Incompatible change of OCM-Component-Descriptor-Normalisation between OCM-CLI v0.18.0 vs v0.19.0

[ccwienk]

Context

Our delivery-setup encompasses the replication of OCM-Component-Descriptors between multiple OCM-Repositories (dev, staging, ..). We sign our root component-descriptors at the "left-most" OCM-Repository, and validate signatures after replication into "downstream" OCM-Repositories to ensure integrity of replicated contents.

After upgrading from OCM-CLI v0.18.0 to v0.19.0, validation failed for downstream OCM-Repositories (while, interestingly, consistently not failing for the "left-most" OCM-Repository). I assume this deviance might stem from normalisation(s) that happened during downstream replication.

At any rate, it can consistently be shown that ocm hash componentversions command outputs different hash-digests for the same componentversion.

Reproducer

Assuming ocm-v0.18.0 and ocm-v0.19.0 are available from PATH, and are copies of OCM-CLI equal to respective version-suffixed, and furthermore assuming OCM-CLI is provided w/ required credentials, the following script will yield different hash-digests:

ocm-v0.18.0 \
 ocm hash componentversions \
 --output yaml \
--lookup OCIRegistry::europe-docker.pkg.dev/sap-se-gcp-k8s-delivery/releases-staging-private \
  github.com/gardener/gardener:v1.110.1

# digest: b40006cb7a995be00fdc9c5f85cc4239ee7387288697a9ce2e29482a579bf66d

ocm-v0.19.0 \
 ocm hash componentversions \
 --output yaml \
--lookup OCIRegistry::europe-docker.pkg.dev/sap-se-gcp-k8s-delivery/releases-staging-private \
  github.com/gardener/gardener:v1.110.1

# digest: a2d421e0ede2f34905a1006872e07017d2cd435a0680f3f378a593a5c7ade097

Wheareas the following calls (same assumptions as before) will yield equal digests (as expected):

ocm-v0.18.0 \
 ocm hash componentversions \
 --output yaml \
--lookup OCIRegistry::europe-docker.pkg.dev/sap-se-gcp-k8s-delivery/releases-private \
  github.com/gardener/gardener:v1.110.1

# digest: b40006cb7a995be00fdc9c5f85cc4239ee7387288697a9ce2e29482a579bf66d

ocm-v0.19.0 \
 ocm hash componentversions \
 --output yaml \
--lookup OCIRegistry::europe-docker.pkg.dev/sap-se-gcp-k8s-delivery/releases-private \
  github.com/gardener/gardener:v1.110.1

# digest: b40006cb7a995be00fdc9c5f85cc4239ee7387288697a9ce2e29482a579bf66d

The OCM-Repository from the second two-tuple of commands is the "left-most" OCM-Repository, whereas the OCM-Repository from the first two-tuple of commands is target of replication (from left-most repository).

Observed behaviour:

OCM-CLI v0.19.0 and v0.18.0 will yield different normalisations / hash-digests for equal component-descriptor-trees (see above)

Expected behaviour:

OCM-CLI v0.19.0 and v0.18.0 should yield equal normalisations / hash-digest for equal component-descriptor-tree.

[jakobmoellerdev]

Im assuming this is due to #1026
However Im struggling what to recommend now.
There should be an output argument for the normalized component descriptor called outfile in ocm hash which you can use to compare the two results. would be great if you could check the diff between them and let me know what youre regressing on.