Inconsistent digest + tag handling in helm 4 install with OCI Chart

[maboehm]

What happened?

I tried many different references with unexpected results:

For reference, the tag in the registry is 1.4.2, and digest is sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d. A tag v1.4.2 does NOT exist.

# tag only
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:1.4.2
# works

# tag with "v"
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:v1.4.2
Error: failed to perform "FetchReference" on source: ghcr.io/nginxinc/charts/nginx-ingress:v1.4.2: not found

# digest only
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress@sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d
# works

# tag without "v" and digest 
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:1.4.2@sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d
Error: encoding/hex: invalid byte: U+0073 's'

# tag with "v" and digest
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:v1.4.2@sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d
# works

# tag + wrong digest
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:1.4.2@sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c9003xxx
Error: invalid reference: invalid digest "sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c9003xxx": invalid checksum digest format
# unexpected, but very nice

# Wrong tag + digest
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:v1.4.2xxx@sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d
# works

What did you expect to happen?

More consistency:

• tag+digest should work. Why does it only work with an invalid tag?
• if specifying a wrong digest gets validated, the reverse should also be true. If the tag points to a different digest this should cause an error
  • actually, most client usually ignore the tag entirely if a digest is present. But as-is the helm4 implementation is inconsistent.

How can we reproduce it (as minimally and precisely as possible)?

See my sample commands above.

Helm version

Details

$ helm4 version
version.BuildInfo{Version:"v4.0.1", GitCommit:"12500dd401faa7629f30ba5d5bff36287f3e94d3", GitTreeState:"clean", GoVersion:"go1.25.4", KubeClientVersion:"v1.34"}```
</details>


### Kubernetes version

<details>

```console
$ kubectl version
Client Version: v1.34.1
Kustomize Version: v5.7.1
Server Version: v1.34.0```

</details>

[banjoh]

I'm able to reproduce this inconsistency

[banjoh]

I created https://github.com/helm/helm/pull/31601/files PR which addresses

# tag without "v" and digest 
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:1.4.2@sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d
Error: encoding/hex: invalid byte: U+0073 's'

Here is the test

helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress:1.4.2@sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d
Pulled: ghcr.io/nginxinc/charts/nginx-ingress@sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d
Digest: sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d

As for a successfull pull when the tag is wrong (v1.4.2@sha256:aef46c6...), the digest is given preference. This seems to be an intentional behaviour

[banjoh]

You can test the build of #31601 PR to see if it works as you would want.

[maboehm]

Thanks for looking into it so quickly!

This seems to be an intentional behaviour

Ah, I looked at my error output more closely again - (invalid checksum digest format). This is expected, as x is not a hex character. So the better test cases are:

# digest that does not exist
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:v1.4.2@sha256:bd28166722efb54ff4645f9de175f5db319b38cb5f1a95ade626e53c93cbcaaa

Error: failed to perform "FetchReference" on source: ghcr.io/nginxinc/charts/nginx-ingress@sha256:bd28166722efb54ff4645f9de175f5db319b38cb5f1a95ade626e53c93cbcaaa: not found
# as expected, digest does not exist

# the digest actually points to v1.4.1
$ helm4 upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:v1.4.2@sha256:bd28166722efb54ff4645f9de175f5db319b38cb5f1a95ade626e53c93cbc6eb

$ helm4 list
NAME         	NAMESPACE	REVISION	UPDATED                             	STATUS  	CHART              	APP VERSION
nginx-ingress	default  	9       	2025-12-03 15:22:02.417585 +0100 CET	deployed	nginx-ingress-1.4.1	3.7.1

So I guess this is the same way most clients behave - when both are present the tag is simply ignored.

[maboehm]

I checked out your change and ran

go run ./cmd/helm upgrade --install nginx-ingress oci://ghcr.io/nginxinc/charts/nginx-ingress:1.4.2@sha256:aef46c66a7f2d5a12a7e3f54a64790daf5c9a9e66af3f46955efdaa6c900341d

Sucessfully, so I guess your PR resolves this.

[banjoh]

Awesome!