owncloud: enhanced tarball verification

2025-04-19 20:09:16 +00:00 · 2016-05-08 21:48:15 +02:00 · 2016-05-08 21:48:15 +02:00 · a30d3a7907
commit a30d3a7907
parent ac398e3eac
1 changed files with 27 additions and 19 deletions
--- a/owncloud/Dockerfile
+++ b/owncloud/Dockerfile
@ -1,9 +1,11 @@
 FROM alpine:edge
 MAINTAINER Wonderfall <wonderfall@schrodinger.io>

-ARG VERSION=9.0.2
-ARG APCU=5.1.3
-ARG APCUBC=1.0.3
+ARG OWNCLOUD_VERSION=9.0.2
+ARG APCU_VERSION=5.1.3
+ARG APCUBC_VERSION=1.0.3
+
+ARG GPG_owncloud="E303 6906 AD9F 3080 7351  FAC3 2D5D 5E97 F697 8A26"

 ENV GID=991 UID=991

@ -44,21 +46,27 @@ RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/ap
    php7-dev@testing \
    php7-pear@testing \
 && mkdir /owncloud && cd /tmp \
- && wget -q https://download.owncloud.org/community/owncloud-$VERSION.tar.bz2 \
- && wget -q https://download.owncloud.org/community/owncloud-$VERSION.tar.bz2.sha256 \
- && wget -q https://download.owncloud.org/community/owncloud-$VERSION.tar.bz2.asc \
- && wget -q https://pecl.php.net/get/apcu-$APCU.tgz \
- && wget -q https://pecl.php.net/get/apcu_bc-$APCUBC.tgz \
+ && OWNCLOUD_TARBALL="owncloud-${OWNCLOUD_VERSION}.tar.bz2" \
+ && wget -q https://download.owncloud.org/community/${OWNCLOUD_TARBALL} \
+ && wget -q https://download.owncloud.org/community/${OWNCLOUD_TARBALL}.sha256 \
+ && wget -q https://download.owncloud.org/community/${OWNCLOUD_TARBALL}.asc \
 && wget -q https://owncloud.org/owncloud.asc \
- && sha256sum -c owncloud-$VERSION.tar.bz2.sha256 \
- && gpg --import owncloud.asc \
- && gpg --verify owncloud-$VERSION.tar.bz2.asc \
- && tar xjf /tmp/owncloud-$VERSION.tar.bz2 --strip 1 -C /owncloud \
- && tar xzf apcu-$APCU.tgz && tar xzf apcu_bc-$APCUBC.tgz \
- && cd apcu-$APCU && phpize7 && ./configure --with-php-config=/usr/bin/php-config7 && make && make install \
- && cd ../apcu_bc-$APCUBC && phpize7 && ./configure --with-php-config=/usr/bin/php-config7 && make && make install \
+ && wget -q https://pecl.php.net/get/apcu-${APCU_VERSION}.tgz \
+ && wget -q https://pecl.php.net/get/apcu_bc-${APCUBC_VERSION}.tgz \
+ && echo "Verifying both integrity and authenticity of ${OWNCLOUD_TARBALL}..." \
+ && CHECKSUM_STATE=$(echo -n $(sha256sum -c ${OWNCLOUD_TARBALL}.sha256) | tail -c 2) \
+ && if [ "${CHECKSUM_STATE}" != "OK" ]; then echo "Warning! Checksum does not match!" && exit 1; fi \
+ && FINGERPRINT="$(LANG=C gpg --verify ${OWNCLOUD_TARBALL}.asc ${OWNCLOUD_TARBALL} 2>&1 \
+  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
+ && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
+ && if [ "${FINGERPRINT}" != "${GPG_owncloud}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
+ && echo "All seems good, now unpacking ${OWNCLOUD_TARBALL}..." \
+ && tar xjf ${OWNCLOUD_TARBALL} --strip 1 -C /owncloud \
+ && tar xzf apcu-${APCU_VERSION}.tgz && tar xzf apcu_bc-${APCUBC_VERSION}.tgz \
+ && cd apcu-${APCU_VERSION} && phpize7 && ./configure --with-php-config=/usr/bin/php-config7 && make && make install \
+ && cd ../apcu_bc-${APCUBC_VERSION} && phpize7 && ./configure --with-php-config=/usr/bin/php-config7 && make && make install \
 && sed -i "s/;env\[PATH\]/env\[PATH\]/g" /etc/php7/php-fpm.d/www.conf \
- && apk del $BUILD_DEPS php7-dev php7-pear \
+ && apk del ${BUILD_DEPS} php7-dev php7-pear \
 && rm -rf /var/cache/apk/* /tmp/*

 COPY nginx.conf /etc/nginx/nginx.conf
@ -75,8 +83,8 @@ VOLUME /data /config /apps2
 EXPOSE 80

 LABEL description="A server software for creating file hosting services" \
-      owncloud="ownCloud v$VERSION" \
-      apcu="apcu v$APCU" \
-      apcu_bc="apcu_bc v$APCUBC"
+      owncloud="ownCloud v${OWNCLOUD_VERSION}" \
+      apcu="apcu v${APCU_VERSION}" \
+      apcu_bc="apcu_bc v${APCUBC_VERSION}"

 CMD ["tini","--","run.sh"]