From d5e389ccd67f263df382225f77cebdd1c452d681 Mon Sep 17 00:00:00 2001
From: Yifei Zhang
Date: Thu, 2 May 2024 04:55:11 +0000
Subject: [PATCH] Merged in CLIP-1872-integrate-sha256-check (pull request #163)

CLIP-1872: Verify sha256 checksum after downloading tar.gz.

* CLIP-1872: Verify sha256 checksum after downloading tar.gz.
* CLIP-1872: Ignored cd in hadolint.

Approved-by: Eugene Ivantsov
---
 .hadolint.yaml | 1 +
 Dockerfile | 6 +++++-
 Dockerfile.ubi | 6 +++++-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/.hadolint.yaml b/.hadolint.yaml
index 591d3c7..f5c8ac8 100644
--- a/.hadolint.yaml
+++ b/.hadolint.yaml
@@ -1,5 +1,6 @@
 ignored:
 - DL3002 # root user in UBI Dockerfile
+ - DL3003 # cd in the RUN instruction
 - DL3005 # Package upgrades
 - DL3017 # Package upgrades
 - DL3006 # Version tagging
diff --git a/Dockerfile b/Dockerfile
index 05d3bed..2ce0cb8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -42,7 +42,11 @@ RUN groupadd --gid ${RUN_GID} ${RUN_GROUP} \
 && useradd --uid ${RUN_UID} --gid ${RUN_GID} --home-dir ${CONFLUENCE_HOME} --shell /bin/bash ${RUN_USER} \
 && echo PATH=$PATH > /etc/environment \
 && mkdir -p ${CONFLUENCE_INSTALL_DIR} \
- && curl -L --silent ${DOWNLOAD_URL} | tar -xz --strip-components=1 -C "${CONFLUENCE_INSTALL_DIR}" \
+ && curl -fsSL ${DOWNLOAD_URL} -o /tmp/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz \
+ && curl -fsSL ${DOWNLOAD_URL}.sha256 -o /tmp/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz.sha256 \
+ && set -e; cd /tmp && sha256sum -c atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz.sha256 \
+ && tar -xf /tmp/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz --strip-components=1 -C "${CONFLUENCE_INSTALL_DIR}" \
+ && rm /tmp/atlassian-confluence* \
 && chmod -R 550 ${CONFLUENCE_INSTALL_DIR}/ \
 && chown -R ${RUN_USER}:root ${CONFLUENCE_INSTALL_DIR}/ \
 && for dir in logs temp work; do \
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index 7a20bc6..e26d218 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
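Review bot: In the Dockerfile hunk the expected digest is fetched from `${DOWNLOAD_URL}.sha256`, the same location as the tarball, so `sha256sum -c` catches a truncated or corrupted transfer but not a replaced artifact: anything able to alter the archive at that origin can alter the checksum file beside it. For the check to carry supply-chain weight, the digest should come from outside the download path, for example a build argument pinned per release: `ARG DOWNLOAD_SHA256` plus `&& echo "${DOWNLOAD_SHA256}  /tmp/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz" | sha256sum -c - \`. The Dockerfile.ubi hunk adds the same lines and has the same limitation. The RUN instruction begins above the hunk and continues past its last line.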
@@ -42,7 +42,11 @@ RUN groupadd --gid ${RUN_GID} ${RUN_GROUP} \
 && useradd --uid ${RUN_UID} --gid ${RUN_GID} --home-dir ${CONFLUENCE_HOME} --shell /bin/bash ${RUN_USER} \
 && echo PATH=$PATH > /etc/environment \
 && mkdir -p ${CONFLUENCE_INSTALL_DIR} \
- && curl -L --silent ${DOWNLOAD_URL} | tar -xz --strip-components=1 -C "${CONFLUENCE_INSTALL_DIR}" \
+ && curl -fsSL ${DOWNLOAD_URL} -o /tmp/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz \
+ && curl -fsSL ${DOWNLOAD_URL}.sha256 -o /tmp/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz.sha256 \
+ && set -e; cd /tmp && sha256sum -c atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz.sha256 \
+ && tar -xf /tmp/atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz --strip-components=1 -C "${CONFLUENCE_INSTALL_DIR}" \
+ && rm /tmp/atlassian-confluence* \
 && chmod -R 550 ${CONFLUENCE_INSTALL_DIR}/ \
 && chown -R ${RUN_USER}:root ${CONFLUENCE_INSTALL_DIR}/ \
 && for dir in logs temp work; do \
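Review bot: The `set -e;` on the checksum line ends the `&&` chain with a `;`, so a failure in any earlier command of this RUN (groupadd, useradd, mkdir, either curl) no longer stops the step at that point; the shell goes on to `cd /tmp && sha256sum -c …` regardless. `set -e` is also ignored for non-final commands of an `&&` list, so it does not make the verification any stricter. Keeping one unbroken chain states the intent directly: `&& cd /tmp && sha256sum -c atlassian-confluence-${CONFLUENCE_VERSION}.tar.gz.sha256 \`. The Dockerfile hunk has the identical line. The RUN instruction starts above the hunk and runs past its last line, so whether a later `;`-separated command could mask a failed check cannot be seen from here.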