Conversation
There was a problem hiding this comment.
Pull request overview
Adds a pinned SHA-256 checksum validation step for the downloaded mc (MinIO client) binary in the Docker image to improve supply-chain integrity/reproducibility.
Changes:
- Introduce
MC_SUMbuild argument with expected SHA-256 formc - Add
sha256sum -cvalidation before markingmcexecutable
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Dockerfile
Outdated
| @@ -1,9 +1,14 @@ | |||
| FROM cypress/base:16 | |||
There was a problem hiding this comment.
based on:
we additionally need to be validating base package.
additionally link out to a "final" form of utilizing dp.apps.rancher.io of our goal, but this as an intermediate step
| FROM cypress/base:16 | |
| # TODO: https://github.com/harvester/tests/issues/2540 | |
| # this is cypress/base:16 | |
| FROM cypress/base@sha256:f4d5f616e83ee6f37913ea18bc1bc4f483bd49b3d7353d04a555af034087b9ff |
There was a problem hiding this comment.
Good catch.
| @@ -1,9 +1,14 @@ | |||
| FROM cypress/base:16 | |||
|
|
|||
| ARG MC_SUM=01f866e9c5f9b87c2b09116fa5d7c06695b106242d829a8bb32990c00312e891 | |||
There was a problem hiding this comment.
can we add a comment to reference the minio version?
additionally I believe double quotes need to wrap the arg
additionally we should be making sure it's not "latest".
| ARG MC_SUM=01f866e9c5f9b87c2b09116fa5d7c06695b106242d829a8bb32990c00312e891 | |
| # checksum from https://dl.min.io/aistor/mc/release/linux-amd64/mc.RELEASE.2026-03-12T04-18-55Z.sha256sum | |
| # for minio client version: mc.RELEASE.2026-03-12T04-18-55Z | |
| ARG MC_SUM="c9500a16f76884f6a1ac60cda91afd7efdf8b5acda43d6ae8b07579ff91500cf" |
There was a problem hiding this comment.
Good catch. I'll do that.
There was a problem hiding this comment.
Although I don't think we need to quote the checksum according to this. We'll check the main repo with a jenkins test run first to verify that it's working in general before merging.
There was a problem hiding this comment.
yeah sounds good if we don't have to wrap double quotes around it & it parses it correctly that's awesome 😄
Dockerfile
Outdated
| RUN apt-get update | ||
| RUN apt-get install -y git | ||
|
|
||
| ADD https://dl.min.io/client/mc/release/linux-amd64/mc /usr/local/bin/mc |
There was a problem hiding this comment.
not latest, but we need a specific version, pinning versions for "everything"
| ADD https://dl.min.io/client/mc/release/linux-amd64/mc /usr/local/bin/mc | |
| # this is for version minio mc: mc.RELEASE.2026-03-12T04-18-55Z | |
| # this is for version mino mc from: https://dl.min.io/aistor/mc/release/linux-amd64/mc.RELEASE.2026-03-12T04-18-55Z | |
| ADD https://dl.min.io/aistor/mc/release/linux-amd64/mc.RELEASE.2026-03-12T04-18-55Z /usr/local/bin/mc |
Dockerfile
Outdated
|
|
||
| ADD https://dl.min.io/client/mc/release/linux-amd64/mc /usr/local/bin/mc | ||
| # This runs the checksum and won't add the executable if the checksum doesn't match | ||
| RUN echo "${!MC_SUM} /usr/local/bin/mc" | sha256sum -c \ |
There was a problem hiding this comment.
| RUN echo "${!MC_SUM} /usr/local/bin/mc" | sha256sum -c \ | |
| RUN echo "${MC_SUM} /usr/local/bin/mc" | sha256sum -c \ |
removing space
noahgildersleeve
force-pushed
the
checksum-fix
branch
2 times, most recently
from
14c0dc4 to
0472c26
Compare
Signed-off-by: Noah Gildersleeve <noah.gildersleeve@suse.com> fixed syntax Signed-off-by: Noah Gildersleeve <noah.gildersleeve@suse.com> fixed a bad bash substitution Signed-off-by: Noah Gildersleeve <noah.gildersleeve@suse.com> removed dupe chmod command Signed-off-by: Noah Gildersleeve <noah.gildersleeve@suse.com> fixed typo Signed-off-by: Noah Gildersleeve <noah.gildersleeve@suse.com>
noahgildersleeve
force-pushed
the
checksum-fix
branch
from
0472c26 to
14903ce
Compare
| ADD https://dl.min.io/client/mc/release/linux-amd64/mc /usr/local/bin/mc | ||
| RUN chmod +x /usr/local/bin/mc | ||
| # Validate the downloaded binary and abort the build if the checksum doesn't match | ||
| RUN echo "${MC_SUM} /usr/local/bin/mc" | sha256sum -c \ |
There was a problem hiding this comment.
same as, #56 (comment)
removing that space
Signed-off-by: Noah Gildersleeve <noah.gildersleeve@suse.com>
fixed syntax
Which issue(s) this PR fixes:
What this PR does / why we need it:
This will pin the checksum for mc
Test Result - fixed the following test cases: