Also check sha256 checksums

Dockerfile

@@ -1,6 +1,6 @@
 FROM debian
 
-# TODO(hkjn): Use hkjn/arch as base.
+# TODO(hkjn): Use alpine as base.
 
 MAINTAINER Henrik Jonsson <me@hkjn.me>
 
@@ -9,7 +9,7 @@ ENV LANG C.UTF-8
 ENV RELEASE_FILE tor-browser-linux64-${TOR_VERSION}_ALL.tar.xz
 ENV RELEASE_KEY 0x4E2C6E8793298290
 ENV CHECKSUMS_FILE sha256sums-unsigned-build.txt
-ENV CHECKSUMS_URL https://dist.torproject.org/torbrowser/${TOR_VERSION}/${CHECKSUMS_FILE}
+
 ENV RELEASE_URL https://dist.torproject.org/torbrowser/${TOR_VERSION}/${RELEASE_FILE}
 
 RUN apt-get update && \
@@ -29,7 +29,8 @@ RUN useradd --create-home --home-dir $HOME user && \
     chown -R user:user $HOME
 
 WORKDIR /usr/local/bin
-# TODO(hkjn): Actually check ${CHECKSUMS_FILE}.asc against release binary.
+
+COPY $CHECKSUMS_FILE .
 RUN gpg --keyserver pgp.mit.edu --recv-keys $RELEASE_KEY
 RUN curl --fail -O -sSL ${RELEASE_URL} && \
     curl --fail -O -sSL ${RELEASE_URL}.asc && \
@@ -37,6 +38,7 @@ RUN curl --fail -O -sSL ${RELEASE_URL} && \
     curl --fail -O -sSL ${CHECKSUMS_URL}.asc && \
     gpg --verify ${RELEASE_FILE}.asc && \
     gpg --verify ${CHECKSUMS_FILE}.asc && \
+    sha256sum -c sha256sums-unsigned-build.txt && \
     tar --strip-components=1 -vxJf ${RELEASE_FILE} && \
     rm -v ${RELEASE_FILE}*
 

sha256sums-unsigned-build.txt

@@ -0,0 +1,5 @@
+cbafa67fa269e8fa658c1ae3b3cd4d83bc8ce4dc8ee15c32fe5154588b69f5e7  mar-tools-linux64.zip
+f53501217dc5bd567927015974d9e51d41c0d17d04d17e9a40e2d78b5d118f28  tor-browser-linux64-6.0a4-hardened_ALL.mar
+f5224c78c3f0da2df4286a6e33a4afec3339a9d6848ff9b6480a42214b8bed8c  tor-browser-linux64-6.0a4-hardened_ALL.tar.xz
+f45addbb1b1f0a824cd6baa9bb07860e41f099771ebba2b62f9dbbffc784d6a8  tor-browser-linux64-debug.zip
+243534e2b0c5f57094cc2b3aee0c399b71c9ccedc1cd949813299490bdfc7c2f  tor-linux64-debug.zip