Fix Containers digest test failures and align digest validation closer to OCI spec #53933
Merged
lbussell merged 7 commits into dotnet:main from Apr 17, 2026
Pull request overview
Fixes container digest-related unit test failures by tightening digest parsing/validation to use an anchored OCI-spec-based regex and by centralizing digest validation in DigestUtils.
Changes:
- Introduces ReferenceParser.AnchoredDigestRegexp (anchored + capturing groups) and updates digest grammar to align with the OCI image-spec.
- Moves digest validation to DigestUtils.GetEncoded(...) and updates call sites to use the new API/method names.
- Updates/adds unit tests to validate DigestUtils behavior and uses valid SHA-256 digests in registry tests.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| test/Microsoft.NET.Build.Containers.UnitTests/RegistryTests.cs | Replaces placeholder digests with valid SHA-256 digests so blob download tests exercise realistic inputs. |
| test/Microsoft.NET.Build.Containers.UnitTests/DigestUtilsTests.cs | Adds focused tests for digest parsing/validation and SHA-256 digest/hash helpers. |
| test/Microsoft.NET.Build.Containers.UnitTests/ContentStoreTests.cs | Narrows ContentStore tests now that digest format validation is owned by DigestUtils. |
| src/Containers/Microsoft.NET.Build.Containers/Tasks/CreateImageIndex.cs | Uses DigestUtils.GetEncoded to extract the encoded SHA for local-registry blob paths. |
| src/Containers/Microsoft.NET.Build.Containers/ReferenceParser.cs | Adds anchored digest regex with capture groups and updates digest grammar components. |
| src/Containers/Microsoft.NET.Build.Containers/ManifestV2.cs | Switches to renamed digest helper (ComputeSha256Digest). |
| src/Containers/Microsoft.NET.Build.Containers/LocalDaemons/DockerCli.cs | Uses renamed digest helpers and GetEncoded when computing blob paths. |
| src/Containers/Microsoft.NET.Build.Containers/ImageBuilder.cs | Uses renamed SHA-256 helpers (ComputeSha256, FormatSha256Digest). |
| src/Containers/Microsoft.NET.Build.Containers/DigestUtils.cs | Implements centralized digest validation via anchored parsing + registered-algorithm enforcement. |
| src/Containers/Microsoft.NET.Build.Containers/ContentStore.cs | Replaces direct regex validation/substr logic with DigestUtils.GetEncoded. |
baronfel approved these changes Apr 16, 2026
baronfel (Member) left a comment:
This is a delight to read. Thanks for the refactoring and complete doc comments!
mthalman reviewed Apr 17, 2026
mthalman approved these changes Apr 17, 2026
mthalman approved these changes Apr 17, 2026
Member
Author
/ba-g All failures appear to be instances of #53869
marcpopMSFT added a commit that referenced this pull request Apr 17, 2026
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
marcpopMSFT added a commit that referenced this pull request Apr 17, 2026
… from #53933 and additional test fixes
# Conflicts:
# src/Containers/Microsoft.NET.Build.Containers/ContentStore.cs
# src/Containers/Microsoft.NET.Build.Containers/DigestUtils.cs
# src/Containers/Microsoft.NET.Build.Containers/LocalDaemons/DockerCli.cs
# src/Containers/Microsoft.NET.Build.Containers/ManifestV2.cs
# src/Containers/Microsoft.NET.Build.Containers/Registry/Registry.cs
# test/dotnet.Tests/CommandTests/Run/GivenDotnetRunBuildsCsProj.cs
# test/dotnet.Tests/CommandTests/Run/GivenDotnetRunBuildsVbProj.cs
# test/dotnet.Tests/CommandTests/Run/RunCommandTests.cs
This PR fixes #53918.
The root cause is that #53724 used the wrong regex for digest validation.
It used ReferenceParser.DigestRegexp.IsMatch(digestString) to validate the digest, which was not anchored. This caused multiple tests to fail.
This PR contains several changes:
- AnchoredDigestRegexp) to ReferenceParser.cs which captures the encoded value as well as the algorithm.
- ReferenceParser.cs to adhere strictly to the OCI spec instead of the golang reference implementation. This is a slight departure from the existing code in ReferenceParser.cs.
- ContentStore.cs to DigestUtils.cs.
- ContentStore.cs. That type of change is out of scope for this PR which is just intending to get tests passing again. The limitation is called out in the code.
- DigestUtils.cs to be more technically accurate.
- DigestUtils instead of ContentStore as appropriate.
Permalinks to all referenced specs are contained in the doc comments in the code.
It is worth noting that these are all band-aid fixes. The long term fix is Use Oras .NET library for interacting with OCI registries in Microsoft.NET.Build.Containers (dotnet/sdk#53691). The ORAS .NET library does better at validating digests, validating content, and adhering to the OCI spec.
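The unanchored-match problem described above, as an added C# example that is not part of this PR or the SDK's code: it runs the OCI image-spec digest grammar through `Regex.IsMatch` without anchors, then through an anchored match plus a registered-algorithm check. `DigestCheck`, `TryGetEncoded` and the sample inputs are hypothetical and constructed for illustration; only `sha256` and `sha512` are treated as registered here.

```csharp
using System;
using System.Text.RegularExpressions;

// Added illustration. DigestCheck and TryGetEncoded are hypothetical names,
// not the SDK's ReferenceParser/DigestUtils code.
static class DigestCheck
{
    // OCI image-spec grammar: algorithm ":" encoded
    const string Grammar =
        @"(?<alg>[a-z0-9]+(?:[+._-][a-z0-9]+)*):(?<enc>[a-zA-Z0-9=_-]+)";
    // Unanchored: IsMatch is true when any substring fits the grammar.
    static readonly Regex Unanchored = new Regex(Grammar);
    // Anchored: the whole input must fit. \z (unlike $) rejects a trailing newline.
    static readonly Regex Anchored = new Regex(@"\A" + Grammar + @"\z");

    static bool TryGetEncoded(string digest, out string encoded)
    {
        encoded = "";
        Match m = Anchored.Match(digest);
        if (!m.Success) return false;
        // Registered algorithms fix the encoding: lowercase hex of a set length.
        int hexLen = m.Groups["alg"].Value switch { "sha256" => 64, "sha512" => 128, _ => 0 };
        string enc = m.Groups["enc"].Value;
        if (hexLen == 0 || enc.Length != hexLen) return false; // unregistered or wrong size
        foreach (char c in enc)
            if (!Uri.IsHexDigit(c) || char.IsUpper(c)) return false;
        encoded = enc;
        return true;
    }

    static void Main()
    {
        string hex = new string('a', 64); // constructed sample value
        string[] samples =
        {
            "sha256:" + hex,              // well-formed sha256 digest
            "not a digest sha256:" + hex, // digest appears only as a substring
            "sha256:" + hex + "!extra",   // trailing characters outside the grammar
            "sha256:" + hex + "\n",       // trailing newline
            "SHA256:" + hex,              // substring "256:<hex>" still fits the grammar
            "sha256:abc",                 // fits the grammar, wrong length for sha256
        };
        foreach (string s in samples)
            Console.WriteLine($"loose={Unanchored.IsMatch(s)} strict={TryGetEncoded(s, out _)} input={s.TrimEnd()}");
    }
}
```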