From f0a96358301e9d16274d19985e190a90440e6f6b Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 2 Mar 2019 19:19:46 +0100
Subject: [PATCH] Add some verification logic for dockerize

Since we download the binary each time, we should make sure that it's
trustworthy. Since there is no signature by the developer, we do the
cheaper version of simply using a sha256sum.
---
 alpine/Dockerfile | 14 +++++++++-----
 debian/Dockerfile | 11 ++++++++---
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/alpine/Dockerfile b/alpine/Dockerfile
index f6ee432..8ee1445 100644
--- a/alpine/Dockerfile
+++ b/alpine/Dockerfile
@@ -12,11 +12,15 @@ ENV NODE_ENV=production
 # PhantomJS is broken on alpine and crashes CodiMD
 ENV CMD_ALLOW_PDF_EXPORT=false
 
-RUN apk add --no-cache --virtual .download wget  ca-certificates && \
-    wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz && \
-    tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz && \
-    rm dockerize-alpine-linux-amd64-$DOCKERIZE_VERSION.tar.gz && \
-    apk del .download
+RUN true \
+    && apk add --no-cache --virtual .download wget ca-certificates \
+    && echo "dddbf178ecfd55fa6670b01ac08fef63ef9490212426b9fab8a602345409da8f dockerize-alpine-linux-amd64-${DOCKERIZE_VERSION}.tar.gz" > dockerize_checksum \
+    && wget https://github.com/jwilder/dockerize/releases/download/${DOCKERIZE_VERSION}/dockerize-alpine-linux-amd64-${DOCKERIZE_VERSION}.tar.gz \
+    && sha256sum -c dockerize_checksum \
+    && tar -C /usr/local/bin -xzvf dockerize-alpine-linux-amd64-${DOCKERIZE_VERSION}.tar.gz \
+    && rm dockerize-linux-amd64-${DOCKERIZE_VERSION}.tar.gz dockerize_checksum \
+    && apk del .download \
+    && true
 
 ENV GOSU_VERSION 1.11
 COPY resources/gosu-gpg.key /tmp/gosu.key
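Review bot: The `rm` in the new alpine RUN chain names `dockerize-linux-amd64-${DOCKERIZE_VERSION}.tar.gz`, but the archive fetched and extracted two lines earlier is `dockerize-alpine-linux-amd64-${DOCKERIZE_VERSION}.tar.gz`; because the steps are `&&`-joined, the rm fails on the missing file and the build aborts right after the checksum verification succeeds. The line should read `&& rm dockerize-alpine-linux-amd64-${DOCKERIZE_VERSION}.tar.gz dockerize_checksum \`. The pinned digest is also only valid for the DOCKERIZE_VERSION set above this hunk, so a comment on the echo line such as `# sha256 of the dockerize-alpine release tarball; update together with DOCKERIZE_VERSION` would save the next maintainer a failed build when bumping the version.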
diff --git a/debian/Dockerfile b/debian/Dockerfile
index 2d77c5d..a9b75e7 100644
--- a/debian/Dockerfile
+++ b/debian/Dockerfile
@@ -9,9 +9,14 @@ ENV DEBIAN_FRONTEND noninteractive
 ENV DOCKERIZE_VERSION v0.6.1
 ENV NODE_ENV=production
 
-RUN wget https://github.com/jwilder/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz && \
-    tar -C /usr/local/bin -xzvf dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz && \
-    rm dockerize-linux-amd64-$DOCKERIZE_VERSION.tar.gz
+
+RUN true \
+    && echo "1fa29cd41a5854fd5423e242f3ea9737a50a8c3bcf852c9e62b9eb02c6ccd370 dockerize-linux-amd64-${DOCKERIZE_VERSION}.tar.gz" > dockerize_checksum \
+    && wget https://github.com/jwilder/dockerize/releases/download/${DOCKERIZE_VERSION}/dockerize-linux-amd64-${DOCKERIZE_VERSION}.tar.gz \
+    && sha256sum -c dockerize_checksum \
+    && tar -C /usr/local/bin -xzvf dockerize-linux-amd64-${DOCKERIZE_VERSION}.tar.gz \
+    && rm dockerize-linux-amd64-${DOCKERIZE_VERSION}.tar.gz dockerize_checksum \
+    && true
 
 ENV GOSU_VERSION 1.11
 COPY resources/gosu-gpg.key /tmp/gosu.key
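Review bot: The hard-coded digest in the echo line is tied to the `DOCKERIZE_VERSION v0.6.1` declared above it, but nothing in the file says so, and the version and its hash now live on separate lines that must be changed together; a comment like `# sha256 of the dockerize-linux-amd64 v0.6.1 release tarball; update whenever DOCKERIZE_VERSION changes` above the RUN would make the coupling explicit. As a point of style, the added empty line before `RUN true` leaves two consecutive blank lines, so that insertion can be dropped. The same coupling applies to the alpine hunk, which pins a different digest for its own tarball.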
-- 
GitLab