Pin busybox to fixed version and verify sha256

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-12-10 14:04:11 +01:00 · 2019-12-10 14:04:11 +01:00 · 3e3cd7b255
parent 97b742676b
commit 3e3cd7b255
1 changed files with 12 additions and 1 deletions
--- a/contrib/busybox/Dockerfile
+++ b/contrib/busybox/Dockerfile
@ -10,10 +10,21 @@
 # To publish: Needs someone with publishing rights
 ARG WINDOWS_BASE_IMAGE=mcr.microsoft.com/windows/servercore
 ARG WINDOWS_BASE_IMAGE_TAG=ltsc2019
+ARG BUSYBOX_VERSION=FRP-3329-gcf0fa4d13
+
+# Checksum taken from https://frippery.org/files/busybox/SHA256SUM
+ARG BUSYBOX_SHA256SUM=bfaeb88638e580fc522a68e69072e305308f9747563e51fa085eec60ca39a5ae

 FROM ${WINDOWS_BASE_IMAGE}:${WINDOWS_BASE_IMAGE_TAG}
 RUN mkdir C:\tmp && mkdir C:\bin
-ADD http://frippery.org/files/busybox/busybox.exe /bin/
+ARG BUSYBOX_VERSION
+ARG BUSYBOX_SHA256SUM
+ADD https://frippery.org/files/busybox/busybox-w32-${BUSYBOX_VERSION}.exe /bin/busybox.exe
+RUN powershell \
+    if ((Get-FileHash -Path /bin/busybox.exe -Algorithm SHA256).Hash -ne $Env:BUSYBOX_SHA256SUM) { \
+        Throw \"Checksum validation failed\" \
+    }
+
 RUN setx /M PATH "C:\bin;%PATH%"
 RUN powershell busybox.exe --list ^|%{$nul = cmd /c mklink C:\bin\$_.exe busybox.exe}
 CMD ["sh"]