Upgrade security of Dockerfile

* Use https to retrieve archive from Rakudo server * Retrieve PGP signature from Rakudo server (https) * Retrieve PGP public key over hkps and using full fingerprint * Verify archive using signature (explicitly with gpg2)
Raku · Aug 9, 2018 · 33cba95 · georgy7 · Oct 18, 2018 · tianon
1 parent 048e15a
commit 33cba95
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -12,13 +12,22 @@ RUN buildDeps=' \
         libencode-perl \
         make \
     ' \
+    url="https://rakudo.org/downloads/star/rakudo-star-${rakudo_version}.tar.gz" \
+    keyserver='hkps.pool.sks-keyservers.net' \
+    keyfp='ECF8B611205B447E091246AF959E3D6197190DD5' \
     tmpdir="$(mktemp -d)" \
     && set -x \
+    && export GNUPGHOME="$tmpdir" \
     && apt-get update \
     && apt-get --yes install --no-install-recommends $buildDeps \
     && rm -rf /var/lib/apt/lists/* \
     && mkdir ${tmpdir}/rakudo \
-    && curl -fsSL http://rakudo.org/downloads/star/rakudo-star-${rakudo_version}.tar.gz -o ${tmpdir}/rakudo.tar.gz \
+    \
+    && curl -fsSL ${url}.asc -o ${tmpdir}/rakudo.tar.gz.asc \
+    && curl -fsSL $url -o ${tmpdir}/rakudo.tar.gz \
+    && gpg2 --keyserver $keyserver --recv-keys $keyfp \
+    && gpg2 --batch --verify ${tmpdir}/rakudo.tar.gz.asc ${tmpdir}/rakudo.tar.gz \
+    \
     && tar xzf ${tmpdir}/rakudo.tar.gz --strip-components=1 -C ${tmpdir}/rakudo \
     && ( \
         cd ${tmpdir}/rakudo \