
Commit 14a1f5e

authored
Sig checksum validation (#20)
* ✨ added terraform pgp signature * 🐳 added signature and checksum validation * 🔥 removed unnecessary exclusion in dockerignore * 🐳 updated shasum validation on debian dockerfile, updated readme * 🐳 fixed terraform shasum validation in alpine dockerfile * 🐳 removed leftover env var * 🐳 reordered packages for clarity, move no install recommend flag to install command for debian * 🐳 updated debian dockerfile sha validation to match the alpine one
1 parent 0a5de63 commit 14a1f5e


5 files changed

+59
-12
lines changed


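--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1,4 @@
 # explicitely exclude all files from the build context
 # (each file needed in the Dockefile need to be included manually)
 *
+!hashicorp.asc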

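--- a/README.md
+++ b/README.md
@@ -31,8 +31,8 @@ This image gives you the flexibility to be used for development or as a base ima
 ## What's inside ?
 Tools included:
 
-* [Azure CLI](https://azure.microsoft.com), see available version on the [pip repository](https://pypi.org/project/azure-cli/)
-* [Terraform CLI](https://www.terraform.io/), see available versions on the [project release page](https://github.com/hashicorp/terraform/releases)
+* [Azure CLI](https://docs.microsoft.com/cli/azure/?view=azure-cli-latest), see available version on the [pip repository](https://pypi.org/project/azure-cli/)
+* [Terraform CLI](https://www.terraform.io/docs/commands/index.html), see available versions on the [project release page](https://github.com/hashicorp/terraform/releases)
 
 <p align="center">
 <a href="https://azure.microsoft.com"><img width="200" src="https://github.com/Zenika/terraform-azure-cli/raw/master/resources/azure-logo.png"></a>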

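--- a/alpine.Dockerfile
+++ b/alpine.Dockerfile
@@ -8,9 +8,15 @@ ARG TERRAFORM_VERSION
 RUN apk update
 RUN apk add curl=7.64.0-r1
 RUN apk add unzip=6.0-r4
-RUN curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o terraform-${TERRAFORM_VERSION}.zip
-# FIXME: validate terraform signature & checksum
-RUN unzip -j terraform-${TERRAFORM_VERSION}.zip
+RUN apk add gnupg=2.2.12-r0
+RUN curl -Os https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS
+RUN curl -Os https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip
+RUN curl -Os https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig
+COPY hashicorp.asc hashicorp.asc
+RUN gpg --import hashicorp.asc
+RUN gpg --verify terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig terraform_${TERRAFORM_VERSION}_SHA256SUMS
+RUN grep terraform_${TERRAFORM_VERSION}_linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS | sha256sum -c -
+RUN unzip -j terraform_${TERRAFORM_VERSION}_linux_amd64.zip
 
 # Install az CLI using PIP
 FROM alpine:3.9.4 as azure-cli
@@ -28,7 +34,10 @@ RUN pip3 install azure-cli==${AZURE_CLI_VERSION}
 
 # Build final image
 FROM alpine:3.9.4
-RUN apk --no-cache add python3=3.6.8-r2 bash=4.4.19-r1 ca-certificates=20190108-r0 \
+RUN apk --no-cache add \
+bash=4.4.19-r1 \
+ca-certificates=20190108-r0 \
+python3=3.6.8-r2 \
 && ln -s /usr/bin/python3 /usr/bin/python
 COPY --from=terraform /terraform /usr/bin/terraform
 COPY --from=azure-cli /usr/bin/az* /usr/bin/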
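Review bot: The signature check in the first hunk only proves that the SHA256SUMS file was signed by whatever key `hashicorp.asc` currently contains; nothing pins that key's fingerprint, so a swapped or mistakenly updated key file in the build context would still pass `gpg --verify`, which exits 0 for a valid signature from an untrusted key. Pin the expected fingerprint right after the import, e.g. `RUN gpg --import hashicorp.asc && gpg --with-colons --fingerprint | grep -q '^fpr:.*:<EXPECTED_HASHICORP_FINGERPRINT>:$'` with the value taken from HashiCorp's published security page rather than from the repository copy. The three `curl -Os` lines should also get `-f`, so an HTTP error body is never saved under the artifact name and the failure surfaces at download time instead of at verification. The `grep … | sha256sum -c -` line already fails on an empty grep result, but hadolint DL4006 will flag the pipe unless a `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` directive precedes it. The same points apply to the first hunk of debian.Dockerfile.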

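--- a/debian.Dockerfile
+++ b/debian.Dockerfile
@@ -8,9 +8,15 @@ ARG TERRAFORM_VERSION
 RUN apt-get update
 RUN apt-get install -y curl=7.52.1-5+deb9u9
 RUN apt-get install -y unzip=6.0-21+deb9u1
-RUN curl -sSL https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip -o terraform-${TERRAFORM_VERSION}.zip
-# FIXME: validate terraform signature & checksum
-RUN unzip -j terraform-${TERRAFORM_VERSION}.zip
+RUN apt-get install -y gnupg=2.1.18-8~deb9u4
+RUN curl -Os https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS
+RUN curl -Os https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip
+RUN curl -Os https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig
+COPY hashicorp.asc hashicorp.asc
+RUN gpg --import hashicorp.asc
+RUN gpg --verify terraform_${TERRAFORM_VERSION}_SHA256SUMS.sig terraform_${TERRAFORM_VERSION}_SHA256SUMS
+RUN grep terraform_${TERRAFORM_VERSION}_linux_amd64.zip terraform_${TERRAFORM_VERSION}_SHA256SUMS | sha256sum -c -
+RUN unzip -j terraform_${TERRAFORM_VERSION}_linux_amd64.zip
 
 # Install az CLI using PIP
 FROM debian:stretch-20190506-slim as azure-cli-pip
@@ -26,9 +32,10 @@ RUN pip3 install cryptography==2.6.1
 
 # Build final image
 FROM debian:stretch-20190506-slim
-RUN apt-get update --no-install-recommends \
-# TODO: Handle potential download issue when adding multiples packages with APT
-&& apt-get install -y python3=3.5.3-1 ca-certificates=20161130+nmu1+deb9u1 \
+RUN apt-get update \
+&& apt-get install -y --no-install-recommends \
+ca-certificates=20161130+nmu1+deb9u1 \
+python3=3.5.3-1 \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* \
 && ln -s /usr/bin/python3 /usr/bin/python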
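Review bot: The new `RUN apt-get install -y gnupg=2.1.18-8~deb9u4` in the first hunk pulls in gnupg's recommended packages, while the final stage in the second hunk was deliberately changed to pass `--no-install-recommends`; the builder stage should use the same flag, `RUN apt-get install -y --no-install-recommends gnupg=2.1.18-8~deb9u4`, for consistency and a smaller build stage. The `apt-get update` on its own layer above it is pre-existing context, but because that layer is cached independently, the pinned gnupg version on the new line is resolved against a possibly stale package index and may fail to install once the archive moves on; combining update and install in one `RUN` (as the second hunk now does) avoids that.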

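--- /dev/null
+++ b/hashicorp.asc
@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
+W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
+fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
+3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
+KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
+SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
+cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
+CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
+Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
+SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
+psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
+sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
+klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
+WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
+wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
+2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
+skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
+mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
+0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
+CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
+z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
+0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
+unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
+EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
+oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
+=LYpS
+-----END PGP PUBLIC KEY BLOCK-----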
