11 @@ func (gs *gitSource) mountRemote(ctx context.Context, remote string, authArgs []
 		// implied default to suppress "hint:" output about not having a
 		// default initial branch name set which otherwise spams unit
 		// test logs.
-		if _, err := git.Run(ctx, "-c", "init.defaultBranch=master", "init", "--bare"); err != nil {
+		args := []string{"-c", "init.defaultBranch=master", "init", "--bare"}
+		if sha256 {
+			args = append(args, "--object-format=sha256")
+		}
+		if _, err := git.Run(ctx, args...); err != nil {
 			return "", nil, errors.Wrapf(err, "failed to init repo at %s", dir)
 		}
 
@@ -198,6 +202,7 @@ type gitSourceHandler struct {
 	*gitSource
 	src      GitIdentifier
 	cacheKey string
+	sha256   bool
 	sm       *session.Manager
 	authArgs []string
 }
@@ -376,29 +381,30 @@ func (gs *gitSourceHandler) CacheKey(ctx context.Context, g session.Group, index
 	if refCommitFullHash != "" {
 		cacheKey := gs.shaToCacheKey(refCommitFullHash, ref2)
 		gs.cacheKey = cacheKey
+		gs.sha256 = len(refCommitFullHash) == 64
 		// gs.src.Checksum is verified when checking out the commit
 		return cacheKey, refCommitFullHash, nil, true, nil
 	}
 
 	gs.getAuthToken(ctx, g)
 
-	git, cleanup, err := gs.gitCli(ctx, g)
+	tmpGit, cleanup, err := gs.emptyGitCli(ctx, g)
 	if err != nil {
 		return "", "", nil, false, err
 	}
 	defer cleanup()
 
 	ref := gs.src.Ref
 	if ref == "" {
-		ref, err = getDefaultBranch(ctx, git, gs.src.Remote)
+		ref, err = getDefaultBranch(ctx, tmpGit, gs.src.Remote)
 		if err != nil {
 			return "", "", nil, false, err
 		}
 	}
 
 	// TODO: should we assume that remote tag is immutable? add a timer?
 
-	buf, err := git.Run(ctx, "ls-remote", "origin", ref, ref+"^{}")
+	buf, err := tmpGit.Run(ctx, "ls-remote", gs.src.Remote, ref, ref+"^{}")
 	if err != nil {
 		return "", "", nil, false, errors.Wrapf(err, "failed to fetch remote %s", urlutil.RedactCredentials(remote))
 	}
@@ -445,6 +451,7 @@ func (gs *gitSourceHandler) CacheKey(ctx context.Context, g session.Group, index
 	}
 	cacheKey := gs.shaToCacheKey(sha, usedRef)
 	gs.cacheKey = cacheKey
+	gs.sha256 = len(sha) == 64
 	return cacheKey, sha, nil, true, nil
 }
 
@@ -475,15 +482,18 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 	gs.locker.Lock(gs.src.Remote)
 	defer gs.locker.Unlock(gs.src.Remote)
 
-	git, cleanup, err := gs.gitCli(ctx, g)
+	git, cleanup, err := gs.emptyGitCli(ctx, g)
 	if err != nil {
 		return nil, err
 	}
 	defer cleanup()
-	gitDir, err := git.GitDir(ctx)
+
+	gitDir, unmountGitDir, err := gs.mountRemote(ctx, gs.src.Remote, gs.authArgs, gs.sha256, g)
 	if err != nil {
 		return nil, err
 	}
+	defer unmountGitDir()
+	git = git.New(gitutil.WithGitDir(gitDir))
 
 	ref := gs.src.Ref
 	if ref == "" {
@@ -581,7 +591,11 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 			return nil, err
 		}
 		checkoutGit := git.New(gitutil.WithWorkTree(checkoutDir), gitutil.WithGitDir(checkoutDirGit))
-		_, err = checkoutGit.Run(ctx, "-c", "init.defaultBranch=master", "init")
+		args := []string{"-c", "init.defaultBranch=master", "init"}
+		if gs.sha256 {
+			args = append(args, "--object-format=sha256")
+		}
+		_, err = checkoutGit.Run(ctx, args...)
 		if err != nil {
 			return nil, err
 		}
@@ -713,7 +727,7 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 	return snap, nil
 }
 
-func (gs *gitSourceHandler) gitCli(ctx context.Context, g session.Group, opts ...gitutil.Option) (*gitutil.GitCLI, func() error, error) {
+func (gs *gitSourceHandler) emptyGitCli(ctx context.Context, g session.Group, opts ...gitutil.Option) (*gitutil.GitCLI, func() error, error) {
 	var cleanups []func() error
 	cleanup := func() error {
 		var err error
@@ -727,13 +741,6 @@ func (gs *gitSourceHandler) gitCli(ctx context.Context, g session.Group, opts ..
 	}
 	var err error
 
-	gitDir, unmountGitDir, err := gs.mountRemote(ctx, gs.src.Remote, gs.authArgs, g)
-	if err != nil {
-		cleanup()
-		return nil, nil, err
-	}
-	cleanups = append(cleanups, unmountGitDir)
-
 	var sock string
 	if gs.src.MountSSHSock != "" {
 		var unmountSock func() error
@@ -757,7 +764,6 @@ func (gs *gitSourceHandler) gitCli(ctx context.Context, g session.Group, opts ..
 	}
 
 	opts = append([]gitutil.Option{
-		gitutil.WithGitDir(gitDir),
 		gitutil.WithArgs(gs.authArgs...),
 		gitutil.WithSSHAuthSock(sock),
 		gitutil.WithSSHKnownHosts(knownHosts),