Support SHA512 hash for image verification

[simcod]

Description

When a machine image is retrieved, its integrity is checked. Currently this is done with an md5 hash file next to the image file. This PR adds support for a sha512 checksum file. Thus, md5 and sha512 checksum files can be used for image verification. If both are present, sha512 will be used.

[majst01]

This would raise a lot of work in other repos like, metal-images, metal-image-cache and potentially others.

I would rather prefer that we try to move over to use OCI images. This format already includes signing and is a more commonly used format for such use-cases.

[majst01]

Will merge after i validated #148 in our test environment !

[majst01]

Maybe this also helps in this respect:

https://github.blog/changelog/2025-03-18-github-actions-now-supports-a-digest-for-validating-your-artifacts-at-runtime/

Should at least be noted in the Readme.md

[robertvolkmann]

Any plan to merge or to close it?

[majst01]

Any plan to merge or to close it?

There are still no sha256 checksum generated, still interested in this but this must be done first.

[robertvolkmann]

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

[mac641]

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

Yes, it reads interesting. I'll see what I can do.

[majst01]

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

Yes, it reads interesting. I'll see what I can do.

I am not sure if this is worth the effort, i would rather prefer to make metal-hammer able to pull metal-images as oci artifacts. This would also solve the signature check problem and must not be done for two algorithms as here

[majst01]

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

Yes, it reads interesting. I'll see what I can do.

I am not sure if this is worth the effort, i would rather prefer to make metal-hammer able to pull metal-images as oci artifacts. This would also solve the signature check problem and must not be done for two algorithms as here

Made a small sample here: #169 which should not be used as a real PR but as showcase how this could be achieved.

if someone has spare time, raise your hands :-)

[mac641]

There are still no sha256 checksum generated, still interested in this but this must be done first.

@mac641 are you interested to look into it?

Yes, it reads interesting. I'll see what I can do.

I am not sure if this is worth the effort, i would rather prefer to make metal-hammer able to pull metal-images as oci artifacts. This would also solve the signature check problem and must not be done for two algorithms as here

Made a small sample here: #169 which should not be used as a real PR but as showcase how this could be achieved.

if someone has spare time, raise your hands :-)

Me ✋