fix sha512 checksum for ubuntu-22.04

[sebastian-luna-valero]

Summary

sha512 check sum computed on build time:

### BUILD-IMAGE: SUCCESS - qcow: Ubuntu.22.04-2025.01.27.qcow2 sha512sum: 556cb503eeabb8678a33d90ae70cbf37c15dfe4a94a18fa5c28085671cab211137f7809ddb1b769be2c81acf26e26877a1235a21645984e6cb83cfccf69357f4
### BUILD ENDED

xref #103

For some reason a different checksum was added:

fedcloud-vmi-templates/ubuntu/appdb/ubuntu-22.04.yaml

Line 7 in 13295a9

sha512: "17d3ee51f7a393905e63168ebb82f9d9f28316065edd6ccdca25fd8d84dc2ebddb6c2de2484dfb6220ac55a14045ffb006fe9c919475a6f83f6b2a65cde1f2ee"

---

Related issue :

[enolfc]

LGTM

[brucellino]

If the checksum changes, then the image has changed, but we have no idea what has happened to make this change. Is there no insight into the provenance? I would have at least expected a different date? This feels like a bit of a security bypass? Is there any attestation on that upstream image that says it's passed some sort of check?

[sebastian-luna-valero]

The checksum added to this PR is the one computed in #103 when the VMI was built. Check out the last lines of the build log in: #103 (comment)

This is what I mean above: #104 (comment)

The missing piece for me is where the wrong checksum is coming from?

[enolfc]

The missing piece for me is where the wrong checksum is coming from?

We need better provenance, we should not call all images the same while they are being produced (should we use the commit sha?) and the merge in this repo should be the one that generates the file for appdb including the shasum (or when appdb is not there, the upload to registry)