
feat(security): verify integrity of helper binaries#35

Merged
eve-rf merged 4 commits into rapidfort:main from pfarikrispy:pfarikrispy-checksums
Jan 23, 2026

Conversation

@pfarikrispy
Contributor

  • sort apk add packages for readability
  • verify SHA256 checksums of ECR helper binaries
  • verify checksums of GCR helper archives

Ideally, I would move the installing of these helpers into their own layer(s) and simply add another COPY --from=helpers to the final phase. This increases parallelism during builds, improves caching (maybe) and cleans up the final phase, making it easier to read. But that can be another PR later ;)

When using `curl` to pull in assets, you should always verify available checksums before using the assets to help protect against supply chain compromises.
Use the SHA256 checksums for the ECR binary to verify their integrity and harden the supply chain
Sort apk pkgs and correct line continuation
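The download-then-verify pattern the commits above apply to the ECR and GCR helpers, written out as an added example (not code from the rapidfort PR itself): a POSIX shell function that checks a fetched file against a pinned SHA256 and discards it on mismatch, plus a `curl` wrapper that can be used in a Dockerfile `RUN` step. The function names, the `demo` helper and the sample content/hash are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the rapidfort PR. Names and sample data are constructed.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only if FILE's SHA-256 equals EXPECTED_HEX. On mismatch the file is
# removed so a later build step cannot accidentally use a tampered download.
verify_sha256() {
    file="$1"
    expected="$2"
    # sha256sum -c reads "<hash>  <path>" lines; the two spaces are required.
    if printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1; then
        return 0
    fi
    echo "checksum mismatch for $file, discarding it" >&2
    rm -f "$file"
    return 1
}

# fetch_verified URL DEST EXPECTED_HEX
# --fail turns HTTP errors into a non-zero exit instead of saving an error page;
# --location follows redirects. The download is only kept if the hash matches.
fetch_verified() {
    url="$1"; dest="$2"; expected="$3"
    curl --fail --location --silent --show-error -o "$dest" "$url" || return 1
    verify_sha256 "$dest" "$expected"
}

# Constructed sample standing in for a helper binary with a pinned hash:
# SHA-256 of the bytes "hello\n".
SAMPLE_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# demo: genuine content verifies; appended bytes fail and the file is removed.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_sha256 "$tmp" "$SAMPLE_SHA256" || return 1
    printf 'tampered\n' >> "$tmp"
    if verify_sha256 "$tmp" "$SAMPLE_SHA256"; then return 1; fi
    [ ! -e "$tmp" ]
}
```

In a Dockerfile the same check is one `RUN` line per helper; a mismatch fails the build rather than leaving an unverified binary in the image.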
@eve-rf eve-rf merged commit d10069e into rapidfort:main Jan 23, 2026
18 of 20 checks passed
@eve-rf
Contributor

eve-rf commented Jan 23, 2026

Thank you for the PR! Approved and merged.
