tor: verify arm tarball

2025-04-20 04:19:18 +00:00 · 2016-05-08 13:05:53 +02:00 · 2016-05-08 13:05:53 +02:00 · 9972f82fab
commit 9972f82fab
parent 8a10b28fe3
1 changed files with 11 additions and 3 deletions
--- a/tor/Dockerfile
+++ b/tor/Dockerfile
@ -1,14 +1,14 @@
 FROM alpine:3.3

-ARG ARM_VERSION=1.4.5.0
 ARG TOR_VERSION=0.2.7.6
 ARG TOR_USER_ID=45553
+ARG ARM_VERSION=1.4.5.0
+
 ARG GPG_Mathewson="B35B F85B F194 89D0 4E28  C33C 2119 4EBB 1657 33EA"
+ARG GPG_Johnson="6827 8CC5 DD2D 1E85 C4E4  5AD9 0445 B7AB 9ABB EEC6"

 ENV TERM=xterm

-VOLUME /usr/local/etc/tor /tordata
-
 RUN BUILD_DEPS=" \
    libevent-dev \
    openssl-dev \
@ -35,10 +35,18 @@ RUN BUILD_DEPS=" \
 && adduser -h /var/run/tor -D -s /sbin/nologin -u ${TOR_USER_ID} tor \
 && cd /tmp \
 && wget -q https://www.atagar.com/arm/resources/static/arm-${ARM_VERSION}.tar.bz2  \
+ && wget -q https://www.atagar.com/arm/resources/static/arm-${ARM_VERSION}.tar.bz2.asc \
+ && gpg --keyserver pgp.mit.edu --recv-keys 0x9ABBEEC6 \
+ && FINGERPRINT="$(LANG=C gpg --verify arm-${ARM_VERSION}.tar.bz2.asc arm-${ARM_VERSION}.tar.bz2 2>&1 \
+  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
+ && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
+ && if [ "${FINGERPRINT}" != "${GPG_Johnson}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
 && tar xjf /tmp/arm-${ARM_VERSION}.tar.bz2 && cd arm && ./install \
 && apk del ${BUILD_DEPS} \
 && rm -rf /var/cache/apk/* /tmp/*

+VOLUME /usr/local/etc/tor /tordata
 EXPOSE 9001 9030
 USER tor
+
 ENTRYPOINT [ "tor" ]