From 9e6dfaf40bcfb29aa0c05d71d859f1999b093472 Mon Sep 17 00:00:00 2001
From: Henrik Jonsson
Date: Sun, 10 Apr 2016 17:27:48 +0200
Subject: [PATCH 1/3] Also check sha256 checksums
---
 Dockerfile | 8 +++++---
 sha256sums-unsigned-build.txt | 5 +++++
 2 files changed, 10 insertions(+), 3 deletions(-)
 create mode 100644 sha256sums-unsigned-build.txt
diff --git a/Dockerfile b/Dockerfile
index 90dbf13..9fea53a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 FROM debian
-# TODO(hkjn): Use hkjn/arch as base.
+# TODO(hkjn): Use alpine as base.
 MAINTAINER Henrik Jonsson
@@ -9,7 +9,7 @@ ENV LANG C.UTF-8
 ENV RELEASE_FILE tor-browser-linux64-${TOR_VERSION}_ALL.tar.xz
 ENV RELEASE_KEY 0x4E2C6E8793298290
 ENV CHECKSUMS_FILE sha256sums-unsigned-build.txt
-ENV CHECKSUMS_URL https://dist.torproject.org/torbrowser/${TOR_VERSION}/${CHECKSUMS_FILE}
+
 ENV RELEASE_URL https://dist.torproject.org/torbrowser/${TOR_VERSION}/${RELEASE_FILE}
 RUN apt-get update && \
@@ -29,7 +29,8 @@ RUN useradd --create-home --home-dir $HOME user && \
 chown -R user:user $HOME
 WORKDIR /usr/local/bin
-# TODO(hkjn): Actually check ${CHECKSUMS_FILE}.asc against release binary.
+
+COPY $CHECKSUMS_FILE .
 RUN gpg --keyserver pgp.mit.edu --recv-keys $RELEASE_KEY
 RUN curl --fail -O -sSL ${RELEASE_URL} && \
 curl --fail -O -sSL ${RELEASE_URL}.asc && \
@@ -37,6 +38,7 @@ RUN curl --fail -O -sSL ${RELEASE_URL} && \
 curl --fail -O -sSL ${CHECKSUMS_URL}.asc && \
 gpg --verify ${RELEASE_FILE}.asc && \
 gpg --verify ${CHECKSUMS_FILE}.asc && \
+ sha256sum -c sha256sums-unsigned-build.txt && \
 tar --strip-components=1 -vxJf ${RELEASE_FILE} && \
 rm -v ${RELEASE_FILE}*
diff --git a/sha256sums-unsigned-build.txt b/sha256sums-unsigned-build.txt
new file mode 100644
index 0000000..19a2a02
--- /dev/null
+++ b/sha256sums-unsigned-build.txt
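Review bot: Removing `ENV CHECKSUMS_URL` in this hunk while the RUN chain in the hunk at `@@ -37,6 +38,7 @@` still expands `${CHECKSUMS_URL}` (visible there as context) leaves the two curl calls with an empty URL at this commit, so the image does not build until PATCH 2/3 deletes those lines. Either keep the `-ENV CHECKSUMS_URL` removal for the second patch or bring the curl deletions forward, so every commit in the series builds on its own. The added empty line reads as a leftover of the removed line; dropping it keeps the ENV block contiguous.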
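Review bot: `COPY $CHECKSUMS_FILE .` places the checksum list in `/usr/local/bin` next to the extracted release, and the `rm -v ${RELEASE_FILE}*` at the end of the RUN chain (in the next hunk) does not match it, so the file ships in the final image; `rm -v ${RELEASE_FILE}* ${CHECKSUMS_FILE}` would clean it up. The removed TODO was the only text explaining what this file is for, so a one-line comment above the COPY would help the next reader: `# Pinned upstream release checksums; update together with TOR_VERSION.`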
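Review bot: The new line hard-codes `sha256sums-unsigned-build.txt` although `ENV CHECKSUMS_FILE` and the `COPY $CHECKSUMS_FILE .` line use the variable; `sha256sum -c ${CHECKSUMS_FILE} && \` keeps the three in step. At this commit the list (new-file hunk `@@ -0,0 +1,5 @@` below) names four artifacts that are never downloaded, so `sha256sum -c` reports them as missing and the chain fails until PATCH 3/3 trims the file to the `.tar.xz` entry. That remaining entry only pins the download if its filename equals `${RELEASE_FILE}` byte for byte; the `-hardened` suffix suggests `TOR_VERSION` is set to `6.0a4-hardened`, which is not visible in this patch, so please confirm. The enclosing RUN command starts outside the hunk.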
@@ -0,0 +1,5 @@
+cbafa67fa269e8fa658c1ae3b3cd4d83bc8ce4dc8ee15c32fe5154588b69f5e7 mar-tools-linux64.zip
+f53501217dc5bd567927015974d9e51d41c0d17d04d17e9a40e2d78b5d118f28 tor-browser-linux64-6.0a4-hardened_ALL.mar
+f5224c78c3f0da2df4286a6e33a4afec3339a9d6848ff9b6480a42214b8bed8c tor-browser-linux64-6.0a4-hardened_ALL.tar.xz
+f45addbb1b1f0a824cd6baa9bb07860e41f099771ebba2b62f9dbbffc784d6a8 tor-browser-linux64-debug.zip
+243534e2b0c5f57094cc2b3aee0c399b71c9ccedc1cd949813299490bdfc7c2f tor-linux64-debug.zip
From d76d67b0f19c5b57ee8056fd45b1b791ba45d507 Mon Sep 17 00:00:00 2001
From: Henrik Jonsson
Date: Wed, 13 Apr 2016 05:21:13 +0200
Subject: [PATCH 2/3] No need to download checksums file since we include it in repo
---
 Dockerfile | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9fea53a..d9bb1d4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,10 +34,7 @@ COPY $CHECKSUMS_FILE .
 RUN gpg --keyserver pgp.mit.edu --recv-keys $RELEASE_KEY
 RUN curl --fail -O -sSL ${RELEASE_URL} && \
 curl --fail -O -sSL ${RELEASE_URL}.asc && \
- curl --fail -O -sSL ${CHECKSUMS_URL} && \
- curl --fail -O -sSL ${CHECKSUMS_URL}.asc && \
 gpg --verify ${RELEASE_FILE}.asc && \
- gpg --verify ${CHECKSUMS_FILE}.asc && \
 sha256sum -c sha256sums-unsigned-build.txt && \
 tar --strip-components=1 -vxJf ${RELEASE_FILE} && \
 rm -v ${RELEASE_FILE}*
From 130e1701d67ca3867ac1ff1127bed5d287ed98df Mon Sep 17 00:00:00 2001
From: Henrik Jonsson
Date: Wed, 13 Apr 2016 05:44:35 +0200
Subject: [PATCH 3/3] Remove checksums for files we don't use
---
 sha256sums-unsigned-build.txt | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/sha256sums-unsigned-build.txt b/sha256sums-unsigned-build.txt
index 19a2a02..3ec35c0 100644
--- a/sha256sums-unsigned-build.txt
+++ b/sha256sums-unsigned-build.txt
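Review bot: With the download and `gpg --verify` of the upstream `${CHECKSUMS_FILE}.asc` removed, nothing in the Dockerfile records how the repo-local hashes were tied to the Tor project's signed list, so that provenance should be written down; a comment above `RUN curl` such as `# ${CHECKSUMS_FILE} is a copy of upstream's signed checksum list, checked against its .asc when imported; refresh it whenever TOR_VERSION changes.` keeps it with the code. It is also worth noting in that comment that the `sha256sum -c` line is now the control that pins the exact tarball regardless of which key the keyserver returned for `$RELEASE_KEY`, since `gpg --verify` on the context line accepts any key present in the keyring. The RUN chain begins inside this hunk and its `${CHECKSUMS_URL}` uses are all gone here, so the ENV removed in PATCH 1/3 no longer dangles.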
@@ -1,5 +1 @@
-cbafa67fa269e8fa658c1ae3b3cd4d83bc8ce4dc8ee15c32fe5154588b69f5e7 mar-tools-linux64.zip
-f53501217dc5bd567927015974d9e51d41c0d17d04d17e9a40e2d78b5d118f28 tor-browser-linux64-6.0a4-hardened_ALL.mar
 f5224c78c3f0da2df4286a6e33a4afec3339a9d6848ff9b6480a42214b8bed8c tor-browser-linux64-6.0a4-hardened_ALL.tar.xz
-f45addbb1b1f0a824cd6baa9bb07860e41f099771ebba2b62f9dbbffc784d6a8 tor-browser-linux64-debug.zip
-243534e2b0c5f57094cc2b3aee0c399b71c9ccedc1cd949813299490bdfc7c2f tor-linux64-debug.zip