Update c/image and c/common to latest, c/buildah to main

... to include https://github.com/containers/image/pull/2173,
https://github.com/containers/common/pull/1731
and https://github.com/containers/buildah/pull/5143 .

Signed-off-by: Miloslav Trmač <mitr@redhat.com>

vendor/github.com/containers/buildah/add.go

@@ -22,6 +22,7 @@ import (
 	"github.com/containers/storage/pkg/fileutils"
 	"github.com/containers/storage/pkg/idtools"
 	"github.com/hashicorp/go-multierror"
+	digest "github.com/opencontainers/go-digest"
 	"github.com/opencontainers/runc/libcontainer/userns"
 	"github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/sirupsen/logrus"
@@ -35,6 +36,9 @@ type AddAndCopyOptions struct {
 	// newly-added content, potentially overriding permissions which would
 	// otherwise be set to 0:0.
 	Chown string
+	// Checksum is a standard container digest string (e.g. <algorithm>:<digest>)
+	// and is the expected hash of the content being copied.
+	Checksum string
 	// PreserveOwnership, if Chown is not set, tells us to avoid setting
 	// ownership of copied items to 0:0, instead using whatever ownership
 	// information is already set.  Not meaningful for remote sources or
@@ -77,7 +81,7 @@ func sourceIsRemote(source string) bool {
 }
 
 // getURL writes a tar archive containing the named content
-func getURL(src string, chown *idtools.IDPair, mountpoint, renameTarget string, writer io.Writer, chmod *os.FileMode) error {
+func getURL(src string, chown *idtools.IDPair, mountpoint, renameTarget string, writer io.Writer, chmod *os.FileMode, srcDigest digest.Digest) error {
 	url, err := url.Parse(src)
 	if err != nil {
 		return err
@@ -110,7 +114,7 @@ func getURL(src string, chown *idtools.IDPair, mountpoint, renameTarget string,
 	}
 	// Figure out the size of the content.
 	size := response.ContentLength
-	responseBody := response.Body
+	var responseBody io.Reader = response.Body
 	if size < 0 {
 		// Create a temporary file and copy the content to it, so that
 		// we can figure out how much content there is.
@@ -130,6 +134,11 @@ func getURL(src string, chown *idtools.IDPair, mountpoint, renameTarget string,
 		}
 		responseBody = f
 	}
+	var digester digest.Digester
+	if srcDigest != "" {
+		digester = srcDigest.Algorithm().Digester()
+		responseBody = io.TeeReader(responseBody, digester.Hash())
+	}
 	// Write the output archive.  Set permissions for compatibility.
 	tw := tar.NewWriter(writer)
 	defer tw.Close()
@@ -161,6 +170,12 @@ func getURL(src string, chown *idtools.IDPair, mountpoint, renameTarget string,
 		return fmt.Errorf("writing content from %q to tar stream: %w", src, err)
 	}
 
+	if digester != nil {
+		if responseDigest := digester.Digest(); responseDigest != srcDigest {
+			return fmt.Errorf("unexpected response digest for %q: %s, want %s", src, responseDigest, srcDigest)
+		}
+	}
+
 	return nil
 }
 
@@ -392,9 +407,16 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 		var wg sync.WaitGroup
 		if sourceIsRemote(src) {
 			pipeReader, pipeWriter := io.Pipe()
+			var srcDigest digest.Digest
+			if options.Checksum != "" {
+				srcDigest, err = digest.Parse(options.Checksum)
+				if err != nil {
+					return fmt.Errorf("invalid checksum flag: %w", err)
+				}
+			}
 			wg.Add(1)
 			go func() {
-				getErr = getURL(src, chownFiles, mountPoint, renameTarget, pipeWriter, chmodDirsFiles)
+				getErr = getURL(src, chownFiles, mountPoint, renameTarget, pipeWriter, chmodDirsFiles, srcDigest)
 				pipeWriter.Close()
 				wg.Done()
 			}()
@@ -441,6 +463,10 @@ func (b *Builder) Add(destination string, extract bool, options AddAndCopyOption
 			continue
 		}
 
+		if options.Checksum != "" {
+			return fmt.Errorf("checksum flag is not supported for local sources")
+		}
+
 		// Dig out the result of running glob+stat on this source spec.
 		var localSourceStat *copier.StatsForGlob
 		for _, st := range localSourceStats {