From af73f01b021980a4ba7fdf6c762f845ac72e55a8 Mon Sep 17 00:00:00 2001
From: Steffen Neubauer
Date: Thu, 13 Jul 2023 16:18:42 +0200
Subject: [PATCH] improvement: verify downloads using sha256 in Dockerfiles
Fixes #3993
---
 images/buildkit/Dockerfile | 27 +++++++++++-----------
 images/circleci-runner/Dockerfile | 15 ++++++++-----
 images/k8s-sync/Dockerfile | 11 ++++-----
 images/k8s-util/Dockerfile | 5 +++--
 images/skopeo/Dockerfile | 14 +++++++-----
 support/alpine.Dockerfile | 20 +++++++++++------
 support/buster.Dockerfile | 37 ++++++++++++++++---------------
 7 files changed, 73 insertions(+), 56 deletions(-)
diff --git a/images/buildkit/Dockerfile b/images/buildkit/Dockerfile
index c1c10c54ab..aac8966788 100644
--- a/images/buildkit/Dockerfile
+++ b/images/buildkit/Dockerfile
@@ -1,23 +1,22 @@
-FROM moby/buildkit:v0.10.5@sha256:ca9d86324a000a0cc6d93ae9d0d5a9df750a194d0d43644c3a71fc6230ceba44 as deps
+FROM moby/buildkit:v0.10.5@sha256:ca9d86324a000a0cc6d93ae9d0d5a9df750a194d0d43644c3a71fc6230ceba44 as buildkit
-RUN apk add --no-cache curl
+RUN apk add --no-cache wget
 # ECR credential helper
-RUN cd /tmp && \
- curl -O https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login && \
+RUN cd /usr/local/bin && \
+ wget https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login && \
+ echo "af805202cb5d627dde2e6d4be1f519b195fd5a3a35ddc88d5010b4a4e5a98dd8 docker-credential-ecr-login" | sha256sum -c && \
 chmod +x docker-credential-ecr-login
 # GCR credential helper
-RUN curl -fsSL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v2.0.1/docker-credential-gcr_linux_amd64-2.0.1.tar.gz" \
- | tar xz --to-stdout ./docker-credential-gcr \
- > /tmp/docker-credential-gcr && chmod +x /tmp/docker-credential-gcr
-
-FROM moby/buildkit:v0.10.5@sha256:ca9d86324a000a0cc6d93ae9d0d5a9df750a194d0d43644c3a71fc6230ceba44 as buildkit
-
-COPY --from=deps /tmp/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login
-COPY --from=deps /tmp/docker-credential-gcr /usr/local/bin/docker-credential-gcr
+RUN wget "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v2.0.1/docker-credential-gcr_linux_amd64-2.0.1.tar.gz" && \
+ echo "90837d1d9cf16809a60d5c7891d7d0b8445b1978ad43187032a0ca93bda49ed5 docker-credential-gcr_linux_amd64-2.0.1.tar.gz" | sha256sum -c && \
+ tar xzf docker-credential-gcr_linux_amd64-2.0.1.tar.gz --to-stdout ./docker-credential-gcr \
+ > /usr/local/bin/docker-credential-gcr && \
+ chmod +x /usr/local/bin/docker-credential-gcr && \
+ rm docker-credential-gcr_linux_amd64-2.0.1.tar.gz
 FROM moby/buildkit:v0.10.5-rootless@sha256:3a5eca9b8d5d0e6cdcd0e756d607bf7386cd1b61950daf63afadee79b43ba8bf as buildkit-rootless
-COPY --from=deps /tmp/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login
-COPY --from=deps /tmp/docker-credential-gcr /usr/local/bin/docker-credential-gcr
+COPY --from=buildkit /usr/local/bin/docker-credential-ecr-login /usr/local/bin/docker-credential-ecr-login
+COPY --from=buildkit /usr/local/bin/docker-credential-gcr /usr/local/bin/docker-credential-gcr
diff --git a/images/circleci-runner/Dockerfile b/images/circleci-runner/Dockerfile
index dc7174d726..6851141ab7 100644
--- a/images/circleci-runner/Dockerfile
+++ b/images/circleci-runner/Dockerfile
@@ -16,6 +16,7 @@ RUN sudo apt-get update && sudo apt-get install -qq -y --no-install-recommends \
 RUN cd /tmp && \
 git clone https://github.com/xerub/ldid.git && \
 cd ldid && \
+ git checkout db74fea4424ddf8b217a0a8f98bcdc0d8ff29908 && \
 git submodule update --init && \
 ./make.sh && \
 sudo cp -f ./ldid /usr/local/bin/ldid
@@ -35,7 +36,10 @@ COPY --from=ghr /usr/bin/ghr /usr/bin/
 # install gh
 # NOTE: We pin to this version because the latest version does not support the fine-grained access tokens for editing issues (https://github.com/cli/cli/issues/6680)
 # When the issue has been resolved, we can go back to installing the latest version of gh.
-RUN wget https://github.com/cli/cli/releases/download/v2.14.7/gh_2.14.7_linux_amd64.deb && sudo dpkg -i gh_2.14.7_linux_amd64.deb && rm gh_2.14.7_linux_amd64.deb
+RUN wget https://github.com/cli/cli/releases/download/v2.14.7/gh_2.14.7_linux_amd64.deb && \
+ echo "b7ee6f6eb9fb75621bad26b8de7cf457700c33d2f93065a73a77bb3a7a135036 gh_2.14.7_linux_amd64.deb" | sha256sum -c && \
+ sudo dpkg -i gh_2.14.7_linux_amd64.deb && \
+ rm gh_2.14.7_linux_amd64.deb
 # install gcloud
 ENV CLOUDSDK_PYTHON=python3
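Review bot: Dropping the separate `deps` stage means `wget` is now installed into the published `buildkit` stage itself rather than into a throw-away build stage, so a download-time-only tool ends up in the runtime image; the rootless stage still copies the helpers from `buildkit` and is unaffected. The sha256 pins themselves look right and fail the build on mismatch. Consider keeping a download-only stage (`FROM moby/buildkit:… as deps` holding the two verified `RUN`s) and `COPY --from=deps` into both final stages as the removed lines did, or at least `apk del wget` at the end of the last download `RUN`. A comment above each hash stating what it is and how to regenerate it, e.g. `# sha256 of the upstream 0.6.0 release asset; recompute when bumping the version`, would also help the next person who bumps a version.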
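Review bot: The new `git checkout db74fea4424ddf8b217a0a8f98bcdc0d8ff29908` line pins ldid to a commit without saying why this one was chosen, which makes the pin hard to bump or audit later. A one-line comment above the `RUN`, such as `# ldid: pinned to an explicit upstream commit for reproducibility; bump deliberately and re-test make.sh`, would carry that. The full-history clone left in `/tmp` of this layer is pre-existing and not changed here.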
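Review bot: The gh version `2.14.7` now appears four times in the `RUN` with the hash beside it, so a bump means editing five tokens in step and a mismatch only shows up as a failed `sha256sum -c`. Lifting both into build arguments next to the existing pin comment keeps the version and its checksum together, the way `support/alpine.Dockerfile` in this same patch pairs `AWSCLI_VERSION` with `AWSCLI_SHA256`. An `ARG` can be overridden with `--build-arg`, so if the checksum must not be overridable from the command line keep it a plain literal (or `ENV`, at the cost of persisting into the runtime environment). For example:
```dockerfile
ARG GH_VERSION=2.14.7
ARG GH_SHA256=b7ee6f6eb9fb75621bad26b8de7cf457700c33d2f93065a73a77bb3a7a135036
RUN wget https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VERSION}_linux_amd64.deb && \
    echo "${GH_SHA256} gh_${GH_VERSION}_linux_amd64.deb" | sha256sum -c && \
    sudo dpkg -i gh_${GH_VERSION}_linux_amd64.deb && \
    rm gh_${GH_VERSION}_linux_amd64.deb
```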
@@ -45,7 +49,8 @@ RUN sudo ln -s /usr/lib/google-cloud-sdk/bin/* /usr/local/bin/ \
 && cd / && gcloud version # make sure it works
 # install kubectl
-RUN curl -o kubectl curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.0/bin/linux/amd64/kubectl \
- && chmod +x kubectl \
- && sudo mv kubectl /usr/local/bin/ \
- && cd / && kubectl version --client=true # make sure it works
+RUN wget -O kubectl https://storage.googleapis.com/kubernetes-release/release/v1.17.0/bin/linux/amd64/kubectl && \
+ echo "6e0aaaffe5507a44ec6b1b8a0fb585285813b78cc045f8804e70a6aac9d1cb4c kubectl" | sha256sum -c && \
+ chmod +x kubectl && \
+ sudo mv kubectl /usr/local/bin/ && \
+ cd / && kubectl version --client=true # make sure it works
diff --git a/images/k8s-sync/Dockerfile b/images/k8s-sync/Dockerfile
index 6104676389..e1250d5cdd 100644
--- a/images/k8s-sync/Dockerfile
+++ b/images/k8s-sync/Dockerfile
@@ -1,12 +1,13 @@
 FROM alpine:3.15.4@sha256:a777c9c66ba177ccfea23f2a216ff6721e78a662cd17019488c417135299cd89
-RUN apk add --no-cache curl
+RUN apk add --no-cache wget
 # Get mutagen agent
-RUN curl -fsSL "https://github.com/mutagen-io/mutagen/releases/download/v0.15.0/mutagen_linux_amd64_v0.15.0.tar.gz" \
- | tar xz --to-stdout mutagen-agents.tar.gz \
- | tar xz --to-stdout linux_amd64 \
- > /usr/local/bin/mutagen-agent && \
+RUN wget "https://github.com/mutagen-io/mutagen/releases/download/v0.15.0/mutagen_linux_amd64_v0.15.0.tar.gz" && \
+ echo "dd4a0b6fa8b36232108075d2c740d563ec945d8e872c749ad027fa1b241a8b07 mutagen_linux_amd64_v0.15.0.tar.gz" | sha256sum -c && \
+ tar xzf mutagen_linux_amd64_v0.15.0.tar.gz --to-stdout mutagen-agents.tar.gz \
+ | tar xz --to-stdout linux_amd64 > /usr/local/bin/mutagen-agent && \
+ rm mutagen_linux_amd64_v0.15.0.tar.gz && \
 chmod +x /usr/local/bin/mutagen-agent && \
 mkdir -p /.garden && \
 ln -s /usr/local/bin/mutagen-agent /.garden/mutagen-agent
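Review bot: The rewritten kubectl `RUN` switches to trailing `&& \` continuation while the gcloud block directly above it (visible in the `&& cd / && gcloud version` context line) uses leading `&&`; within one Dockerfile pick one so future diffs stay readable. The checksum line is correct and the stray `curl -o kubectl curl -LO` of the old line is gone, which is a genuine fix. As far as I know kubectl `v1.17.0` is a 2019 release served from the legacy `kubernetes-release` bucket; whenever it is bumped the hash must be regenerated from the new asset, which a comment such as `# kubectl v1.17.0 sha256 from the release asset; regenerate on bump` would make explicit.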
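Review bot: The extraction is still a two-stage pipe (`tar xzf … --to-stdout mutagen-agents.tar.gz | tar xz --to-stdout linux_amd64 > /usr/local/bin/mutagen-agent`) under Alpine's default `/bin/sh` with no `pipefail`, so the `&&` chain only sees the exit status of the second `tar`; a failure in the first one is masked unless the second happens to fail on the truncated input. Since the verified archive is now on disk the pipe is avoidable: replace the two `tar` lines and the `rm` with `tar xzf mutagen_linux_amd64_v0.15.0.tar.gz mutagen-agents.tar.gz && \`, `tar xzf mutagen-agents.tar.gz --to-stdout linux_amd64 > /usr/local/bin/mutagen-agent && \` and `rm mutagen_linux_amd64_v0.15.0.tar.gz mutagen-agents.tar.gz && \`. Alternatively a `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` before the `RUN` makes the existing pipe fail loudly, if the image's ash supports it.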
diff --git a/images/k8s-util/Dockerfile b/images/k8s-util/Dockerfile
index 695e21ba83..2a4e125170 100644
--- a/images/k8s-util/Dockerfile
+++ b/images/k8s-util/Dockerfile
@@ -1,9 +1,10 @@
 ARG BASE_IMAGE
 FROM ${BASE_IMAGE}
-RUN apk add --no-cache rsync skopeo
+RUN apk add --no-cache wget rsync skopeo
 RUN cd /usr/local/bin && \
- curl -O https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login && \
+ wget https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login && \
+ echo "af805202cb5d627dde2e6d4be1f519b195fd5a3a35ddc88d5010b4a4e5a98dd8 docker-credential-ecr-login" | sha256sum -c && \
 chmod +x docker-credential-ecr-login
 RUN adduser -g 1000 -D user && \
diff --git a/images/skopeo/Dockerfile b/images/skopeo/Dockerfile
index ddf04f3b77..4d62936c9a 100644
--- a/images/skopeo/Dockerfile
+++ b/images/skopeo/Dockerfile
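Review bot: `wget` is added to the runtime package set (`apk add --no-cache wget rsync skopeo`) although it is only needed for the single download in the next `RUN`, so it ships in the final k8s-util image; the same happens in `images/skopeo/Dockerfile` and `images/buildkit/Dockerfile` in this patch. Installing it as a virtual package inside the download step and removing it in the same layer keeps the verification and leaves no fetch tool behind. The package list is also no longer sorted (`wget rsync skopeo`), while the previous `rsync skopeo` was. The base comes from `ARG BASE_IMAGE`, so whether a busybox `wget` with TLS support is already present cannot be told from here.
```dockerfile
RUN apk add --no-cache rsync skopeo
RUN apk add --no-cache --virtual .fetch-deps wget && \
    cd /usr/local/bin && \
    wget https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login && \
    echo "af805202cb5d627dde2e6d4be1f519b195fd5a3a35ddc88d5010b4a4e5a98dd8 docker-credential-ecr-login" | sha256sum -c && \
    chmod +x docker-credential-ecr-login && \
    apk del .fetch-deps
```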
@@ -1,10 +1,14 @@
 FROM danifernandezs/skopeo:1.41.0-alpine3.10.3@sha256:3063f966f2752491ba2c3acb0e903a001c586e0fb5f404b8e8c3ac1f9e93c9f2
-RUN apk add --no-cache curl
+RUN apk add --no-cache wget
 RUN cd /usr/local/bin && \
- curl -O https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login && \
+ wget https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/0.6.0/linux-amd64/docker-credential-ecr-login && \
+ echo "af805202cb5d627dde2e6d4be1f519b195fd5a3a35ddc88d5010b4a4e5a98dd8 docker-credential-ecr-login" | sha256sum -c && \
 chmod +x docker-credential-ecr-login
-RUN curl -fsSL "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v2.0.1/docker-credential-gcr_linux_amd64-2.0.1.tar.gz" \
- | tar xz --to-stdout ./docker-credential-gcr \
- > /usr/local/bin/docker-credential-gcr && chmod +x /usr/local/bin/docker-credential-gcr
+RUN wget "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v2.0.1/docker-credential-gcr_linux_amd64-2.0.1.tar.gz" && \
+ echo "90837d1d9cf16809a60d5c7891d7d0b8445b1978ad43187032a0ca93bda49ed5 docker-credential-gcr_linux_amd64-2.0.1.tar.gz" | sha256sum -c && \
+ tar xzf docker-credential-gcr_linux_amd64-2.0.1.tar.gz --to-stdout ./docker-credential-gcr \
+ > /usr/local/bin/docker-credential-gcr && \
+ chmod +x /usr/local/bin/docker-credential-gcr && \
+ rm docker-credential-gcr_linux_amd64-2.0.1.tar.gz
diff --git a/support/alpine.Dockerfile b/support/alpine.Dockerfile
index 800b7602f0..e18929ee24 100644
--- a/support/alpine.Dockerfile
+++ b/support/alpine.Dockerfile
@@ -55,9 +55,10 @@ WORKDIR /project
 FROM python:3.11-alpine@sha256:4e8e9a59bf1b3ca8e030244bc5f801f23e41e37971907371da21191312087a07 AS aws-builder
 ENV AWSCLI_VERSION=2.11.18
+ENV AWSCLI_SHA256="b09bee1a52a1dc8c3f5e904195933fd27583f867276dd0deefc53358b9074b9d"
 RUN apk add --no-cache \
- curl \
+ wget \
 make \
 cmake \
 gcc \
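Review bot: `ENV AWSCLI_SHA256=…` is a build-time-only value declared with `ENV`, so it persists in the environment of anything derived from `aws-builder`; that is harmless as long as this remains a builder stage that later stages only `COPY --from`, which the hunk does not show. `ARG AWSCLI_SHA256=…` would avoid that, with the trade-off that an `ARG` is overridable by `--build-arg`, so an operator could substitute the expected hash without touching the Dockerfile; given the existing `ENV AWSCLI_VERSION` right above, keeping `ENV` for consistency is defensible, but the choice deserves a comment. Suggest `# sha256 of awscli-$AWSCLI_VERSION.tar.gz from awscli.amazonaws.com; update together with AWSCLI_VERSION` above the new line.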
@@ -65,14 +66,17 @@ RUN apk add --no-cache \
 libc-dev \
 libffi-dev \
 openssl-dev
-RUN curl https://awscli.amazonaws.com/awscli-$AWSCLI_VERSION.tar.gz | tar -xz
+RUN wget https://awscli.amazonaws.com/awscli-$AWSCLI_VERSION.tar.gz && \
+ echo "$AWSCLI_SHA256 awscli-$AWSCLI_VERSION.tar.gz" | sha256sum -c && \
+ tar -xzf awscli-$AWSCLI_VERSION.tar.gz
 RUN cd awscli-$AWSCLI_VERSION \
 && ./configure --bindir=/usr/local/bin --prefix=/aws-cli/ --with-download-deps --with-install-type=portable-exe \
 && make \
 && make install
-RUN curl -o aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.15.10/2020-02-22/bin/linux/amd64/aws-iam-authenticator \
- && chmod +x ./aws-iam-authenticator \
- && mv ./aws-iam-authenticator /usr/bin/
+RUN wget -O aws-iam-authenticator https://amazon-eks.s3.us-west-2.amazonaws.com/1.15.10/2020-02-22/bin/linux/amd64/aws-iam-authenticator && \
+ echo "fe958eff955bea1499015b45dc53392a33f737630efd841cd574559cc0f41800 aws-iam-authenticator" | sha256sum -c && \
+ chmod +x ./aws-iam-authenticator && \
+ mv ./aws-iam-authenticator /usr/bin/
 #
 # garden-aws-base
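Review bot: `awscli-$AWSCLI_VERSION.tar.gz` is verified and extracted but never removed, unlike every other archive in this patch, so it stays in the `aws-builder` layer; the following `RUN cd awscli-$AWSCLI_VERSION` only needs the extracted directory, so appending `&& rm awscli-$AWSCLI_VERSION.tar.gz` after `tar -xzf awscli-$AWSCLI_VERSION.tar.gz` is safe. This affects only the builder stage's size, not the final image, assuming the stage is consumed via `COPY --from`. The `aws-iam-authenticator` download is written to the current directory before the `mv`; giving `wget -O` an explicit path such as `/tmp/aws-iam-authenticator` and checking the hash against that path removes the dependency on whatever `WORKDIR` is in effect, which the hunk does not show.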
@@ -100,8 +104,10 @@ FROM garden-alpine-base-root as garden-azure-base
 WORKDIR /
 ENV AZURE_CLI_VERSION=2.48.1
-RUN wget -O requirements.txt https://raw.githubusercontent.com/Azure/azure-cli/azure-cli-$AZURE_CLI_VERSION/src/azure-cli/requirements.py3.Linux.txt
-RUN wget -O trim_sdk.py https://raw.githubusercontent.com/Azure/azure-cli/azure-cli-$AZURE_CLI_VERSION/scripts/trim_sdk.py
+RUN wget -O requirements.txt https://raw.githubusercontent.com/Azure/azure-cli/azure-cli-$AZURE_CLI_VERSION/src/azure-cli/requirements.py3.Linux.txt && \
+ echo "c552be7337282c28b28cded6bd8d4b64247ddd2c4faf59042555fcc478405afb requirements.txt" | sha256sum -c
+RUN wget -O trim_sdk.py https://raw.githubusercontent.com/Azure/azure-cli/azure-cli-$AZURE_CLI_VERSION/scripts/trim_sdk.py && \
+ echo "2e6292f5285b4fcedbe8efd77309fade550667d1c502a6ffa078f1aa97942c64 trim_sdk.py" | sha256sum -c
 RUN apk add py3-virtualenv openssl-dev libffi-dev build-base python3-dev
 RUN python3 -m virtualenv /azure-cli
diff --git a/support/buster.Dockerfile b/support/buster.Dockerfile
index 529c0991ca..f2dac7870e 100644
--- a/support/buster.Dockerfile
+++ b/support/buster.Dockerfile
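Review bot: The two new checksums pin the exact contents of `requirements.py3.Linux.txt` and `trim_sdk.py` while their URLs are derived from `$AZURE_CLI_VERSION`, so bumping `ENV AZURE_CLI_VERSION=2.48.1` fails the build until both hashes are regenerated; that is intended, but nothing here says so. The `aws-builder` stage earlier in this patch keeps the hash beside the version (`AWSCLI_SHA256` next to `AWSCLI_VERSION`); doing the same here with `ENV AZURE_CLI_REQUIREMENTS_SHA256=c552be7337282c28b28cded6bd8d4b64247ddd2c4faf59042555fcc478405afb` and `ENV AZURE_CLI_TRIM_SDK_SHA256=2e6292f5285b4fcedbe8efd77309fade550667d1c502a6ffa078f1aa97942c64` under the version line, referenced from the two `echo` lines, makes the coupling visible in one place (`ARG` works the same way if the values should not persist into the image). A short comment there, such as `# both hashes must be regenerated whenever AZURE_CLI_VERSION changes`, completes it.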
@@ -5,25 +5,26 @@ ARG VARIANT=root
 FROM node:18.15.0-buster-slim@sha256:b89966598ea8c38c37543823e54f3ff36c067d90f935085796cbd077a98c4ff8 as buster-base-root
 # system dependencies
-RUN set -ex; \
- apt-get update; \
+RUN apt-get update && \
 apt-get install -y --no-install-recommends \
- apt-transport-https \
- bash \
- ca-certificates \
- curl \
- gnupg2 \
- git \
- gzip \
- openssl \
- rsync \
- software-properties-common; \
- \
- curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -; \
- add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"; \
- apt-get update; \
- apt-get install -y docker-ce-cli; \
- rm -rf /var/lib/apt/lists/*;
+ apt-transport-https \
+ bash \
+ ca-certificates \
+ curl \
+ gnupg2 \
+ git \
+ gzip \
+ openssl \
+ rsync \
+ software-properties-common && \
+ install -m 0755 -d /etc/apt/keyrings && \
+ curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg && \
+ chmod a+r /etc/apt/keyrings/docker.gpg && \
+ echo \
+ "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+ "$(. /etc/os-release && echo "$VERSION_CODENAME")" stable" > /etc/apt/sources.list.d/docker.list && \
+ apt-get update && \
+ apt-get install docker-ce-cli -y
 ENV USER=root
 ENV HOME=/root
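Review bot: The Docker apt signing key, `curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg`, is the one download in this patch that is not checksum-verified, and it is the trust root for the `docker-ce-cli` package installed right after it; it also runs as a pipe under Debian's default `/bin/sh` with no `pipefail` now that `set -ex` is gone, so a failed `curl` yields an empty keyring and the error only surfaces later as an apt signature failure. Downloading the key to a file, checking it with `sha256sum -c` (or comparing `gpg --show-keys --with-fingerprint` output against the fingerprint Docker publishes in its install docs) and only then dearmoring keeps the commit's own rule. Two regressions in the rewritten `RUN`: `rm -rf /var/lib/apt/lists/*` from the old last line was dropped, so the apt index now stays in the layer, and `software-properties-common` is still installed although `add-apt-repository`, its only user here, is gone. The move from `apt-key` to `signed-by=` is the right direction.
```dockerfile
    install -m 0755 -d /etc/apt/keyrings && \
    curl -fsSL -o /tmp/docker.asc https://download.docker.com/linux/debian/gpg && \
    echo "<SHA256_OF_DOCKER_GPG_FILE_PLACEHOLDER> /tmp/docker.asc" | sha256sum -c && \
    gpg --dearmor -o /etc/apt/keyrings/docker.gpg /tmp/docker.asc && \
    rm /tmp/docker.asc && \
    chmod a+r /etc/apt/keyrings/docker.gpg && \
    # … unchanged: docker.list entry; apt-get install package list minus software-properties-common …
    apt-get update && \
    apt-get install docker-ce-cli -y && \
    rm -rf /var/lib/apt/lists/*
```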