Commit 0018c16

Browse files
committed
Replacing ADD by download and checking nginx-keyring.gpg
Fixing CIS-DI-0009 (See https://github.com/goodwithtech/dockle/blob/master/CHECKPOINT.md#cis-di-0009)
1 parent 477decd commit 0018c16

1 file changed

+7
-1
lines changed

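--- a/Dockerfile
+++ b/Dockerfile
@@ -46,9 +46,15 @@ RUN \
 ARG FROM
 FROM ${FROM} AS main
 
+ARG NGINX_KEYRING_SHA256_SUM=7d3d5a7adf37e17d6882e2f6f55324b9a8f978ef3c99c50fe801af67c9847c91
 COPY docker/unit.list /etc/apt/sources.list.d/unit.list
-ADD --chmod=444 --chown=0:0 https://unit.nginx.org/keys/nginx-keyring.gpg /usr/share/keyrings/nginx-keyring.gpg
 RUN export DEBIAN_FRONTEND=noninteractive \
+&& curl -fsSL https://unit.nginx.org/keys/nginx-keyring.gpg -o /usr/share/keyrings/nginx-keyring.gpg \
+&& echo "Verifying integrity of nginx-keyring.gpg ..." \
+&& echo "${NGINX_KEYRING_SHA256_SUM} /usr/share/keyrings/nginx-keyring.gpg" | sha256sum -c -\
+|| (echo "Error: checksum verification of nginx-keyring.gpg failed!" && exit 1) \
+&& chmod 444 /usr/share/keyrings/nginx-keyring.gpg \
+&& chown 0:0 /usr/share/keyrings/nginx-keyring.gpg \
 && apt-get update -qq \
 && apt-get upgrade \
 --yes -qq --no-install-recommends \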
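Review bot: The `|| (echo "Error: checksum verification of nginx-keyring.gpg failed!" && exit 1)` branch on new line 55 is reached by any failure earlier in the `&&` chain, not only a hash mismatch, so a failed `curl -fsSL` on line 52 reports a misleading checksum error; `exit 1` inside the `( … )` subshell only ends the subshell, but the non-zero status still short-circuits the following `&&` steps, so the RUN does fail and no unverified keyring reaches a committed layer. Because `sha256sum -c` already exits non-zero and prints `FAILED` on a mismatch, the branch can be dropped and the line written as `&& echo "${NGINX_KEYRING_SHA256_SUM} /usr/share/keyrings/nginx-keyring.gpg" | sha256sum -c - \` (note the missing space before the backslash in `-c -\`, which only works because `||` is self-delimiting). The pin lives in an `ARG`, which a caller can override with `--build-arg`; a comment above line 49 such as `# SHA-256 of the upstream keyring; the build intentionally fails when NGINX rotates the key, and a --build-arg override disables this check` would make that contract explicit. This also presumes `curl` is present in the `${FROM}` base, which the hunk does not show. The RUN instruction continues past the end of the hunk.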
