feat: add blake3 support

LICENSE

@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2019-2023 The zot project authors.
+   Copyright [yyyy] [name of copyright owner]
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

Makefile

@@ -24,6 +24,8 @@ CRICTL := $(TOOLSDIR)/bin/crictl
 CRICTL_VERSION := v1.26.1
 ACTION_VALIDATOR := $(TOOLSDIR)/bin/action-validator
 ACTION_VALIDATOR_VERSION := v0.5.3
+CRYPTO_TEST := $(TOOLSDIR)/bin/cryptotest
+CRYPTO_TEST_VERSION := 0.2.1
 ZUI_BUILD_PATH := ""
 ZUI_VERSION := commit-303dfb3
 ZUI_REPO_OWNER := project-zot
@@ -301,6 +303,13 @@ $(ACTION_VALIDATOR):
 	mv action-validator $(TOOLSDIR)/bin/action-validator
 	chmod +x $(TOOLSDIR)/bin/action-validator
 
+$(CRYPTO_TEST):
+	mkdir -p $(TOOLSDIR)/bin
+	curl -Lo registry-test.tar.gz https://github.com/shizhMSFT/registry-test/releases/download/v$(CRYPTO_TEST_VERSION)/registry-test_$(CRYPTO_TEST_VERSION)_linux_amd64.tar.gz
+	tar xvzf registry-test.tar.gz && rm registry-test.tar.gz
+	mv cryptotest $(TOOLSDIR)/bin/cryptotest
+	chmod +x $(TOOLSDIR)/bin/cryptotest
+
 .PHONY: check-gh-actions
 check-gh-actions: check-compatibility $(ACTION_VALIDATOR)
 	for i in $$(ls  .github/workflows/*); do $(ACTION_VALIDATOR) $$i; done
@@ -483,7 +492,7 @@ $(BATS):
 	rm -rf bats-core
 
 .PHONY: check-blackbox-prerequisites
-check-blackbox-prerequisites: check-linux check-skopeo $(BATS) $(REGCLIENT) $(ORAS) $(HELM) $(CRICTL) $(NOTATION) $(COSIGN) $(STACKER)
+check-blackbox-prerequisites: check-linux check-skopeo $(BATS) $(REGCLIENT) $(ORAS) $(HELM) $(CRICTL) $(NOTATION) $(COSIGN) $(STACKER) $(CRYPTO_TEST)
 	which skopeo && skopeo --version; \
 	which stacker && stacker --version; \
 	which regctl && regctl version; \

go.mod

@@ -314,6 +314,7 @@ require (
 	github.com/jtolds/gls v4.20.0+incompatible // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f // indirect
 	github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23 // indirect
 	github.com/knqyf263/go-rpm-version v0.0.0-20220614171824-631e686d1075 // indirect
@@ -456,6 +457,7 @@ require (
 	github.com/yuin/gopher-lua v1.1.1 // indirect
 	github.com/zclconf/go-cty v1.16.2 // indirect
 	github.com/zclconf/go-cty-yaml v1.1.0 // indirect
+	github.com/zeebo/blake3 v0.2.4 // indirect
 	github.com/zeebo/errs v1.4.0 // indirect
 	github.com/zitadel/logging v0.6.2 // indirect
 	github.com/zitadel/schema v1.3.1 // indirect
@@ -533,3 +535,5 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )
+
+replace github.com/opencontainers/go-digest => github.com/project-zot/go-digest v0.0.0-20250501003621-612e7142c60b

go.sum

@@ -1575,6 +1575,8 @@ github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrD
 github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
 github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f h1:GvCU5GXhHq+7LeOzx/haG7HSIZokl3/0GkoUFzsRJjg=
 github.com/knqyf263/go-apk-version v0.0.0-20200609155635-041fdbb8563f/go.mod h1:q59u9px8b7UTj0nIjEjvmTWekazka6xIt6Uogz5Dm+8=
 github.com/knqyf263/go-deb-version v0.0.0-20241115132648-6f4aee6ccd23 h1:dWzdsqjh1p2gNtRKqNwuBvKqMNwnLOPLzVZT1n6DK7s=
@@ -1770,8 +1772,6 @@ github.com/open-policy-agent/opa v1.2.0 h1:88NDVCM0of1eO6Z4AFeL3utTEtMuwloFmWWU7
 github.com/open-policy-agent/opa v1.2.0/go.mod h1:30euUmOvuBoebRCcJ7DMF42bRBOPznvt0ACUMYDUGVY=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20250123160558-a139cc423184 h1:4fMydcL7sQjWQPMmzTLpRtsKl5KQdZVNcvPoYwpr4G4=
 github.com/opencontainers/distribution-spec/specs-go v0.0.0-20250123160558-a139cc423184/go.mod h1:Va0IMqkjv62YSEytL4sgxrkiD9IzU0T0bX/ZZEtMnSQ=
-github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
-github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
 github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
 github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
@@ -1824,6 +1824,8 @@ github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
 github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg=
+github.com/project-zot/go-digest v0.0.0-20250501003621-612e7142c60b h1:+hNMoRN8I3CvY9T/HJbm4eguU1l4rWRlL+U9n3GAsqE=
+github.com/project-zot/go-digest v0.0.0-20250501003621-612e7142c60b/go.mod h1:fD+VSSgkVpG1shrWHaX1XcWJmU0gfR+5qLbw0/UvE3k=
 github.com/project-zot/mockoidc v0.0.0-20240610203808-d69d9e02020a h1:525aNEKSyDcqJcawiGtA2NPNApJMta8bUe9SoYuhQ+o=
 github.com/project-zot/mockoidc v0.0.0-20240610203808-d69d9e02020a/go.mod h1:ltIE6ZO/czh/g4xdNQlFGkl7DAfaLLFYmitB4taA5ys=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
@@ -2124,9 +2126,14 @@ github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940 h1:4r45xpDWB6
 github.com/zclconf/go-cty-debug v0.0.0-20240509010212-0d6042c53940/go.mod h1:CmBdvvj3nqzfzJ6nTCIwDTPZ56aVGvDrmztiO5g3qrM=
 github.com/zclconf/go-cty-yaml v1.1.0 h1:nP+jp0qPHv2IhUVqmQSzjvqAWcObN0KBkUl2rWBdig0=
 github.com/zclconf/go-cty-yaml v1.1.0/go.mod h1:9YLUH4g7lOhVWqUbctnVlZ5KLpg7JAprQNgxSZ1Gyxs=
+github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
 github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
+github.com/zeebo/blake3 v0.2.4 h1:KYQPkhpRtcqh0ssGYcKLG1JYvddkEA8QwCM/yBqhaZI=
+github.com/zeebo/blake3 v0.2.4/go.mod h1:7eeQ6d2iXWRGF6npfaxl2CU+xy2Fjo2gxeyZGCRUjcE=
 github.com/zeebo/errs v1.4.0 h1:XNdoD/RRMKP7HD0UhJnIzUy74ISdGGxURlYG8HSWSfM=
 github.com/zeebo/errs v1.4.0/go.mod h1:sgbWHsvVuTPHcqJJGQ1WhI5KbWlHYz+2+2C/LSEtCw4=
+github.com/zeebo/pcg v1.0.1 h1:lyqfGeWiv4ahac6ttHs+I5hwtH/+1mrhlCtVNQM2kHo=
+github.com/zeebo/pcg v1.0.1/go.mod h1:09F0S9iiKrwn9rlI5yjLkmrug154/YRW6KnnXVDM/l4=
 github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 github.com/zitadel/logging v0.6.2 h1:MW2kDDR0ieQynPZ0KIZPrh9ote2WkxfBif5QoARDQcU=
 github.com/zitadel/logging v0.6.2/go.mod h1:z6VWLWUkJpnNVDSLzrPSQSQyttysKZ6bCRongw0ROK4=

golangcilint.yaml

@@ -35,8 +35,7 @@ linters:
       threshold: 200
     gomoddirectives:
       replace-allow-list:
-        - github.com/gorilla/mux
-        - github.com/testcontainers/testcontainers-go
+        - github.com/opencontainers/go-digest
     mnd:
       checks:
         - argument

pkg/api/controller_test.go

@@ -13577,11 +13577,11 @@ func TestSupportedDigestAlgorithms(t *testing.T) {
 		verifyReturnedManifestDigest(t, client, baseURL, name, expectedDigestStr, expectedDigestStr)
 	})
 
-	Convey("Test SHA384 single-arch image", t, func() {
-		image := CreateImageWithDigestAlgorithm(godigest.SHA384).
+	Convey("Test BLAKE3 single-arch image", t, func() {
+		image := CreateImageWithDigestAlgorithm(godigest.Blake3).
 			RandomLayers(1, 10).DefaultConfig().Build()
 
-		name := "algo-sha384"
+		name := "algo-blake3"
 		tag := "singlearch"
 
 		err := UploadImage(image, baseURL, name, tag)
@@ -13663,15 +13663,15 @@ func TestSupportedDigestAlgorithms(t *testing.T) {
 			subImage2.ManifestDescriptor.Digest.String(), subImage2.ManifestDescriptor.Digest.String())
 	})
 
-	Convey("Test SHA384 multi-arch image", t, func() {
-		subImage1 := CreateImageWithDigestAlgorithm(godigest.SHA384).RandomLayers(1, 10).
+	Convey("Test BLAKE3 multi-arch image", t, func() {
+		subImage1 := CreateImageWithDigestAlgorithm(godigest.Blake3).RandomLayers(1, 10).
 			DefaultConfig().Build()
-		subImage2 := CreateImageWithDigestAlgorithm(godigest.SHA384).RandomLayers(1, 10).
+		subImage2 := CreateImageWithDigestAlgorithm(godigest.Blake3).RandomLayers(1, 10).
 			DefaultConfig().Build()
-		multiarch := CreateMultiarchWithDigestAlgorithm(godigest.SHA384).
+		multiarch := CreateMultiarchWithDigestAlgorithm(godigest.Blake3).
 			Images([]Image{subImage1, subImage2}).Build()
 
-		name := "algo-sha384"
+		name := "algo-blake3"
 		tag := "multiarch"
 
 		err := UploadMultiarchImage(multiarch, baseURL, name, tag)

pkg/storage/storage_test.go

@@ -414,10 +414,10 @@ func TestStorageAPIs(t *testing.T) {
 					So(len(digests), ShouldEqual, 2)
 				})
 
-				Convey("Full blob upload sha384", func() {
-					body := []byte("this blob will be hashed using sha384")
+				Convey("Full blob upload blake3", func() {
+					body := []byte("this blob will be hashed using blake3")
 					buf := bytes.NewBuffer(body)
-					digest := godigest.SHA384.FromBytes(body)
+					digest := godigest.Blake3.FromBytes(body)
 					upload, n, err := imgStore.FullBlobUpload("test", buf, digest)
 					So(err, ShouldBeNil)
 					So(n, ShouldEqual, len(body))

test/blackbox/hash.bats

@@ -0,0 +1,111 @@
+# Note: Intended to be run as "make run-blackbox-tests" or "make run-blackbox-ci"
+#       Makefile target installs & checks all necessary tooling
+#       Extra tools that are not covered in Makefile target needs to be added in verify_prerequisites()
+
+load helpers_zot
+
+function verify_prerequisites {
+    if [ ! $(command -v curl) ]; then
+        echo "you need to install curl as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v jq) ]; then
+        echo "you need to install jq as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    if [ ! $(command -v htpasswd) ]; then
+        echo "you need to install htpasswd as a prerequisite to running the tests" >&3
+        return 1
+    fi
+
+    return 0
+}
+
+function setup_file() {
+    # Verify prerequisites are available
+    if ! $(verify_prerequisites); then
+        exit 1
+    fi
+
+    # Download test data to folder common for the entire suite, not just this file
+    skopeo --insecure-policy copy --format=oci docker://ghcr.io/project-zot/test-images/busybox:1.36 oci:${TEST_DATA_DIR}/busybox:1.36
+
+    # Setup zot server
+    local zot_root_dir=${BATS_FILE_TMPDIR}/zot
+    local zot_config_file=${BATS_FILE_TMPDIR}/zot_config.json
+    local oci_data_dir=${BATS_FILE_TMPDIR}/oci
+    local zot_htpasswd_file=${BATS_FILE_TMPDIR}/htpasswd
+    mkdir -p ${zot_root_dir}
+    mkdir -p ${oci_data_dir}
+    zot_port=$(get_free_port)
+    echo ${zot_port} > ${BATS_FILE_TMPDIR}/zot.port
+    htpasswd -Bbn ${AUTH_USER} ${AUTH_PASS} >> ${zot_htpasswd_file}
+    cat > ${zot_config_file}<<EOF
+{
+    "distSpecVersion": "1.1.1",
+    "storage": {
+        "rootDirectory": "${zot_root_dir}"
+    },
+    "extensions": {
+        "search": {
+            "enable": true
+        },
+        "ui": {
+            "enable": true
+        }
+    },
+    "http": {
+        "address": "0.0.0.0",
+        "port": "${zot_port}",
+        "auth": {
+            "htpasswd": {
+                "path": "${zot_htpasswd_file}"
+            }
+        },
+        "accessControl": {
+            "repositories": {
+                "**": {
+                    "anonymousPolicy": ["read"],
+                    "policies": [
+                        {
+                            "users": [
+                                "${AUTH_USER}"
+                            ],
+                            "actions": [
+                                "read",
+                                "create",
+                                "update"
+                            ]
+                        }
+                    ]
+                }
+            }
+        }
+    },
+    "log": {
+        "level": "debug",
+        "output": "${BATS_FILE_TMPDIR}/zot.log"
+    }
+}
+EOF
+    git -C ${BATS_FILE_TMPDIR} clone https://github.com/project-zot/helm-charts.git
+    zot_serve ${ZOT_PATH} ${zot_config_file}
+    wait_zot_reachable ${zot_port}
+}
+
+function teardown() {
+    # conditionally printing on failure is possible from teardown but not from from teardown_file
+    cat ${BATS_FILE_TMPDIR}/zot.log
+}
+
+function teardown_file() {
+    zot_stop_all
+}
+
+@test "test various crypto hashes" {
+    zot_port=`cat ${BATS_FILE_TMPDIR}/zot.port`
+    run cryptotest --plain-http --registry 127.0.0.1:${zot_port}
+    [ "$status" -eq 0 ]
+}