Also check sha256 checksums

Dockerfile

@@ -1,6 +1,6 @@
 FROM debian
 
-# TODO(hkjn): Use hkjn/arch as base.
+# TODO(hkjn): Use alpine as base.
 
 MAINTAINER Henrik Jonsson <me@hkjn.me>
 
@@ -9,7 +9,7 @@ ENV LANG C.UTF-8
 ENV RELEASE_FILE tor-browser-linux64-${TOR_VERSION}_ALL.tar.xz
 ENV RELEASE_KEY 0x4E2C6E8793298290
 ENV CHECKSUMS_FILE sha256sums-unsigned-build.txt
-ENV CHECKSUMS_URL https://dist.torproject.org/torbrowser/${TOR_VERSION}/${CHECKSUMS_FILE}
+
 ENV RELEASE_URL https://dist.torproject.org/torbrowser/${TOR_VERSION}/${RELEASE_FILE}
 
 RUN apt-get update && \
@@ -29,7 +29,8 @@ RUN useradd --create-home --home-dir $HOME user && \
     chown -R user:user $HOME
 
 WORKDIR /usr/local/bin
-# TODO(hkjn): Actually check ${CHECKSUMS_FILE}.asc against release binary.
+
+COPY $CHECKSUMS_FILE .
 RUN gpg --keyserver pgp.mit.edu --recv-keys $RELEASE_KEY
 RUN curl --fail -O -sSL ${RELEASE_URL} && \
     curl --fail -O -sSL ${RELEASE_URL}.asc && \
@@ -37,6 +38,7 @@ RUN curl --fail -O -sSL ${RELEASE_URL} && \
     curl --fail -O -sSL ${CHECKSUMS_URL}.asc && \
     gpg --verify ${RELEASE_FILE}.asc && \
     gpg --verify ${CHECKSUMS_FILE}.asc && \
+    sha256sum -c sha256sums-unsigned-build.txt && \
     tar --strip-components=1 -vxJf ${RELEASE_FILE} && \
     rm -v ${RELEASE_FILE}*