Update: This appears to be a bug in docker, which I’ve reported here. I’ll update this if/when it gets fixed.
Update 2: Not a bug, just wrong docs. See accepted answer for more info
I’ve got a Dockerfile that uses the ADD command to download a tarball to install into the container. I’m trying to use the --checksum argument to have it validate the download, but it seems to only want to use the sha256 algorithm, even when I specify sha512 like so:
ADD --checksum=sha512:theverylongsha512hashgoeshereblahblahblah https://url.for/the_tarball/the_tarball-1.33.7.tar.gz the_tarball-1.33.7.tar.gz
The docs appear to say this should work, but when I run docker build, I end up with an error like this:
> [16/29] ADD --checksum=sha512:3d425c5a102d441da33030949ba5ec22e388ed0529c298a1984d62486d4924806949708b834229206ee5a36ba30f6de6d09989019e5790a8b665539f9489efd5 https://github.com/ArtifexSoftware/ghostpdl-downloads/releases/download/gs10040/ghostscript-10.04.0.tar.gz ghostscript-10.04.0.tar.gz:
------
ERROR: failed to solve: digest mismatch sha256:c764dfbb7b13fc71a7a05c634e014f9bb1fb83b899fe39efc0b6c3522a9998b1: sha512:3d425c5a102d441da33030949ba5ec22e388ed0529c298a1984d62486d4924806949708b834229206ee5a36ba30f6de6d09989019e5790a8b665539f9489efd5
The part after the ------ makes me think that it’s computing a sha256 hash and trying to compare it to the sha512 hash I provided (which obviously won’t work). I sort of confirmed this by manually computing the sha256 hash for the file and swapping that in (with a sha256: prefix) and that passed.
Some of the packages I’m using only publish sha512 hashes. I’m sure I could just manually compute the 256 hashes for everything if that’s the only viable option, but I wanted to check to see if I’m missing some step.
My docker version:
➜ docker --version
Docker version 26.0.0, build 2ae903e
and I’m doing this on macOS 12.7, running Docker Desktop 4.29 (I guess I’ll try updating, but I don’t really expect that’ll help. Update: as expected, updating my Docker Desktop to 4.35 didn’t solve the issue).
2 Answers
As mentioned in the question, I submitted a bug to docker about this, and the docker team got on it quite quickly. Unfortunately, the outcome is that it's not actually a bug in docker, rather the docs were wrong about what algorithms are supported. Only sha256 is supported; the reason was explained in this older comment. The gist being that the checksum option doesn't just run a full checksum on the downloaded artefact, it's integrated with docker's own layer hashing system, which (I assume) only uses sha256. A change to the docs has been submitted already (though as of this writing it's not live).
I'm probably massively oversimplifying or misrepresenting some details here, but that's a Good Enough™ explanation for me. If you need to know more than a very surface answer to the question "why can't I use other checksum algorithms in ADD in a Dockerfile", please don't rely on this answer and look into it more deeply. If you need to perform a checksum on a build artifact with a different algorithm than sha256, you can't do it with ADD --checksum. To do that, see @DazWilkin's answer.

I’m able to repro your issue. I suspect that Docker does not calculate checksums for any value other than sha256. You could implement the intended behavior: