moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0
8.08k stars 1.14k forks

dockerfile: clarify that checksum works with HTTPS #5064

Closed dvdksn closed 3 months ago

dvdksn commented 3 months ago

Docs and error message didn't indicate whether checksum was supported for HTTPS.

dvdksn commented 3 months ago

@tonistiigi yeah I thought about something like that, but it doesn't work with Git URLs afaict. I guess Git URLs could still use HTTP however so the current description isn't super clear about that either.

Actually, I checked the Git URL over HTTP case, and it seems there's a bug. Trying to do ADD --checksum of a git@ URL prints an error.

Dockerfile:5
--------------------
   3 |     FROM scratch
   4 | >>> ADD --checksum=sha256:1005882735b796c332de70ff8f210ddd77d1c31ae03e6b0949b4480ad3f12804 git@github.com:docker/buildx.git /
   5 |     
--------------------
ERROR: checksum can't be specified for non-HTTP sources

But changing that URL to https://github.com/docker/buildx.git doesn't print the error (but still doesn't do any checksum validation).

tonistiigi commented 3 months ago

Yes, I didn't think about the Git case. You can't add checksum to Git even if it is HTTP git URL (you can set a commit sha that behaves like a checksum but that is part of the URL).

> But changing that URL to https://github.com/docker/buildx.git doesn't print the error (but still doesn't do any checksum validation).

@AkihiroSuda Can you take a look? Looks like https://github.com/moby/buildkit/blob/v0.14.1/frontend/dockerfile/dockerfile2llb/convert.go#L1352-L1354 needs to do a Git URL check first.
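
The check ordering discussed above, as an added Go example that is not BuildKit's own code: `looksLikeGitURL` is a hypothetical, simplified heuristic and the Git-specific error text is constructed. It contrasts an HTTP-first check, which accepts an HTTPS Git URL with a checksum that is never validated, with a Git-first check that rejects it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Only errNonHTTP's text appears in the thread; errGit's text is constructed.
var (
	errNonHTTP = errors.New("checksum can't be specified for non-HTTP sources")
	errGit     = errors.New("checksum can't be specified for Git sources")
)

func isHTTP(src string) bool {
	return strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://")
}

// looksLikeGitURL is a hypothetical, simplified heuristic, not BuildKit's detection.
func looksLikeGitURL(src string) bool {
	base, _, _ := strings.Cut(src, "#") // drop an optional "#ref" fragment
	return strings.HasPrefix(src, "git@") || strings.HasPrefix(src, "git://") ||
		(isHTTP(src) && strings.HasSuffix(base, ".git"))
}

// checkHTTPFirst models the reported behaviour: an HTTPS Git URL passes the
// HTTP test, so the checksum is accepted but nothing ever validates it.
func checkHTTPFirst(src, checksum string) error {
	if checksum != "" && !isHTTP(src) {
		return errNonHTTP
	}
	return nil
}

// checkGitFirst classifies Git URLs before the HTTP test, so the build fails
// loudly instead of silently skipping validation.
func checkGitFirst(src, checksum string) error {
	if checksum != "" && looksLikeGitURL(src) {
		return errGit
	}
	return checkHTTPFirst(src, checksum)
}

func main() {
	const sum = "sha256:constructed-placeholder" // constructed sample value
	for _, src := range []string{"git@github.com:docker/buildx.git",
		"https://github.com/docker/buildx.git", "https://example.com/app.tar.gz"} {
		fmt.Printf("%-40s http-first=%v git-first=%v\n", src, checkHTTPFirst(src, sum), checkGitFirst(src, sum))
	}
}
```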

AkihiroSuda commented 3 months ago

> Yes, I didn't think about the Git case. You can't add checksum to Git even if it is HTTP git URL (you can set a commit sha that behaves like a checksum but that is part of the URL).
>
> > But changing that URL to https://github.com/docker/buildx.git doesn't print the error (but still doesn't do any checksum validation).
>
> @AkihiroSuda Can you take a look? Looks like https://github.com/moby/buildkit/blob/v0.14.1/frontend/dockerfile/dockerfile2llb/convert.go#L1352-L1354 needs to do a Git URL check first.