From 57f4110c4912f4869332f8206ea55cb28df75d62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
Date: Tue, 2 Sep 2025 13:15:32 +0200
Subject: [PATCH 1/2] Add version override
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Allow manual version setting when building. Useful for pre-release
testing builds when there's no tag yet.

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
 .github/workflows/release-buildx.yml          |  4 ++
 .github/workflows/release-compose.yml         |  5 ++
 .github/workflows/release-containerd.yml      |  5 ++
 .../workflows/release-credential-helpers.yml  |  5 ++
 .github/workflows/release-docker-cli.yml      |  5 ++
 .github/workflows/release-docker-engine.yml   |  5 ++
 .github/workflows/release-model.yml           |  5 ++
 docker-bake.hcl                               | 13 +++++
 hack/scripts/gen-ver.sh                       | 47 +++++++++++--------
 pkg/buildx/Dockerfile                         |  4 ++
 pkg/compose/Dockerfile                        |  4 ++
 pkg/containerd/Dockerfile                     |  5 ++
 pkg/credential-helpers/Dockerfile             |  5 ++
 pkg/docker-cli/Dockerfile                     |  5 ++
 pkg/docker-engine/Dockerfile                  |  4 ++
 pkg/model/Dockerfile                          |  4 ++
 16 files changed, 105 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/release-buildx.yml b/.github/workflows/release-buildx.yml
index 4f48fd99..b94a0eaf 100644
--- a/.github/workflows/release-buildx.yml
+++ b/.github/workflows/release-buildx.yml
@@ -11,6 +11,10 @@ on:
         description: 'Ref (e.g. v0.10.0)'
         required: true
         type: string
+      version:
+        description: 'Override default version'
+        required: false
+        type: string
       repo:
         description: 'Override default repo'
         required: false
diff --git a/.github/workflows/release-compose.yml b/.github/workflows/release-compose.yml
index 30e55b2f..0b593202 100644
--- a/.github/workflows/release-compose.yml
+++ b/.github/workflows/release-compose.yml
@@ -11,6 +11,10 @@ on:
         description: 'Ref (e.g. v2.15.1)'
         required: true
         type: string
+      version:
+        description: 'Override default version'
+        required: false
+        type: string
       repo:
         description: 'Override default repo'
         required: false
@@ -33,6 +37,7 @@ jobs:
       name: compose
       release: ${{ inputs.release }}
       envs: |
+        PKG_VERSION=${{ inputs.version }}
         PKG_REPO=${{ inputs.repo }}
         PKG_REF=${{ inputs.ref }}
     secrets: inherit
diff --git a/.github/workflows/release-containerd.yml b/.github/workflows/release-containerd.yml
index b42a5edc..4802f1a2 100644
--- a/.github/workflows/release-containerd.yml
+++ b/.github/workflows/release-containerd.yml
@@ -11,6 +11,10 @@ on:
         description: 'Ref (e.g. v1.6.15)'
         required: true
         type: string
+      version:
+        description: 'Override default version'
+        required: false
+        type: string
       repo:
         description: 'Override default repo'
         required: false
@@ -33,6 +37,7 @@ jobs:
       name: containerd
       release: ${{ inputs.release }}
       envs: |
+        PKG_VERSION=${{ inputs.version }}
         PKG_REPO=${{ inputs.repo }}
         PKG_REF=${{ inputs.ref }}
     secrets: inherit
diff --git a/.github/workflows/release-credential-helpers.yml b/.github/workflows/release-credential-helpers.yml
index 80c099f7..3f23b150 100644
--- a/.github/workflows/release-credential-helpers.yml
+++ b/.github/workflows/release-credential-helpers.yml
@@ -11,6 +11,10 @@ on:
         description: 'Ref (e.g. v1.7.0)'
         required: true
         type: string
+      version:
+        description: 'Override default version'
+        required: false
+        type: string
       repo:
         description: 'Override default repo'
         required: false
@@ -33,6 +37,7 @@ jobs:
       name: credential-helpers
       release: ${{ inputs.release }}
       envs: |
+        PKG_VERSION=${{ inputs.version }}
         PKG_REPO=${{ inputs.repo }}
         PKG_REF=${{ inputs.ref }}
     secrets: inherit
diff --git a/.github/workflows/release-docker-cli.yml b/.github/workflows/release-docker-cli.yml
index 014716fd..6f06deb3 100644
--- a/.github/workflows/release-docker-cli.yml
+++ b/.github/workflows/release-docker-cli.yml
@@ -11,6 +11,10 @@ on:
         description: 'Ref (e.g. v23.0.0)'
         required: true
         type: string
+      version:
+        description: 'Override default version'
+        required: false
+        type: string
       repo:
         description: 'Override default repo'
         required: false
@@ -33,6 +37,7 @@ jobs:
       name: docker-cli
       release: ${{ inputs.release }}
       envs: |
+        PKG_VERSION=${{ inputs.version }}
         PKG_REPO=${{ inputs.repo }}
         PKG_REF=${{ inputs.ref }}
     secrets: inherit
diff --git a/.github/workflows/release-docker-engine.yml b/.github/workflows/release-docker-engine.yml
index f0a35944..601274be 100644
--- a/.github/workflows/release-docker-engine.yml
+++ b/.github/workflows/release-docker-engine.yml
@@ -11,6 +11,10 @@ on:
         description: 'Ref (e.g. v23.0.0)'
         required: true
         type: string
+      version:
+        description: 'Override default version'
+        required: false
+        type: string
       repo:
         description: 'Override default repo'
         required: false
@@ -33,6 +37,7 @@ jobs:
       name: docker-engine
       release: ${{ inputs.release }}
       envs: |
+        PKG_VERSION=${{ inputs.version }}
         PKG_REPO=${{ inputs.repo }}
         PKG_REF=${{ inputs.ref }}
     secrets: inherit
diff --git a/.github/workflows/release-model.yml b/.github/workflows/release-model.yml
index 6adf5fce..ca284d7c 100644
--- a/.github/workflows/release-model.yml
+++ b/.github/workflows/release-model.yml
@@ -11,6 +11,10 @@ on:
         description: 'Ref (e.g. v0.1.30)'
         required: true
         type: string
+      version:
+        description: 'Override default version'
+        required: false
+        type: string
       repo:
         description: 'Override default repo'
         required: false
@@ -33,6 +37,7 @@ jobs:
       name: model
       release: ${{ inputs.release }}
       envs: |
+        PKG_VERSION=${{ inputs.version }}
         PKG_REPO=${{ inputs.repo }}
         PKG_REF=${{ inputs.ref }}
     secrets: inherit
diff --git a/docker-bake.hcl b/docker-bake.hcl
index f1cc6399..27a56c47 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -129,6 +129,11 @@ variable "PKG_RPM_RELEASE" {
   default = null
 }
 
+variable "PKG_VERSION" {
+  description = "Version of the package to build."
+  default = null
+}
+
 variable "NIGHTLY_BUILD" {
   description = "Set to 1 to enforce nightly build."
   default = null
@@ -491,6 +496,7 @@ target "_pkg-buildx" {
     GO_VERSION = GO_VERSION != null && GO_VERSION != "" ? GO_VERSION : "1.24.7" # https://github.com/docker/buildx/blob/0c747263ef1426f5fa217fcdb616eddf33da6c2d/Dockerfile#L3
     GO_IMAGE_VARIANT = GO_IMAGE_VARIANT != null && GO_IMAGE_VARIANT != "" ? GO_IMAGE_VARIANT : "bookworm"
     PKG_DEB_EPOCH = PKG_DEB_EPOCH != null && PKG_DEB_EPOCH != "" ? PKG_DEB_EPOCH : "5"
+    PKG_VERSION = PKG_VERSION != null ? PKG_VERSION : ""
   }
 }
 
@@ -502,6 +508,7 @@ target "_pkg-compose" {
     GO_VERSION = GO_VERSION != null && GO_VERSION != "" ? GO_VERSION : "1.23.12" # https://github.com/docker/compose/blob/c2cb0aef6bbbe1afc8c9e81267621655ac90c5f6/Dockerfile#L18
     GO_IMAGE_VARIANT = GO_IMAGE_VARIANT != null && GO_IMAGE_VARIANT != "" ? GO_IMAGE_VARIANT : "bookworm"
     PKG_DEB_EPOCH = PKG_DEB_EPOCH != null && PKG_DEB_EPOCH != "" ? PKG_DEB_EPOCH : "5"
+    PKG_VERSION = PKG_VERSION != null ? PKG_VERSION : ""
   }
 }
 
@@ -513,6 +520,7 @@ target "_pkg-containerd" {
     GO_VERSION = GO_VERSION != null && GO_VERSION != "" ? GO_VERSION : "1.24.7" # https://github.com/containerd/containerd/blame/822fb144732946f2a6f7998bfe748ed175674ade/.github/workflows/release.yml#L16
     GO_IMAGE_VARIANT = GO_IMAGE_VARIANT != null && GO_IMAGE_VARIANT != "" ? GO_IMAGE_VARIANT : "bookworm"
     PKG_DEB_EPOCH = PKG_DEB_EPOCH != null && PKG_DEB_EPOCH != "" ? PKG_DEB_EPOCH : "5"
+    PKG_VERSION = PKG_VERSION != null ? PKG_VERSION : ""
   }
 }
 
@@ -524,6 +532,7 @@ target "_pkg-credential-helpers" {
     GO_VERSION = GO_VERSION != null && GO_VERSION != "" ? GO_VERSION : "1.23.12" # https://github.com/docker/docker-credential-helpers/blob/f9d3010165b642df37215b1be945552f2c6f0e3b/Dockerfile#L3
     GO_IMAGE_VARIANT = GO_IMAGE_VARIANT != null && GO_IMAGE_VARIANT != "" ? GO_IMAGE_VARIANT : "bookworm"
     PKG_DEB_EPOCH = PKG_DEB_EPOCH != null && PKG_DEB_EPOCH != "" ? PKG_DEB_EPOCH : "5"
+    PKG_VERSION = PKG_VERSION != null ? PKG_VERSION : ""
   }
 }
 
@@ -535,6 +544,7 @@ target "_pkg-docker-cli" {
     GO_VERSION = GO_VERSION != null && GO_VERSION != "" ? GO_VERSION : "1.24.7" # https://github.com/docker/cli/blob/d16defd9e237a02e4e8b8710d9ce4a15472e60c8/Dockerfile#L11
     GO_IMAGE_VARIANT = GO_IMAGE_VARIANT != null && GO_IMAGE_VARIANT != "" ? GO_IMAGE_VARIANT : "bookworm"
     PKG_DEB_EPOCH = PKG_DEB_EPOCH != null && PKG_DEB_EPOCH != "" ? PKG_DEB_EPOCH : "5"
+    PKG_VERSION = PKG_VERSION != null ? PKG_VERSION : ""
   }
 }
 
@@ -546,6 +556,7 @@ target "_pkg-docker-engine" {
     GO_VERSION = GO_VERSION != null && GO_VERSION != "" ? GO_VERSION : "1.24.7" # https://github.com/moby/moby/blob/4b978319922166bab9116b3e60e716a62b9cf130/Dockerfile#L3
     GO_IMAGE_VARIANT = GO_IMAGE_VARIANT != null && GO_IMAGE_VARIANT != "" ? GO_IMAGE_VARIANT : "bookworm"
     PKG_DEB_EPOCH = PKG_DEB_EPOCH != null && PKG_DEB_EPOCH != "" ? PKG_DEB_EPOCH : "5"
+    PKG_VERSION = PKG_VERSION != null ? PKG_VERSION : ""
   }
 }
 
@@ -557,6 +568,7 @@ target "_pkg-model" {
     GO_VERSION = GO_VERSION != null && GO_VERSION != "" ? GO_VERSION : "1.24.7" # https://github.com/docker/model-cli/blob/301126afc8ef4b8330de56db5d2889ddbc978022/Dockerfile#L3
     GO_IMAGE_VARIANT = GO_IMAGE_VARIANT != null && GO_IMAGE_VARIANT != "" ? GO_IMAGE_VARIANT : "bookworm"
     PKG_DEB_EPOCH = PKG_DEB_EPOCH != null && PKG_DEB_EPOCH != "" ? PKG_DEB_EPOCH : "5"
+    PKG_VERSION = PKG_VERSION != null ? PKG_VERSION : ""
   }
 }
 
@@ -603,6 +615,7 @@ target "_common" {
     PKG_DEB_EPOCH = PKG_DEB_EPOCH
     PKG_RPM_BUILDFLAGS = PKG_RPM_BUILDFLAGS
     PKG_RPM_RELEASE = PKG_RPM_RELEASE
+    PKG_VERSION = PKG_VERSION
   }
 }
 
diff --git a/hack/scripts/gen-ver.sh b/hack/scripts/gen-ver.sh
index 016a25e3..e366b196 100755
--- a/hack/scripts/gen-ver.sh
+++ b/hack/scripts/gen-ver.sh
@@ -20,10 +20,15 @@ if [ -z "$srcdir" ]; then
   exit 1
 fi
 
-version=$(git -C "${srcdir}" describe --match 'v[0-9]*' --always --tags)
 commit="$(git --git-dir "${srcdir}/.git" rev-parse HEAD)"
 commitShort=${commit:0:7}
 
+if [ -n "$PKG_VERSION" ]; then
+  version="$PKG_VERSION"
+else
+  version=$(git -C "${srcdir}" describe --match 'v[0-9]*' --always --tags)
+fi
+
 # rpm "Release:" field ($rpmRelease) is used to set the "_release" macro, which
 # is an incremental number for builds of the same release (Version: / #rpmVersion).
 #
@@ -55,25 +60,27 @@ commitShort=${commit:0:7}
 # Docker 22.06.0-dev:     version=0.0.0~YYYYMMDDHHMMSS.gitHASH, release=0
 rpmRelease=1
 
-# if NIGHTLY_BUILD=1, or we have a "-dev" suffix or a commit not pointing to a
-# tag, this is a nightly build, and we'll create a pseudo version based on
-# commit-date and -sha.
-if [[ "$NIGHTLY_BUILD" == "1" ]] || [[ "$version" == *-dev ]] || [[ -z "$(git -C "${srcdir}" tag --points-at HEAD --sort -version:refname)" ]]; then
-  # based on golang's pseudo-version: https://groups.google.com/forum/#!topic/golang-dev/a5PqQuBljF4
-  #
-  # using a "pseudo-version" of the form v0.0.0-yyyymmddhhmmss-abcdefa,
-  # where the time is the commit time in UTC and the final suffix is the prefix
-  # of the commit hash. The time portion ensures that two pseudo-versions can
-  # be compared to determine which happened later, the commit hash identifes
-  # the underlying commit, and the v0.0.0- prefix identifies the pseudo-version
-  # as a pre-release before version v0.0.0, so that the go command prefers any
-  # tagged release over any pseudo-version.
-  gitUnix="$(git --git-dir "${srcdir}/.git" log -1 --pretty='%ct')"
-  gitDate="$(TZ=UTC date -u --date "@$gitUnix" +'%Y%m%d%H%M%S')"
-  # generated version is now something like 'v0.0.0-20180719213702-cd5e2db'
-  version="v0.0.0-${gitDate}-${commitShort}" # (using hyphens)
-  pkgVersion="v0.0.0~${gitDate}.${commitShort}"  # (using tilde and periods)
-  rpmRelease=0
+if [ -z "$PKG_VERSION" ]; then
+  # if NIGHTLY_BUILD=1, or we have a "-dev" suffix or a commit not pointing to a
+  # tag, this is a nightly build, and we'll create a pseudo version based on
+  # commit-date and -sha.
+  if [[ "$NIGHTLY_BUILD" == "1" ]] || [[ "$version" == *-dev ]] || [[ -z "$(git -C "${srcdir}" tag --points-at HEAD --sort -version:refname)" ]]; then
+    # based on golang's pseudo-version: https://groups.google.com/forum/#!topic/golang-dev/a5PqQuBljF4
+    #
+    # using a "pseudo-version" of the form v0.0.0-yyyymmddhhmmss-abcdefa,
+    # where the time is the commit time in UTC and the final suffix is the prefix
+    # of the commit hash. The time portion ensures that two pseudo-versions can
+    # be compared to determine which happened later, the commit hash identifes
+    # the underlying commit, and the v0.0.0- prefix identifies the pseudo-version
+    # as a pre-release before version v0.0.0, so that the go command prefers any
+    # tagged release over any pseudo-version.
+    gitUnix="$(git --git-dir "${srcdir}/.git" log -1 --pretty='%ct')"
+    gitDate="$(TZ=UTC date -u --date "@$gitUnix" +'%Y%m%d%H%M%S')"
+    # generated version is now something like 'v0.0.0-20180719213702-cd5e2db'
+    version="v0.0.0-${gitDate}-${commitShort}" # (using hyphens)
+    pkgVersion="v0.0.0~${gitDate}.${commitShort}"  # (using tilde and periods)
+    rpmRelease=0
+  fi
 fi
 
 # deb and rpm packages require a tilde (~) instead of a hyphen (-) as separator
diff --git a/pkg/buildx/Dockerfile b/pkg/buildx/Dockerfile
index 04304d54..3b40bb5c 100644
--- a/pkg/buildx/Dockerfile
+++ b/pkg/buildx/Dockerfile
@@ -62,6 +62,7 @@ RUN --mount=from=src,source=/src,target=/buildx \
 FROM src-base AS metadata-builder
 ARG PKG_REPO
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 RUN --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
     --mount=type=bind,from=src,source=/src,target=/src <<EOT
@@ -107,6 +108,7 @@ ARG PKG_PACKAGER
 ARG PKG_DEB_BUILDFLAGS
 ARG PKG_DEB_REVISION
 ARG PKG_DEB_EPOCH
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-deb-build.sh,target=/usr/local/bin/pkg-deb-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -144,6 +146,7 @@ ARG PKG_REF
 ARG PKG_PACKAGER
 ARG PKG_RPM_BUILDFLAGS
 ARG PKG_RPM_RELEASE
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-rpm-build.sh,target=/usr/local/bin/pkg-rpm-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -167,6 +170,7 @@ ENV CGO_ENABLED="0"
 ARG NIGHTLY_BUILD
 ARG PKG_NAME
 ARG PKG_REF
+ARG PKG_VERSION
 WORKDIR /build
 ARG TARGETPLATFORM
 RUN --mount=type=bind,source=scripts/pkg-static-build.sh,target=/usr/local/bin/pkg-static-build \
diff --git a/pkg/compose/Dockerfile b/pkg/compose/Dockerfile
index b352c45c..a6bf621b 100644
--- a/pkg/compose/Dockerfile
+++ b/pkg/compose/Dockerfile
@@ -65,6 +65,7 @@ RUN --mount=from=src,source=/src,target=/compose \
 FROM src-base AS metadata-builder
 ARG PKG_REPO
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 RUN --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
     --mount=type=bind,from=src,source=/src,target=/src <<EOT
@@ -110,6 +111,7 @@ ARG PKG_PACKAGER
 ARG PKG_DEB_BUILDFLAGS
 ARG PKG_DEB_REVISION
 ARG PKG_DEB_EPOCH
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-deb-build.sh,target=/usr/local/bin/pkg-deb-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -147,6 +149,7 @@ ARG PKG_REF
 ARG PKG_PACKAGER
 ARG PKG_RPM_BUILDFLAGS
 ARG PKG_RPM_RELEASE
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-rpm-build.sh,target=/usr/local/bin/pkg-rpm-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -170,6 +173,7 @@ ENV GO111MODULE="on"
 ENV CGO_ENABLED="0"
 ARG PKG_NAME
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 WORKDIR /build
 # download dependencies before "ARG TARGETPLATFORM" otherwise it will be cached
diff --git a/pkg/containerd/Dockerfile b/pkg/containerd/Dockerfile
index fe5e6413..05503c98 100644
--- a/pkg/containerd/Dockerfile
+++ b/pkg/containerd/Dockerfile
@@ -119,6 +119,7 @@ EOT
 FROM src-base AS metadata-builder
 ARG PKG_REPO
 ARG PKG_REF
+ARG PKG_VERSION
 ARG RUNC_REPO
 ARG RUNC_REF
 ARG RUNHCS_REPO
@@ -138,6 +139,7 @@ REPO=${PKG_REPO%.*}
 REF=${PKG_REF}
 VERSION=${GENVER_VERSION}
 COMMIT=${GENVER_COMMIT}
+PKG_VERSION=${PKG_VERSION}
 EOF
   [ -z "$RUNC_REF" ] && RUNC_REF=$(cat /src/script/setup/runc-version)
   for l in $(gen-ver "/runc-src"); do
@@ -190,6 +192,7 @@ ARG PKG_PACKAGER
 ARG PKG_DEB_BUILDFLAGS
 ARG PKG_DEB_REVISION
 ARG PKG_DEB_EPOCH
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-deb-build.sh,target=/usr/local/bin/pkg-deb-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -229,6 +232,7 @@ ARG PKG_REF
 ARG PKG_PACKAGER
 ARG PKG_RPM_BUILDFLAGS
 ARG PKG_RPM_RELEASE
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-rpm-build.sh,target=/usr/local/bin/pkg-rpm-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -255,6 +259,7 @@ ENV GO111MODULE="on"
 ENV CGO_ENABLED="1"
 ARG PKG_NAME
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 ARG RUNC_REF
 WORKDIR /build
diff --git a/pkg/credential-helpers/Dockerfile b/pkg/credential-helpers/Dockerfile
index 9719ed35..3ff86eac 100644
--- a/pkg/credential-helpers/Dockerfile
+++ b/pkg/credential-helpers/Dockerfile
@@ -66,6 +66,7 @@ RUN --mount=from=src,source=/src,target=/docker-credential-helpers \
 FROM src-base AS metadata-builder
 ARG PKG_REPO
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 RUN --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
     --mount=type=bind,from=src,source=/src,target=/src <<EOT
@@ -110,6 +111,7 @@ ARG PKG_PACKAGER
 ARG PKG_DEB_BUILDFLAGS
 ARG PKG_DEB_REVISION
 ARG PKG_DEB_EPOCH
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-deb-build.sh,target=/usr/local/bin/pkg-deb-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -146,6 +148,7 @@ ARG PKG_REF
 ARG PKG_PACKAGER
 ARG PKG_RPM_BUILDFLAGS
 ARG PKG_RPM_RELEASE
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-rpm-build.sh,target=/usr/local/bin/pkg-rpm-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -169,6 +172,7 @@ ENV GO111MODULE="on"
 ENV CGO_ENABLED="1"
 ARG PKG_NAME
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 WORKDIR /build
 ARG TARGETPLATFORM
@@ -195,6 +199,7 @@ ENV GO111MODULE="on"
 ENV CGO_ENABLED="1"
 ARG PKG_NAME
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 WORKDIR /build
 ARG TARGETPLATFORM
diff --git a/pkg/docker-cli/Dockerfile b/pkg/docker-cli/Dockerfile
index 72eab837..96d3e840 100644
--- a/pkg/docker-cli/Dockerfile
+++ b/pkg/docker-cli/Dockerfile
@@ -68,6 +68,7 @@ RUN --mount=from=src,source=/src,target=/cli \
 FROM src-base AS metadata-builder
 ARG PKG_REPO
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 RUN --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
     --mount=type=bind,from=src,source=/src,target=/src <<EOT
@@ -123,6 +124,7 @@ ARG PKG_PACKAGER
 ARG PKG_DEB_BUILDFLAGS
 ARG PKG_DEB_REVISION
 ARG PKG_DEB_EPOCH
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-deb-build.sh,target=/usr/local/bin/pkg-deb-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -159,6 +161,7 @@ ARG PKG_REF
 ARG PKG_PACKAGER
 ARG PKG_RPM_BUILDFLAGS
 ARG PKG_RPM_RELEASE
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-rpm-build.sh,target=/usr/local/bin/pkg-rpm-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -190,6 +193,7 @@ ARG DEBIAN_FRONTEND
 RUN apt-get install -y --no-install-recommends dpkg-dev clang lld llvm make pkg-config
 ARG PKG_NAME
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 WORKDIR /build
 ARG TARGETPLATFORM
@@ -210,6 +214,7 @@ ARG DEBIAN_FRONTEND
 RUN apt-get install -y --no-install-recommends dpkg-dev clang lld llvm make pkg-config
 ARG PKG_NAME
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 WORKDIR /build
 ARG TARGETPLATFORM
diff --git a/pkg/docker-engine/Dockerfile b/pkg/docker-engine/Dockerfile
index 5ad6d9e0..913c1586 100644
--- a/pkg/docker-engine/Dockerfile
+++ b/pkg/docker-engine/Dockerfile
@@ -65,6 +65,7 @@ RUN --mount=from=src,source=/src,target=/engine \
 FROM src-base AS metadata-builder
 ARG PKG_REPO
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 RUN --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
     --mount=type=bind,from=src,source=/src,target=/src <<EOT
@@ -121,6 +122,7 @@ ARG PKG_PACKAGER
 ARG PKG_DEB_BUILDFLAGS
 ARG PKG_DEB_REVISION
 ARG PKG_DEB_EPOCH
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-deb-build.sh,target=/usr/local/bin/pkg-deb-build \
     --mount=type=bind,source=scripts/check-gomod.sh,target=/usr/local/bin/check-gomod \
@@ -160,6 +162,7 @@ ARG PKG_REF
 ARG PKG_PACKAGER
 ARG PKG_RPM_BUILDFLAGS
 ARG PKG_RPM_RELEASE
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-rpm-build.sh,target=/usr/local/bin/pkg-rpm-build \
     --mount=type=bind,source=scripts/check-gomod.sh,target=/usr/local/bin/check-gomod \
@@ -193,6 +196,7 @@ ARG DEBIAN_FRONTEND
 RUN apt-get install -y --no-install-recommends clang cmake gcc libc6-dev lld llvm make pkg-config
 ARG PKG_NAME
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 WORKDIR /build
 ARG TARGETPLATFORM
diff --git a/pkg/model/Dockerfile b/pkg/model/Dockerfile
index 041cd157..52cca849 100644
--- a/pkg/model/Dockerfile
+++ b/pkg/model/Dockerfile
@@ -62,6 +62,7 @@ RUN --mount=from=src,source=/src,target=/model \
 FROM src-base AS metadata-builder
 ARG PKG_REPO
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 RUN --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
     --mount=type=bind,from=src,source=/src,target=/src <<EOT
@@ -107,6 +108,7 @@ ARG PKG_PACKAGER
 ARG PKG_DEB_BUILDFLAGS
 ARG PKG_DEB_REVISION
 ARG PKG_DEB_EPOCH
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-deb-build.sh,target=/usr/local/bin/pkg-deb-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -142,6 +144,7 @@ ARG PKG_REF
 ARG PKG_PACKAGER
 ARG PKG_RPM_BUILDFLAGS
 ARG PKG_RPM_RELEASE
+ARG PKG_VERSION
 ARG SOURCE_DATE_EPOCH
 RUN --mount=type=bind,source=scripts/pkg-rpm-build.sh,target=/usr/local/bin/pkg-rpm-build \
     --mount=type=bind,from=scripts,source=gen-ver.sh,target=/usr/local/bin/gen-ver \
@@ -164,6 +167,7 @@ ENV GO111MODULE="on"
 ENV CGO_ENABLED="0"
 ARG PKG_NAME
 ARG PKG_REF
+ARG PKG_VERSION
 ARG NIGHTLY_BUILD
 WORKDIR /build
 ARG TARGETPLATFORM

From d41fab7a137132f86bcb5f8ae61d2cca68bbc576 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Gronowski?= <pawel.gronowski@docker.com>
Date: Wed, 17 Sep 2025 13:01:39 +0200
Subject: [PATCH 2/2] Verify version
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
 pkg/buildx/verify.Dockerfile             | 37 ++++++++++++--
 pkg/compose/verify.Dockerfile            | 37 ++++++++++++--
 pkg/containerd/verify.Dockerfile         | 37 ++++++++++++--
 pkg/credential-helpers/verify.Dockerfile | 64 +++++++++++++++++++++---
 pkg/docker-cli/verify.Dockerfile         | 37 ++++++++++++--
 pkg/docker-engine/verify.Dockerfile      | 37 ++++++++++++--
 pkg/model/verify.Dockerfile              | 37 ++++++++++++--
 7 files changed, 261 insertions(+), 25 deletions(-)

diff --git a/pkg/buildx/verify.Dockerfile b/pkg/buildx/verify.Dockerfile
index bb781a5d..9c61b878 100644
--- a/pkg/buildx/verify.Dockerfile
+++ b/pkg/buildx/verify.Dockerfile
@@ -15,6 +15,7 @@
 # limitations under the License.
 
 ARG XX_VERSION="1.6.1"
+ARG PKG_VERSION
 
 ARG DISTRO_TYPE="deb"
 ARG DISTRO_IMAGE="debian:bookworm"
@@ -34,6 +35,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -53,7 +55,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  /usr/libexec/docker/cli-plugins/docker-buildx version
+  actual_version=$(/usr/libexec/docker/cli-plugins/docker-buildx version | awk '{print $2}' | sed 's/^v//')
+  echo "Detected version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Version verification passed"
+  fi
 EOT
 
 FROM base AS verify-rpm
@@ -62,6 +73,7 @@ ARG DISTRO_NAME
 ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
+ARG PKG_VERSION
 RUN --mount=type=bind,from=scripts,source=verify-rpm-init.sh,target=/usr/local/bin/verify-rpm-init \
   verify-rpm-init $DISTRO_NAME
 ARG TARGETPLATFORM
@@ -84,7 +96,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  /usr/libexec/docker/cli-plugins/docker-buildx version
+  actual_version=$(/usr/libexec/docker/cli-plugins/docker-buildx version | awk '{print $2}' | sed 's/^v//')
+  echo "Detected version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Version verification passed"
+  fi
 EOT
 
 FROM base AS verify-static
@@ -94,6 +115,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -112,7 +134,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  docker-buildx version
+  actual_version=$(docker-buildx version | awk '{print $2}' | sed 's/^v//')
+  echo "Detected version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Version verification passed"
+  fi
 EOT
 
 FROM verify-${DISTRO_TYPE}
diff --git a/pkg/compose/verify.Dockerfile b/pkg/compose/verify.Dockerfile
index 3cd9cd4c..96762bcd 100644
--- a/pkg/compose/verify.Dockerfile
+++ b/pkg/compose/verify.Dockerfile
@@ -15,6 +15,7 @@
 # limitations under the License.
 
 ARG XX_VERSION="1.6.1"
+ARG PKG_VERSION
 
 ARG DISTRO_TYPE="deb"
 ARG DISTRO_IMAGE="debian:bookworm"
@@ -34,6 +35,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -53,7 +55,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  /usr/libexec/docker/cli-plugins/docker-compose version
+  actual_version=$(/usr/libexec/docker/cli-plugins/docker-compose version | awk '{print $NF}' | sed 's/^v//')
+  echo "Detected version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Version verification passed"
+  fi
 EOT
 
 FROM base AS verify-rpm
@@ -62,6 +73,7 @@ ARG DISTRO_NAME
 ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
+ARG PKG_VERSION
 RUN --mount=type=bind,from=scripts,source=verify-rpm-init.sh,target=/usr/local/bin/verify-rpm-init \
   verify-rpm-init $DISTRO_NAME
 ARG TARGETPLATFORM
@@ -84,7 +96,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  /usr/libexec/docker/cli-plugins/docker-compose version
+  actual_version=$(/usr/libexec/docker/cli-plugins/docker-compose version | awk '{print $NF}' | sed 's/^v//')
+  echo "Detected version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Version verification passed"
+  fi
 EOT
 
 FROM base AS verify-static
@@ -94,6 +115,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -112,7 +134,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  docker-compose version
+  actual_version=$(docker-compose version | awk '{print $NF}' | sed 's/^v//')
+  echo "Detected version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Version verification passed"
+  fi
 EOT
 
 FROM verify-${DISTRO_TYPE}
diff --git a/pkg/containerd/verify.Dockerfile b/pkg/containerd/verify.Dockerfile
index 8f5be029..f789abb1 100644
--- a/pkg/containerd/verify.Dockerfile
+++ b/pkg/containerd/verify.Dockerfile
@@ -15,6 +15,7 @@
 # limitations under the License.
 
 ARG XX_VERSION="1.6.1"
+ARG PKG_VERSION
 
 ARG DISTRO_TYPE="deb"
 ARG DISTRO_IMAGE="debian:bookworm"
@@ -34,6 +35,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -54,8 +56,17 @@ RUN --mount=from=bin,target=/build <<EOT
   done
   set -x
   runc --version
-  containerd --version
+  actual_version=$(containerd --version | sed 's/containerd containerd.io //' | cut -d' ' -f1)
+  echo "Detected containerd version: $actual_version"
   containerd-shim-runc-v2 -v
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Containerd version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Containerd version verification passed"
+  fi
 EOT
 
 FROM base AS verify-rpm
@@ -64,6 +75,7 @@ ARG DISTRO_NAME
 ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
+ARG PKG_VERSION
 RUN --mount=type=bind,from=scripts,source=verify-rpm-init.sh,target=/usr/local/bin/verify-rpm-init \
   verify-rpm-init $DISTRO_NAME
 ARG TARGETPLATFORM
@@ -87,8 +99,17 @@ RUN --mount=from=bin,target=/build <<EOT
   done
   set -x
   runc --version
-  containerd --version
+  actual_version=$(containerd --version | sed 's/containerd containerd.io //' | cut -d' ' -f1)
+  echo "Detected containerd version: $actual_version"
   containerd-shim-runc-v2 -v
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Containerd version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Containerd version verification passed"
+  fi
 EOT
 
 FROM base AS verify-static
@@ -98,6 +119,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -117,8 +139,17 @@ RUN --mount=from=bin,target=/build <<EOT
   done
   set -x
   runc --version
-  containerd --version
+  actual_version=$(containerd --version | sed 's/containerd containerd.io //' | cut -d' ' -f1)
+  echo "Detected containerd version: $actual_version"
   containerd-shim-runc-v2 -v
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Containerd version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Containerd version verification passed"
+  fi
 EOT
 
 FROM verify-${DISTRO_TYPE}
diff --git a/pkg/credential-helpers/verify.Dockerfile b/pkg/credential-helpers/verify.Dockerfile
index ebf516a9..14e3d004 100644
--- a/pkg/credential-helpers/verify.Dockerfile
+++ b/pkg/credential-helpers/verify.Dockerfile
@@ -15,6 +15,7 @@
 # limitations under the License.
 
 ARG XX_VERSION="1.6.1"
+ARG PKG_VERSION
 
 ARG DISTRO_TYPE="deb"
 ARG DISTRO_IMAGE="debian:bookworm"
@@ -34,6 +35,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -53,8 +55,22 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  docker-credential-pass version
-  docker-credential-secretservice version
+  pass_version=$(docker-credential-pass version)
+  secretservice_version=$(docker-credential-secretservice version)
+  echo "Detected docker-credential-pass version: $pass_version"
+  echo "Detected docker-credential-secretservice version: $secretservice_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$pass_version" != "$expected_version" ]; then
+      echo "ERROR: docker-credential-pass version mismatch! Expected: $expected_version, Got: $pass_version"
+      exit 1
+    fi
+    if [ "$secretservice_version" != "$expected_version" ]; then
+      echo "ERROR: docker-credential-secretservice version mismatch! Expected: $expected_version, Got: $secretservice_version"
+      exit 1
+    fi
+    echo "SUCCESS: Credential helpers version verification passed"
+  fi
 EOT
 
 FROM base AS verify-rpm
@@ -63,6 +79,7 @@ ARG DISTRO_NAME
 ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
+ARG PKG_VERSION
 RUN --mount=type=bind,from=scripts,source=verify-rpm-init.sh,target=/usr/local/bin/verify-rpm-init \
   verify-rpm-init $DISTRO_NAME
 ARG TARGETPLATFORM
@@ -92,12 +109,30 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  docker-credential-secretservice version
+  secretservice_version=$(docker-credential-secretservice version)
+  echo "Detected docker-credential-secretservice version: $secretservice_version"
   case "$DISTRO_NAME" in
     # FIXME: skip pass credential helper smoke test for some distros
-    centos9|centos10|oraclelinux9|rhel*) ;;
-    *) docker-credential-pass version ;;
+    centos9|centos10|oraclelinux9|rhel*) 
+      pass_version=""
+      ;;
+    *) 
+      pass_version=$(docker-credential-pass version)
+      echo "Detected docker-credential-pass version: $pass_version"
+      ;;
   esac
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$secretservice_version" != "$expected_version" ]; then
+      echo "ERROR: docker-credential-secretservice version mismatch! Expected: $expected_version, Got: $secretservice_version"
+      exit 1
+    fi
+    if [ -n "$pass_version" ] && [ "$pass_version" != "$expected_version" ]; then
+      echo "ERROR: docker-credential-pass version mismatch! Expected: $expected_version, Got: $pass_version"
+      exit 1
+    fi
+    echo "SUCCESS: Credential helpers version verification passed"
+  fi
 EOT
 
 FROM base AS verify-static
@@ -107,6 +142,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -125,8 +161,22 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  docker-credential-pass version
-  docker-credential-secretservice version
+  pass_version=$(docker-credential-pass version)
+  secretservice_version=$(docker-credential-secretservice version)
+  echo "Detected docker-credential-pass version: $pass_version"
+  echo "Detected docker-credential-secretservice version: $secretservice_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$pass_version" != "$expected_version" ]; then
+      echo "ERROR: docker-credential-pass version mismatch! Expected: $expected_version, Got: $pass_version"
+      exit 1
+    fi
+    if [ "$secretservice_version" != "$expected_version" ]; then
+      echo "ERROR: docker-credential-secretservice version mismatch! Expected: $expected_version, Got: $secretservice_version"
+      exit 1
+    fi
+    echo "SUCCESS: Credential helpers version verification passed"
+  fi
 EOT
 
 FROM verify-${DISTRO_TYPE}
diff --git a/pkg/docker-cli/verify.Dockerfile b/pkg/docker-cli/verify.Dockerfile
index 2d2f6242..14c6e0b3 100644
--- a/pkg/docker-cli/verify.Dockerfile
+++ b/pkg/docker-cli/verify.Dockerfile
@@ -15,6 +15,7 @@
 # limitations under the License.
 
 ARG XX_VERSION="1.6.1"
+ARG PKG_VERSION
 
 ARG DISTRO_TYPE="deb"
 ARG DISTRO_IMAGE="debian:bookworm"
@@ -34,6 +35,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -53,7 +55,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  docker --version
+  actual_version=$(docker --version | awk '{print $3}' | cut -d',' -f1)
+  echo "Detected docker CLI version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Docker CLI version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Docker CLI version verification passed"
+  fi
 EOT
 
 FROM base AS verify-rpm
@@ -62,6 +73,7 @@ ARG DISTRO_NAME
 ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
+ARG PKG_VERSION
 RUN --mount=type=bind,from=scripts,source=verify-rpm-init.sh,target=/usr/local/bin/verify-rpm-init \
   verify-rpm-init $DISTRO_NAME
 ARG TARGETPLATFORM
@@ -84,7 +96,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  docker --version
+  actual_version=$(docker --version | awk '{print $3}' | cut -d',' -f1)
+  echo "Detected docker CLI version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Docker CLI version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Docker CLI version verification passed"
+  fi
 EOT
 
 FROM base AS verify-static
@@ -94,6 +115,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -112,7 +134,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  docker --version
+  actual_version=$(docker --version | awk '{print $3}' | cut -d',' -f1)
+  echo "Detected docker CLI version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Docker CLI version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Docker CLI version verification passed"
+  fi
 EOT
 
 FROM verify-${DISTRO_TYPE}
diff --git a/pkg/docker-engine/verify.Dockerfile b/pkg/docker-engine/verify.Dockerfile
index 3bceaaa8..f3cd3801 100644
--- a/pkg/docker-engine/verify.Dockerfile
+++ b/pkg/docker-engine/verify.Dockerfile
@@ -15,6 +15,7 @@
 # limitations under the License.
 
 ARG XX_VERSION="1.6.1"
+ARG PKG_VERSION
 
 ARG DISTRO_TYPE="deb"
 ARG DISTRO_IMAGE="debian:bookworm"
@@ -33,6 +34,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -52,7 +54,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  dockerd --version
+  actual_version=$(dockerd --version | awk '{print $3}' | cut -d',' -f1)
+  echo "Detected dockerd version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Dockerd version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Dockerd version verification passed"
+  fi
 EOT
 
 FROM base AS verify-rpm
@@ -61,6 +72,7 @@ ARG DISTRO_NAME
 ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
+ARG PKG_VERSION
 RUN --mount=type=bind,from=scripts,source=verify-rpm-init.sh,target=/usr/local/bin/verify-rpm-init \
   verify-rpm-init $DISTRO_NAME
 ARG TARGETPLATFORM
@@ -83,7 +95,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  dockerd --version
+  actual_version=$(dockerd --version | awk '{print $3}' | cut -d',' -f1)
+  echo "Detected dockerd version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Dockerd version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Dockerd version verification passed"
+  fi
 EOT
 
 FROM base AS verify-static
@@ -93,6 +114,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -111,7 +133,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  dockerd --version
+  actual_version=$(dockerd --version | awk '{print $3}' | cut -d',' -f1)
+  echo "Detected dockerd version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Dockerd version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Dockerd version verification passed"
+  fi
 EOT
 
 FROM verify-${DISTRO_TYPE}
diff --git a/pkg/model/verify.Dockerfile b/pkg/model/verify.Dockerfile
index 955f7718..952a52d2 100644
--- a/pkg/model/verify.Dockerfile
+++ b/pkg/model/verify.Dockerfile
@@ -15,6 +15,7 @@
 # limitations under the License.
 
 ARG XX_VERSION="1.6.1"
+ARG PKG_VERSION
 
 ARG DISTRO_TYPE="deb"
 ARG DISTRO_IMAGE="debian:bookworm"
@@ -34,6 +35,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -53,7 +55,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  /usr/libexec/docker/cli-plugins/docker-model version
+  actual_version=$(/usr/libexec/docker/cli-plugins/docker-model version | grep -o 'v[0-9][^[:space:]]*' | head -1 | sed 's/^v//')
+  echo "Detected docker-model version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Docker model version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Docker model version verification passed"
+  fi
 EOT
 
 FROM base AS verify-rpm
@@ -62,6 +73,7 @@ ARG DISTRO_NAME
 ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
+ARG PKG_VERSION
 RUN --mount=type=bind,from=scripts,source=verify-rpm-init.sh,target=/usr/local/bin/verify-rpm-init \
   verify-rpm-init $DISTRO_NAME
 ARG TARGETPLATFORM
@@ -84,7 +96,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  /usr/libexec/docker/cli-plugins/docker-model version
+  actual_version=$(/usr/libexec/docker/cli-plugins/docker-model version | grep -o 'v[0-9][^[:space:]]*' | head -1 | sed 's/^v//')
+  echo "Detected docker-model version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Docker model version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Docker model version verification passed"
+  fi
 EOT
 
 FROM base AS verify-static
@@ -94,6 +115,7 @@ ARG DISTRO_RELEASE
 ARG DISTRO_ID
 ARG DISTRO_SUITE
 ARG TARGETPLATFORM
+ARG PKG_VERSION
 RUN --mount=from=bin,target=/build <<EOT
   set -e
   targetplatform=$(xx-info os)_$(xx-info arch)
@@ -112,7 +134,16 @@ RUN --mount=from=bin,target=/build <<EOT
     )
   done
   set -x
-  docker-model version
+  actual_version=$(docker-model version | grep -o 'v[0-9][^[:space:]]*' | head -1 | sed 's/^v//')
+  echo "Detected docker-model version: $actual_version"
+  if [ -n "$PKG_VERSION" ]; then
+    expected_version=$(echo "$PKG_VERSION" | sed 's/^v//')
+    if [ "$actual_version" != "$expected_version" ]; then
+      echo "ERROR: Docker model version mismatch! Expected: $expected_version, Got: $actual_version"
+      exit 1
+    fi
+    echo "SUCCESS: Docker model version verification passed"
+  fi
 EOT
 
 FROM verify-${DISTRO_TYPE}