Follow Dockerfile best practice by verifying file download against GPG signature. (#485)

2024-11-23 11:31:49 +01:00 · 2019-09-16 14:36:11 -04:00 · 2019-09-16 14:36:11 -04:00 · f2889f0383
commit f2889f0383
parent 7ed006e246
1 changed files with 4 additions and 0 deletions
--- a/curl/Dockerfile
+++ b/curl/Dockerfile
@ -22,7 +22,11 @@ RUN set -x \
 		nghttp2-dev \
 		openssl-dev \
 		perl \
+		gnupg \
 	&& wget https://curl.haxx.se/download/curl-$CURL_VERSION.tar.bz2 \
+	&& wget https://curl.haxx.se/download/curl-$CURL_VERSION.tar.bz2.asc \
+	&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 27EDEAF22F3ABCEB50DB9A125CC908FDB71E12C2 \
+	&& gpg --verify curl-$CURL_VERSION.tar.bz2.asc \
    && tar xjvf curl-$CURL_VERSION.tar.bz2 \
    && rm curl-$CURL_VERSION.tar.bz2 \
    && ( \