🔒️ Add sha384sum checks for 1.8.6 installation steps (#1922)

Author: shnizzedy

.github/Dockerfiles/AFNI.23.0.07-bionic.Dockerfile

@@ -3,37 +3,39 @@ USER root
 
 # install AFNI
 COPY dev/docker_data/required_afni_pkgs.txt /opt/required_afni_pkgs.txt
-RUN if [ -f /usr/lib/x86_64-linux-gnu/mesa/libGL.so.1.2.0]; then \
+COPY dev/docker_data/checksum/AFNI.23.0.07.sha384 /tmp/AFNI.23.0.07.sha384
+RUN if [ -f /usr/lib/x86_64-linux-gnu/mesa/libGL.so.1.2.0 ]; then \
         ln -svf /usr/lib/x86_64-linux-gnu/mesa/libGL.so.1.2.0 /usr/lib/x86_64-linux-gnu/libGL.so.1; \
-    fi && \
-    libs_path=/usr/lib/x86_64-linux-gnu && \
-    if [ -f $libs_path/libgsl.so.23 ]; then \
-        ln -svf $libs_path/libgsl.so.23 $libs_path/libgsl.so.19 && \
-        ln -svf $libs_path/libgsl.so.23 $libs_path/libgsl.so.0; \
+    fi \
+    && libs_path=/usr/lib/x86_64-linux-gnu \
+    && if [ -f $libs_path/libgsl.so.23 ]; then \
+        ln -svf $libs_path/libgsl.so.23 $libs_path/libgsl.so.19 \
+    &&  ln -svf $libs_path/libgsl.so.23 $libs_path/libgsl.so.0; \
     elif [ -f $libs_path/libgsl.so.23.0.0 ]; then \
-        ln -svf $libs_path/libgsl.so.23.0.0 $libs_path/libgsl.so.19 && \
-        ln -svf $libs_path/libgsl.so.23.0.0 $libs_path/libgsl.so.0; \
+       ln -svf $libs_path/libgsl.so.23.0.0 $libs_path/libgsl.so.19 \
+    &&  ln -svf $libs_path/libgsl.so.23.0.0 $libs_path/libgsl.so.0; \
     elif [ -f $libs_path/libgsl.so ]; then \
         ln -svf $libs_path/libgsl.so $libs_path/libgsl.so.0; \
-    fi && \
-    LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH && \
-    export LD_LIBRARY_PATH && \
-    apt-get update && apt-get install -y libglw1-mesa-dev && \
-    AFNI_VERSION="23.0.07" && \
-    curl -LOJ https://github.com/afni/afni/archive/AFNI_${AFNI_VERSION}.tar.gz && \
-    mkdir /opt/afni && \
-    tar -xvf afni-AFNI_${AFNI_VERSION}.tar.gz -C /opt/afni --strip-components 1 && \
-    rm -rf afni-AFNI_${AFNI_VERSION}.tar.gz && \
-    cd /opt/afni/src && \
-    sed '/^INSTALLDIR =/c INSTALLDIR = /opt/afni' Makefile.linux_ubuntu_16_64 > Makefile && \
-    make vastness && make cleanest && \
-    cd /opt/afni && \
+    fi \
+    && LD_LIBRARY_PATH=/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH \
+    && export LD_LIBRARY_PATH \
+    && apt-get update && apt-get install -y libglw1-mesa-dev \
+    && AFNI_VERSION="23.0.07" \
+    && curl -LOJ https://github.com/afni/afni/archive/AFNI_${AFNI_VERSION}.tar.gz \
+    && sha384sum --check /tmp/AFNI.23.0.07.sha384 \
+    && mkdir /opt/afni \
+    && tar -xvf afni-AFNI_${AFNI_VERSION}.tar.gz -C /opt/afni --strip-components 1 \
+    && rm -rf afni-AFNI_${AFNI_VERSION}.tar.gz \
+    && cd /opt/afni/src \
+    && sed '/^INSTALLDIR =/c INSTALLDIR = /opt/afni' Makefile.linux_ubuntu_16_64 > Makefile \
+    && make vastness && make cleanest \
+    && cd /opt/afni \
     # filter down to required packages
-    ls > full_ls && \
-    sed 's/linux_openmp_64\///g' /opt/required_afni_pkgs.txt | sort > required_ls && \
-    comm -2 -3 full_ls required_ls | xargs rm -rf full_ls required_ls && \
-    apt-get remove -y libglw1-mesa-dev && \
-    ldconfig
+    ls > full_ls \
+    && sed 's/linux_openmp_64\///g' /opt/required_afni_pkgs.txt | sort > required_ls \
+    && comm -2 -3 full_ls required_ls | xargs rm -rf full_ls required_ls \
+    && apt-get remove -y libglw1-mesa-dev \
+    && ldconfig
 
 # set up AFNI
 ENV PATH=/opt/afni:$PATH
@@ -43,9 +45,9 @@ ENTRYPOINT ["/bin/bash"]
 # Link libraries for Singularity images
 RUN ldconfig
 
-RUN apt-get clean && \
-    apt-get autoremove -y && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+RUN apt-get clean \
+    && apt-get autoremove -y \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 FROM scratch
 LABEL org.opencontainers.image.description "NOT INTENDED FOR USE OTHER THAN AS A STAGE IMAGE IN A MULTI-STAGE BUILD \

.github/Dockerfiles/ANTs.2.4.3.Python3.10-bionic.Dockerfile

@@ -1,14 +1,14 @@
 FROM ghcr.io/fcp-indi/c-pac/ubuntu:python3.10-bionic-non-free as ANTs
 
 USER root
+COPY dev/docker_data/checksum/ANTs.2.4.3.sha384 /tmp/checksum.sha384
 RUN curl -sL https://github.com/ANTsX/ANTs/releases/download/v2.4.3/ants-2.4.3-ubuntu-18.04-X64-gcc.zip -o /tmp/ANTs.zip \
+  && curl -sL https://s3-eu-west-1.amazonaws.com/pfigshare-u-files/3133832/Oasis.zip -o /tmp/Oasis.zip \
+  && sha384sum --check /tmp/checksum.sha384 \
   && unzip /tmp/ANTs.zip -d /tmp \
   && mkdir /usr/lib/ants \
   && mv /tmp/ants-2.4.3/* /usr/lib/ants \
-  && curl -fsSL --retry 5 https://dl.dropbox.com/s/gwf51ykkk5bifyj/ants-Linux-centos6_x86_64-v2.3.4.tar.gz \
-    | tar -xz -C /usr/lib/ants --strip-components 1 \
   && mkdir /ants_template \
-  && curl -sL https://s3-eu-west-1.amazonaws.com/pfigshare-u-files/3133832/Oasis.zip -o /tmp/Oasis.zip \
   && unzip /tmp/Oasis.zip -d /tmp \
   && mv /tmp/MICCAI2012-Multi-Atlas-Challenge-Data /ants_template/oasis
 

.github/Dockerfiles/FSL.6.0.6.4-Python3.10-bionic.Dockerfile

@@ -31,33 +31,26 @@ ENV FSLDIR=/usr/share/fsl/6.0 \
     TZ=America/New_York
 
 # Installing and setting up FSL
+COPY dev/docker_data/checksum/FSL.6.0.6.4.sha384 /tmp/checksum.sha384
 RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime \
     &&  echo $TZ > /etc/timezone \
     && apt-get update \
     && apt-get install -y tclsh wish \
     && echo "Downloading FSL ..." \
     && mkdir -p /usr/share/fsl/6.0 \
-    && curl -sSL --retry 5 https://fsl.fmrib.ox.ac.uk/fsldownloads/fsl-6.0.4-centos6_64.tar.gz \
-    | tar zx -C /usr/share/fsl/6.0 --strip-components=1 \
+    && curl -sSL --retry 5 https://fsl.fmrib.ox.ac.uk/fsldownloads/fsl-6.0.4-centos6_64.tar.gz -o /tmp/fsl.tar.gz \
+    && sha384sum --check /tmp/checksum.sha384 \
+    && tar zx -C /usr/share/fsl/6.0 --strip-components=1 \
     --exclude=fsl/bin/mist \
     --exclude=fsl/bin/possum \
     --exclude=fsl/data/possum \
     --exclude=fsl/data/mist \
-    --exclude=fsl/data/first \
+    --exclude=fsl/data/first -f /tmp/fsl.tar.gz \
     && ln -s /usr/share/fsl/6.0 /usr/share/fsl/5.0 \
     && if [ -f /usr/lib/x86_64-linux-gnu/mesa/libGL.so.1.2.0]; then \
         ln -svf /usr/lib/x86_64-linux-gnu/mesa/libGL.so.1.2.0 /usr/lib/x86_64-linux-gnu/libGL.so.1; \
     fi \
-    && ldconfig \
-    && curl -sL http://fcon_1000.projects.nitrc.org/indi/cpac_resources.tar.gz -o /tmp/cpac_resources.tar.gz \
-    && tar xfz /tmp/cpac_resources.tar.gz -C /tmp \
-    && cp -n /tmp/cpac_image_resources/MNI_3mm/* $FSLDIR/data/standard \
-    && cp -n /tmp/cpac_image_resources/MNI_4mm/* $FSLDIR/data/standard \
-    && cp -n /tmp/cpac_image_resources/symmetric/* $FSLDIR/data/standard \
-    && cp -n /tmp/cpac_image_resources/HarvardOxford-lateral-ventricles-thr25-2mm.nii.gz $FSLDIR/data/atlases/HarvardOxford \
-    && cp -nr /tmp/cpac_image_resources/tissuepriors/2mm $FSLDIR/data/standard/tissuepriors \
-    && cp -nr /tmp/cpac_image_resources/tissuepriors/3mm $FSLDIR/data/standard/tissuepriors \
-    && chmod -R ugo+r $FSLDIR/data/standard
+    && ldconfig
 
 ENTRYPOINT ["/bin/bash"]
 

.github/Dockerfiles/FSL.data.Dockerfile

@@ -3,8 +3,10 @@ FROM ghcr.io/fcp-indi/c-pac/ubuntu:bionic-non-free AS FSL
 USER root
 
 # install CPAC resources into FSL
+COPY dev/docker_data/checksum/FSL.data.sha384 /tmp/checksum.sha384
 RUN mkdir -p /fsl_data/atlases/HarvordOxford fsl_data/standard/tissuepriors \
     && curl -sL http://fcon_1000.projects.nitrc.org/indi/cpac_resources.tar.gz -o /tmp/cpac_resources.tar.gz \
+    && sha384sum --check /tmp/checksum.sha384 \
     && tar xfz /tmp/cpac_resources.tar.gz -C /tmp \
     && cp -n /tmp/cpac_image_resources/MNI_3mm/* /fsl_data/standard \
     && cp -n /tmp/cpac_image_resources/MNI_4mm/* /fsl_data/standard \

.github/Dockerfiles/ICA-AROMA.0.4.4-beta-bionic.Dockerfile

@@ -2,9 +2,12 @@ FROM ghcr.io/fcp-indi/c-pac/ubuntu:bionic-non-free AS ICA-AROMA
 USER root
 
 # install ICA-AROMA
-RUN mkdir -p /opt/ICA-AROMA
-RUN curl -sL https://github.com/rhr-pruim/ICA-AROMA/archive/v0.4.4-beta.tar.gz | tar -xzC /opt/ICA-AROMA --strip-components 1
-RUN chmod +x /opt/ICA-AROMA/ICA_AROMA.py
+COPY dev/docker_data/checksum/ICA-AROMA.0.4.4.sha384 /tmp/checksum.sha384
+RUN mkdir -p /opt/ICA-AROMA \
+    && curl -sL https://github.com/rhr-pruim/ICA-AROMA/archive/v0.4.4-beta.tar.gz -o /tmp/ICA-AROMA.tar.gz \
+    && sha384sum --check /tmp/checksum.sha384 \
+    && tar -xzC /opt/ICA-AROMA --strip-components 1 -f /tmp/ICA-AROMA.tar.gz \
+    && chmod +x /opt/ICA-AROMA/ICA_AROMA.py
 ENV PATH=/opt/ICA-AROMA:$PATH
 
 ENTRYPOINT ["/bin/bash"]

.github/Dockerfiles/Ubuntu.Python3.10-bionic-non-free.Dockerfile

@@ -124,13 +124,19 @@ RUN apt-get update \
 
 # install Python dependencies
 COPY requirements.txt /opt/requirements.txt
-RUN curl -sS https://bootstrap.pypa.io/get-pip.py | python3.10 \
+COPY dev/docker_data/get-pip_23.0.1.py /tmp/get-pip.py
+COPY dev/docker_data/github_git-lfs.list /etc/apt/sources.list.d/github_git-lfs.list
+COPY dev/docker_data/checksum/Python3.10-bionic.sha384 /tmp/checksum.sha384
+RUN python3.10 /tmp/get-pip.py \
     && pip install --upgrade pip setuptools \
     && pip install -r /opt/requirements.txt \
     # install git-lfs
-    && curl -s https://packagecloud.io/install/repositories/github/git-lfs/script.deb.sh | bash \
+    && curl -fsSL https://packagecloud.io/github/git-lfs/gpgkey | gpg --dearmor > /etc/apt/trusted.gpg.d/github_git-lfs-archive-keyring.gpg \
+    && sha384sum --check /tmp/checksum.sha384 \
+    && apt-get update \
     && apt-get install -y --no-install-recommends git-lfs \
-    && git lfs install
+    && git lfs install \
+    && rm /tmp/get-pip.py /tmp/checksum.sha384
 
 COPY --from=c-pac_templates /cpac_templates /cpac_templates
 COPY --from=dcan-hcp /opt/dcan-tools/pipeline/global /opt/dcan-tools/pipeline/global
@@ -148,5 +154,5 @@ RUN ldconfig && \
     apt-get autoremove -y && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# # set user
+# Set user
 USER c-pac_user

.github/Dockerfiles/base-lite.Dockerfile

@@ -16,6 +16,7 @@
 # License along with C-PAC. If not, see <https://www.gnu.org/licenses/>.
 FROM ghcr.io/fcp-indi/c-pac/afni:23.0.07-bionic as AFNI
 FROM ghcr.io/fcp-indi/c-pac/ants:2.4.3.python3.10-bionic as ANTs
+FROM ghcr.io/fcp-indi/c-pac/c3d:1.0.0-bionic as c3d
 FROM ghcr.io/fcp-indi/c-pac/connectome-workbench:1.5.0.neurodebian-bionic as connectome-workbench
 FROM ghcr.io/fcp-indi/c-pac/fsl:6.0.6.4-python3.10-bionic as FSL
 FROM ghcr.io/fcp-indi/c-pac/ica-aroma:0.4.4-beta-bionic as ICA-AROMA
@@ -43,14 +44,12 @@ ENV POSSUMDIR=${FSLDIR}/6.0 \
     PATH=${FSLDIR}/bin:$PATH
 COPY --from=FSL /usr/bin/tclsh /usr/bin/tclsh
 COPY --from=FSL /usr/bin/wish /usr/bin/wish
-COPY --from=FSL /usr/share/fsl /usr/share/fsl
+COPY --from=FSL /usr/share/fsl/ /usr/share/fsl/
 COPY --from=FSL /lib/x86_64-linux-gnu/lib*so* /lib/x86_64-linux-gnu/
 
 # Installing and setting up c3d
-RUN mkdir -p /opt/c3d && \
-    curl -sSL "http://downloads.sourceforge.net/project/c3d/c3d/1.0.0/c3d-1.0.0-Linux-x86_64.tar.gz" \
-    | tar -xzC /opt/c3d --strip-components 1
-ENV C3DPATH /opt/c3d
+COPY --from=c3d /opt/c3d/ opt/c3d/
+ENV C3DPATH /opt/c3d/
 ENV PATH $C3DPATH/bin:$PATH
 
 # Installing AFNI

.github/Dockerfiles/c3d.1.0.0-bionic.Dockerfile

@@ -2,9 +2,11 @@ FROM ghcr.io/fcp-indi/c-pac/ubuntu:bionic-non-free as c3d
 USER root
 
 # Installing and setting up c3d
+COPY dev/docker_data/checksum/c3d.1.0.0.sha384 /tmp/checksum.sha384
 RUN mkdir -p /opt/c3d && \
-    curl -sSL "http://downloads.sourceforge.net/project/c3d/c3d/1.0.0/c3d-1.0.0-Linux-x86_64.tar.gz" \
-    | tar -xzC /opt/c3d --strip-components 1
+    curl -sSL "http://downloads.sourceforge.net/project/c3d/c3d/1.0.0/c3d-1.0.0-Linux-x86_64.tar.gz" -o /tmp/c3d.tar.gz \
+    && sha384sum --check /tmp/checksum.sha384 \
+    && tar -xzC /opt/c3d --strip-components 1 -f /tmp/c3d.tar.gz
 ENV C3DPATH /opt/c3d/
 ENV PATH $C3DPATH/bin:$PATH
 

.github/Dockerfiles/connectome-workbench.1.5.0.neurodebian-bionic.Dockerfile

@@ -2,7 +2,9 @@ FROM ghcr.io/fcp-indi/c-pac/ubuntu:python3.10-bionic-non-free as base
 
 USER root
 
+COPY dev/docker_data/checksum/connectome-workbench.1.5.0.sha384 /tmp/checksum.sha384
 RUN curl -sSL "https://www.humanconnectome.org/storage/app/media/workbench/workbench-linux64-v1.5.0.zip" -o /opt/workbench.zip \
+  && sha384sum --check /tmp/checksum.sha384 \
   && unzip /opt/workbench.zip -d /opt \
   && rm -rf /opt/workbench.zip
 ENV PATH $PATH:/opt/workbench/bin_linux64

.github/Dockerfiles/msm.2.0-bionic.Dockerfile

@@ -3,32 +3,34 @@ FROM neurodebian:bionic-non-free as MSM
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
       curl \
-      libexpat1-dev && \
-    apt-get autoremove -y && \
-    apt-get autoclean -y
+      libexpat1-dev \
+    && apt-get autoremove -y \
+    && apt-get autoclean -y
 
 #---------------------
 # Install MSM Binaries
 #---------------------
-RUN mkdir /opt/msm
-RUN curl -ksSL --retry 5 https://www.doc.ic.ac.uk/~ecr05/MSM_HOCR_v2/MSM_HOCR_v2-download.tgz | tar zx -C /opt
-RUN mv /opt/homes/ecr05/MSM_HOCR_v2/* /opt/msm/
-RUN rm -rf /opt/homes /opt/msm/MacOSX /opt/msm/Centos
-RUN chmod +x /opt/msm/Ubuntu/*
-ENV MSMBINDIR=/opt/msm/Ubuntu \
-    PATH=$PATH:/opt/msm/Ubuntu
+COPY dev/docker_data/checksum/msm.2.0.sha384 /tmp/checksum.sha384
+RUN mkdir /opt/msm \
+    && curl -ksSL --retry 5 https://www.doc.ic.ac.uk/~ecr05/MSM_HOCR_v2/MSM_HOCR_v2-download.tgz -o msm.tgz \
+    && sha384sum --check /tmp/checksum.sha384 \
+    && tar zx -C /opt -f msm.tgz \
+    && mv /opt/homes/ecr05/MSM_HOCR_v2/* /opt/msm/ \
+    && rm -rf /opt/homes /opt/msm/MacOSX /opt/msm/Centos \
+    && chmod +x /opt/msm/Ubuntu/* \
+    && MSMBINDIR=/opt/msm/Ubuntu \
+       PATH=$PATH:/opt/msm/Ubuntu
 
 ENTRYPOINT ["/bin/bash"]
 
 # Link libraries for Singularity images
-RUN ldconfig
-
-RUN apt-get clean && \
-    apt-get autoremove -y && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+RUN ldconfig \
+    && apt-get clean \
+    && apt-get autoremove -y \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 FROM scratch
 LABEL org.opencontainers.image.description "NOT INTENDED FOR USE OTHER THAN AS A STAGE IMAGE IN A MULTI-STAGE BUILD \