Verify awscli signature before installing

Resolves grafana/k6#1916 (comment)
APITeamLimited · Apr 9, 2021 · e608e38 · e608e38
1 parent bc39f28
commit e608e38
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 4 deletions.
diff --git a/packaging/Dockerfile b/packaging/Dockerfile
@@ -7,13 +7,21 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -y && \
     apt-get install -y apt-utils createrepo curl git gnupg2 python3 unzip
 
+COPY ./awscli-key.gpg .
+
 ARG AWSCLI_VERSION=2.1.35
 
-RUN curl -fSsL -o "awscliv2.zip" \
-      "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-$***REMOVED***AWSCLI_VERSION***REMOVED***.zip" && \
-    unzip -q awscliv2.zip && \
+# Download awscli, check GPG signature and install.
+RUN export GNUPGHOME="$(mktemp -d)" && \
+    gpg2 --import ./awscli-key.gpg && \
+    fpr="$(gpg2 --with-colons --fingerprint aws-cli | grep '^fpr' | cut -d: -f10)" && \
+    gpg2 --export-ownertrust && echo "$***REMOVED***fpr***REMOVED***:6:" | gpg2 --import-ownertrust && \
+    curl -fsSL --remote-name-all \
+      "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-$***REMOVED***AWSCLI_VERSION***REMOVED***.zip"***REMOVED***,.sig***REMOVED*** && \
+    gpg2 --verify awscli*.sig awscli*.zip && \
+    unzip -q awscli*.zip && \
     ./aws/install && \
-    rm -rf aws*
+    rm -rf aws* "$GNUPGHOME"
 
 RUN addgroup --gid 1000 k6 && \
     useradd --create-home --shell /bin/bash --no-log-init \

diff --git a/packaging/awscli-key.gpg b/packaging/awscli-key.gpg
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG
+ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx
+PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G
+TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz
+gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk
+C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG
+94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO
+lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG
+fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG
+EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX
+XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB
+tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4WIQT7
+Xbd/1cEYuAURraimMQrMRnJHXAUCXYKvtQIbAwUJB4TOAAULCQgHAgYVCgkICwIE
+FgIDAQIeAQIXgAAKCRCmMQrMRnJHXJIXEAChLUIkg80uPUkGjE3jejvQSA1aWuAM
+yzy6fdpdlRUz6M6nmsUhOExjVIvibEJpzK5mhuSZ4lb0vJ2ZUPgCv4zs2nBd7BGJ
+MxKiWgBReGvTdqZ0SzyYH4PYCJSE732x/Fw9hfnh1dMTXNcrQXzwOmmFNNegG0Ox
+au+VnpcR5Kz3smiTrIwZbRudo1ijhCYPQ7t5CMp9kjC6bObvy1hSIg2xNbMAN/Do
+ikebAl36uA6Y/Uczjj3GxZW4ZWeFirMidKbtqvUz2y0UFszobjiBSqZZHCreC34B
+hw9bFNpuWC/0SrXgohdsc6vK50pDGdV5kM2qo9tMQ/izsAwTh/d/GzZv8H4lV9eO
+tEis+EpR497PaxKKh9tJf0N6Q1YLRHof5xePZtOIlS3gfvsH5hXA3HJ9yIxb8T0H
+QYmVr3aIUes20i6meI3fuV36VFupwfrTKaL7VXnsrK2fq5cRvyJLNzXucg0WAjPF
+RrAGLzY7nP1xeg1a0aeP+pdsqjqlPJom8OCWc1+6DWbg0jsC74WoesAqgBItODMB
+rsal1y/q+bPzpsnWjzHV8+1/EtZmSc8ZUGSJOPkfC7hObnfkl18h+1QtKTjZme4d
+H17gsBJr+opwJw/Zio2LMjQBOqlm3K1A4zFTh7wBC7He6KPQea1p2XAMgtvATtNe
+YLZATHZKTJyiqA==
+=vYOk
+-----END PGP PUBLIC KEY BLOCK-----