From e608e38168ad5400b595a494b94e12c248826c83 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ivan=20Miri=C4=87?=
Date: Fri, 9 Apr 2021 12:36:23 +0200
Subject: [PATCH] Verify awscli signature before installing

Resolves https://github.com/k6io/k6/pull/1916#discussion_r610447918
---
 packaging/Dockerfile | 16 ++++++++++++----
 packaging/awscli-key.gpg | 29 +++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 packaging/awscli-key.gpg

diff --git a/packaging/Dockerfile b/packaging/Dockerfile
index 997c5dfda..1f456c626 100644
--- a/packaging/Dockerfile
+++ b/packaging/Dockerfile
@@ -7,13 +7,21 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update -y && \
 apt-get install -y apt-utils createrepo curl git gnupg2 python3 unzip
+COPY ./awscli-key.gpg .
+
 ARG AWSCLI_VERSION=2.1.35
-RUN curl -fSsL -o "awscliv2.zip" \
- "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-$***REMOVED***AWSCLI_VERSION***REMOVED***.zip" && \
- unzip -q awscliv2.zip && \
+# Download awscli, check GPG signature and install.
+RUN export GNUPGHOME="$(mktemp -d)" && \
+ gpg2 --import ./awscli-key.gpg && \
+ fpr="$(gpg2 --with-colons --fingerprint aws-cli | grep '^fpr' | cut -d: -f10)" && \
+ gpg2 --export-ownertrust && echo "$***REMOVED***fpr***REMOVED***:6:" | gpg2 --import-ownertrust && \
+ curl -fsSL --remote-name-all \
+ "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-$***REMOVED***AWSCLI_VERSION***REMOVED***.zip"***REMOVED***,.sig***REMOVED*** && \
+ gpg2 --verify awscli*.sig awscli*.zip && \
+ unzip -q awscli*.zip && \
 ./aws/install && \
- rm -rf aws*
+ rm -rf aws* "$GNUPGHOME"
 RUN addgroup --gid 1000 k6 && \
 useradd --create-home --shell /bin/bash --no-log-init \
diff --git a/packaging/awscli-key.gpg b/packaging/awscli-key.gpg
new file mode 100644
index 000000000..595184845
--- /dev/null
+++ b/packaging/awscli-key.gpg
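Review bot: The trust step in the new RUN derives `fpr` from the key it has just imported, so `gpg2 --import-ownertrust` marks whatever `awscli-key.gpg` happens to contain as trusted and a swapped key file would still pass `gpg2 --verify`; pin the fingerprint AWS publishes for its CLI signing key and fail the build on mismatch, e.g. `ARG AWSCLI_KEY_FPR=<EXPECTED_AWSCLI_FINGERPRINT_FROM_AWS_DOCS>` plus `[ "$fpr" = "$AWSCLI_KEY_FPR" ] && \` before the curl. Note that `gpg2 --verify` already exits 0 for a good signature from an untrusted key, so the ownertrust import only silences the warning and is not itself a check, and the preceding `gpg2 --export-ownertrust` just prints to stdout and can be dropped. `grep '^fpr'` may match more than one line if the key carries subkeys (not verifiable from the armored block here), in which case only the last line would get the `:6:` suffix; `grep -m1 '^fpr'` keeps it to the primary key. Recording the expected fingerprint and the key's download source in a comment next to the `COPY` would also let reviewers check the new awscli-key.gpg file against an independent reference. The `***REMOVED***` tokens in the URL and `{,.sig}` positions look like a redaction artifact of this rendering rather than the committed text.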
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG
+ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx
+PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G
+TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz
+gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk
+C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG
+94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO
+lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG
+fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG
+EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX
+XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB
+tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4WIQT7
+Xbd/1cEYuAURraimMQrMRnJHXAUCXYKvtQIbAwUJB4TOAAULCQgHAgYVCgkICwIE
+FgIDAQIeAQIXgAAKCRCmMQrMRnJHXJIXEAChLUIkg80uPUkGjE3jejvQSA1aWuAM
+yzy6fdpdlRUz6M6nmsUhOExjVIvibEJpzK5mhuSZ4lb0vJ2ZUPgCv4zs2nBd7BGJ
+MxKiWgBReGvTdqZ0SzyYH4PYCJSE732x/Fw9hfnh1dMTXNcrQXzwOmmFNNegG0Ox
+au+VnpcR5Kz3smiTrIwZbRudo1ijhCYPQ7t5CMp9kjC6bObvy1hSIg2xNbMAN/Do
+ikebAl36uA6Y/Uczjj3GxZW4ZWeFirMidKbtqvUz2y0UFszobjiBSqZZHCreC34B
+hw9bFNpuWC/0SrXgohdsc6vK50pDGdV5kM2qo9tMQ/izsAwTh/d/GzZv8H4lV9eO
+tEis+EpR497PaxKKh9tJf0N6Q1YLRHof5xePZtOIlS3gfvsH5hXA3HJ9yIxb8T0H
+QYmVr3aIUes20i6meI3fuV36VFupwfrTKaL7VXnsrK2fq5cRvyJLNzXucg0WAjPF
+RrAGLzY7nP1xeg1a0aeP+pdsqjqlPJom8OCWc1+6DWbg0jsC74WoesAqgBItODMB
+rsal1y/q+bPzpsnWjzHV8+1/EtZmSc8ZUGSJOPkfC7hObnfkl18h+1QtKTjZme4d
+H17gsBJr+opwJw/Zio2LMjQBOqlm3K1A4zFTh7wBC7He6KPQea1p2XAMgtvATtNe
+YLZATHZKTJyiqA==
+=vYOk
+-----END PGP PUBLIC KEY BLOCK-----