From f2889f0383e7e9550a8071ee81ed12ebda8daae1 Mon Sep 17 00:00:00 2001
From: Michael Lescisin
Date: Mon, 16 Sep 2019 14:36:11 -0400
Subject: [PATCH] Follow Dockerfile best practice by verifying file download against GPG signature. (#485)
---
 curl/Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/curl/Dockerfile b/curl/Dockerfile
index 704852d..df14dc3 100644
--- a/curl/Dockerfile
+++ b/curl/Dockerfile
@@ -22,7 +22,11 @@ RUN set -x \
 nghttp2-dev \
 openssl-dev \
 perl \
+ gnupg \
 && wget https://curl.haxx.se/download/curl-$CURL_VERSION.tar.bz2 \
+ && wget https://curl.haxx.se/download/curl-$CURL_VERSION.tar.bz2.asc \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 \
+ && gpg --verify curl-$CURL_VERSION.tar.bz2.asc \
 && tar xjvf curl-$CURL_VERSION.tar.bz2 \
 && rm curl-$CURL_VERSION.tar.bz2 \
 && ( \
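Review bot: The added `gpg --verify curl-$CURL_VERSION.tar.bz2.asc` line names only the signature file, so gpg infers which data it covers; if the downloaded `.asc` were a self-contained signed message rather than a detached signature, the check could succeed without ever reading the tarball that `tar xjvf` then unpacks. Naming both files ties the check to the tarball: `&& gpg --batch --verify curl-$CURL_VERSION.tar.bz2.asc curl-$CURL_VERSION.tar.bz2 \`. Pinning the full 40-character fingerprint in `--recv-keys` is good, but every build now depends on one keyserver pool being reachable; importing a copy of the key committed to the repository with `gpg --import` would remove that dependency. The RUN chain starts and ends outside the hunk, so it is not visible here whether `gnupg`, the downloaded `.asc` and the keyring are cleaned up afterwards, which is worth confirming.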