Description
Background
The Rust tee-launcher currently stores and validates MPC images using the config digest (image ID from docker inspect). To pull an image by digest, the launcher must:
- Authenticate with Docker Hub (`auth.docker.io/token`)
- Iterate through image tags, fetching manifests with retry logic
- Handle multi-arch image indexes (find the amd64/linux platform)
- Match the config digest against the approved hash
- Extract the manifest digest from the `Docker-Content-Digest` response header
- Pull by manifest digest
This is ~150 lines of registry API code (`get_manifest_digest` in `main.rs`).
Now that we have reproducible Docker builds, the manifest digest is deterministic — it can be known at voting time. If the contract stored manifest digests instead of (or in addition to) config digests, the launcher could skip the registry API entirely and just `docker pull image@sha256:<manifest_hash>`, then verify the config digest locally after pulling.
Reference: gilcu3's comment on PR #2621
User Story
As a launcher developer, I want to simplify the image validation flow so there is less code to maintain and fewer external API calls that can fail.
Acceptance Criteria
- Evaluate whether the contract should store manifest digests, config digests, or both
- If manifest digests: update voting flow and contract storage
- Simplify `get_manifest_digest` to a direct pull-by-digest
- Verify the config digest locally after pulling
- Remove or simplify registry auth/retry code
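The pull-by-manifest-digest flow described in the Background and the "simplify / verify locally" acceptance criteria above, as an added Rust example (not the tee-launcher's own code). It assumes the contract hands the launcher both digests as `sha256:<hex>` strings and that a `docker` CLI is on `PATH`; the function and repository names are hypothetical:

```rust
// Added example, not code from the tee-launcher crate. Pull an MPC image by its
// manifest digest (no registry auth, tag iteration or index parsing needed),
// then verify the config digest (the `docker inspect` image ID) locally.
// Assumption: digests arrive as "sha256:<64 hex chars>"; names are hypothetical.
use std::process::Command;

/// Normalise a digest so "sha256:abc…", "ABC…" and "sha256:ABC…" compare equal.
/// Returns None for anything that is not a 64-hex-character SHA-256 value.
fn normalize_digest(d: &str) -> Option<String> {
    let trimmed = d.trim();
    let hex = trimmed.strip_prefix("sha256:").unwrap_or(trimmed).to_ascii_lowercase();
    if hex.len() == 64 && hex.bytes().all(|b| b.is_ascii_hexdigit()) {
        Some(format!("sha256:{hex}"))
    } else {
        None
    }
}

/// Build the content-addressed pull reference `repo@sha256:<manifest_hash>`.
/// A digest reference bypasses tag resolution entirely, which is what lets
/// the launcher drop the registry API code.
pub fn pull_reference(repo: &str, manifest_digest: &str) -> Option<String> {
    let digest = normalize_digest(manifest_digest)?;
    // The repo part must be a bare name: no tag, no digest already attached.
    if repo.is_empty() || repo.contains('@') {
        return None;
    }
    Some(format!("{repo}@{digest}"))
}

/// Compare the `.Id` reported by `docker image inspect` (the config digest)
/// with the approved hash from the contract. Both sides are normalised first
/// so case or a missing "sha256:" prefix cannot cause a false mismatch.
pub fn verify_config_digest(inspect_id: &str, approved_config_digest: &str) -> Result<(), String> {
    let got = normalize_digest(inspect_id)
        .ok_or_else(|| format!("malformed image id: {inspect_id:?}"))?;
    let want = normalize_digest(approved_config_digest)
        .ok_or_else(|| format!("malformed approved digest: {approved_config_digest:?}"))?;
    if got == want {
        Ok(())
    } else {
        Err(format!("config digest mismatch: got {got}, want {want}"))
    }
}

/// Full flow: `docker pull repo@sha256:<manifest>`, then `docker image inspect`
/// and check the config digest against the approved value. Needs a running
/// Docker daemon, so it is not exercised by the offline checks.
pub fn pull_and_verify(repo: &str, manifest_digest: &str, approved_config_digest: &str) -> Result<String, String> {
    let reference = pull_reference(repo, manifest_digest).ok_or("bad repo or manifest digest")?;

    let pull = Command::new("docker")
        .args(["pull", &reference])
        .output()
        .map_err(|e| format!("failed to run docker pull: {e}"))?;
    if !pull.status.success() {
        return Err(format!("docker pull failed: {}", String::from_utf8_lossy(&pull.stderr)));
    }

    // `{{.Id}}` is the config digest, i.e. the image ID the current launcher validates.
    let inspect = Command::new("docker")
        .args(["image", "inspect", "--format", "{{.Id}}", &reference])
        .output()
        .map_err(|e| format!("failed to run docker inspect: {e}"))?;
    if !inspect.status.success() {
        return Err("docker image inspect failed".to_string());
    }
    let id = String::from_utf8_lossy(&inspect.stdout).trim().to_string();
    verify_config_digest(&id, approved_config_digest)?;
    Ok(reference)
}

fn main() {
    // Constructed sample digests (not real image hashes) to show the offline parts.
    let manifest = format!("sha256:{}", "a".repeat(64));
    let config = "b".repeat(64);
    println!("{:?}", pull_reference("example-org/mpc-node", &manifest));
    println!("{:?}", verify_config_digest(&format!("sha256:{config}"), &config));
    println!("{:?}", verify_config_digest(&format!("sha256:{config}"), &"c".repeat(64)));
}
```

The pull is content-addressed (the manifest digest is the hash of the manifest bytes), so the daemon itself rejects a registry response that does not match the requested digest; the local config-digest check then ties what was pulled back to the hash the contract approved, which is the same property the current `get_manifest_digest` path establishes with far more code.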
Resources & Additional Notes
- Current implementation: `get_manifest_digest()` in `crates/tee-launcher/src/main.rs`
- PR feat: add Rust tee-launcher crate #2621 (Rust launcher crate)
- This is a follow-up optimization, not a blocker for the initial launcher release