Files
0x4C33 57b07fa2ac Verify kernel archive integrity (#1703)
Closes https://github.com/apple/container/issues/1687

The default kernel archive is downloaded from a remote release URL
during first-run setup and via `container system kernel set
--recommended`. Previously, the archive contents were not verified after
download, so integrity depended on HTTPS and the release artifact
remaining unchanged.

This change adds digest verification for kernel archives. The
recommended/default kernel now has pinned digest metadata using an
algorithm-prefixed value such as `sha256:<hex>`. `container system
kernel set --tar` accepts `--digest`; remote tar URLs require it, and
local tar archives can also be verified before unpacking and
installation.

The system config also supports `kernel.digest`, and a custom
`kernel.url` must provide a digest for that archive.
2026-07-13 13:04:39 -07:00
..