
Commit d10069e

authored
Merge pull request #35 from pfarikrispy/pfarikrispy-checksums
feat(security): verify integrity of helper binaries
2 parents ca32adc + 10a8590 commit d10069e


1 file changed

+45
-14
lines changed

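--- a/Dockerfile.buildah
+++ b/Dockerfile.buildah
@@ -54,7 +54,9 @@ RUN apk update && apk add gnutls
 
 # Install runtime dependencies for Buildah
 RUN apk add --no-cache \
+aardvark-dns \
 bash \
+buildah \
 ca-certificates \
 crun \
 curl \
@@ -63,16 +65,14 @@ RUN apk add --no-cache \
 gpgme \
 iptables \
 ip6tables \
+jq \
 libseccomp \
+netavark \
 ostree \
 shadow \
 shadow-uidmap \
 slirp4netns \
-netavark \
-aardvark-dns \
-xz \
-jq \
-buildah && \
+xz && \
 update-ca-certificates && \
 chmod u+s /usr/bin/newuidmap /usr/bin/newgidmap
 
@@ -110,26 +110,57 @@ COPY configs/buildah/containers.conf /home/${KIMIA_USER}/.config/containers/cont
 # =============================================================================
 
 # AWS ECR credential helper
-RUN ECR_VERSION=$(curl -s https://api.github.com/repos/awslabs/amazon-ecr-credential-helper/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/^v//') && \
+RUN ECR_VERSION=$(curl -fsSL https://api.github.com/repos/awslabs/amazon-ecr-credential-helper/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/^v//') && \
 ARCH=$(case ${TARGETARCH} in \
 "amd64") echo "amd64" ;; \
 "arm64") echo "arm64" ;; \
 *) echo "amd64" ;; \
 esac) && \
-curl -fsSL "https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_VERSION}/linux-${ARCH}/docker-credential-ecr-login" \
--o /usr/local/bin/docker-credential-ecr-login && \
-chmod +x /usr/local/bin/docker-credential-ecr-login
+# Define file names and URLs
+BINARY_NAME="docker-credential-ecr-login" && \
+CHECKSUM_NAME="${BINARY_NAME}.sha256" && \
+DOWNLOAD_URL="https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_VERSION}/linux-${ARCH}" && \
+\
+# Download binary and checksum to current directory
+curl -fsSL -O "${DOWNLOAD_URL}/${BINARY_NAME}" && \
+curl -fsSL -O "${DOWNLOAD_URL}/${CHECKSUM_NAME}" && \
+\
+# Verify Integrity directly using the provided file
+sha256sum -c "${CHECKSUM_NAME}" && \
+\
+# Install
+mv "${BINARY_NAME}" /usr/local/bin/docker-credential-ecr-login && \
+chmod +x /usr/local/bin/docker-credential-ecr-login && \
+\
+# Cleanup
+rm "${CHECKSUM_NAME}"
 
 # Google GCR/GAR credential helper
-RUN GCR_VERSION=$(curl -s https://api.github.com/repos/GoogleCloudPlatform/docker-credential-gcr/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/^v//') && \
+RUN GCR_VERSION=$(curl -fsSL https://api.github.com/repos/GoogleCloudPlatform/docker-credential-gcr/releases/latest | grep '"tag_name"' | cut -d'"' -f4 | sed 's/^v//') && \
 ARCH=$(case ${TARGETARCH} in \
 "amd64") echo "amd64" ;; \
 "arm64") echo "arm64" ;; \
 *) echo "amd64" ;; \
 esac) && \
-curl -fsSL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${GCR_VERSION}/docker-credential-gcr_linux_${ARCH}-${GCR_VERSION}.tar.gz" \
-| tar xz -C /usr/local/bin/ docker-credential-gcr && \
-chmod +x /usr/local/bin/docker-credential-gcr
+# Define file names and URLs
+BINARY_ARCHIVE="docker-credential-gcr_linux_${ARCH}-${GCR_VERSION}.tar.gz" && \
+CHECKSUMS_FILE="checksums.txt" && \
+RELEASE_URL="https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${GCR_VERSION}" && \
+\
+# Download binary and checksums
+curl -fsSL -O "${RELEASE_URL}/${BINARY_ARCHIVE}" && \
+curl -fsSL -O "${RELEASE_URL}/${CHECKSUMS_FILE}" && \
+\
+# Verify Integrity: Grep the specific file hash and pipe to sha256sum
+# Using '-c -' reads the hash/filename pair from standard input
+grep "${BINARY_ARCHIVE}" "${CHECKSUMS_FILE}" | sha256sum -c - && \
+\
+# Extract and Install
+tar -xzf "${BINARY_ARCHIVE}" -C /usr/local/bin/ docker-credential-gcr && \
+chmod +x /usr/local/bin/docker-credential-gcr && \
+\
+# Cleanup artifacts to keep layer minimal
+rm "${BINARY_ARCHIVE}" "${CHECKSUMS_FILE}"
 
 # =============================================================================
 # Environment Configuration
@@ -187,4 +218,4 @@ LABEL org.opencontainers.image.licenses="Apache-2.0"
 ENTRYPOINT ["/usr/local/bin/kimia"]
 
 # Default command shows help
-CMD ["--help"]
+CMD ["--help"]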
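Review bot: The checksum files verified in the ECR and GCR steps of the `@@ -110,26 +110,57 @@` hunk (`sha256sum -c "${CHECKSUM_NAME}"` and `grep "${BINARY_ARCHIVE}" "${CHECKSUMS_FILE}" | sha256sum -c -`) are downloaded from the same origin as the binaries in the same step, so the check defends against truncated or corrupted transfers but not against a substituted artifact, and because both versions are still resolved from `releases/latest` at build time the image is not reproducible either. Pinning the version (`ARG ECR_VERSION=<pinned-version>`, likewise for GCR) would let the expected digest for each `TARGETARCH` be recorded in the Dockerfile and checked with `echo "${EXPECTED_SHA256}  ${BINARY_NAME}" | sha256sum -c -`, which is what turns a download-integrity check into a trust anchor the build itself controls; a comment on each step saying which of the two properties the current check provides would also help the next maintainer. In the GCR step the `grep … | sha256sum -c -` pipeline runs under the default shell without pipefail, and since the base is Alpine the `sha256sum` is busybox's, so confirm that an unmatched grep (empty stdin) still fails the build rather than passing silently; anchoring the match, `grep " ${BINARY_ARCHIVE}$" "${CHECKSUMS_FILE}" | sha256sum -c -`, also avoids picking up similarly named entries in `checksums.txt`. The new `curl -O` calls write into whichever working directory is current here, which is set outside the hunk; if that is the user's home, a failed step leaves partial downloads behind, so a dedicated `WORKDIR /tmp` (or similar) before these steps is worth considering.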
