From 37a7bfdfa9947e8eaf650150a5df1729e7432599 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 9 Oct 2024 15:18:55 -0700 Subject: [PATCH] Add SHA256 verification This works by extracting the relevant checksums from the upstream `.sigstore` bundles. Hopefully at some point in the future there will be a more explicit means of getting these checksum values directly. --- 3.10/alpine3.19/Dockerfile | 2 + 3.10/alpine3.20/Dockerfile | 2 + 3.10/bookworm/Dockerfile | 2 + 3.10/bullseye/Dockerfile | 2 + 3.10/slim-bookworm/Dockerfile | 2 + 3.10/slim-bullseye/Dockerfile | 2 + 3.11/alpine3.19/Dockerfile | 2 + 3.11/alpine3.20/Dockerfile | 2 + 3.11/bookworm/Dockerfile | 2 + 3.11/bullseye/Dockerfile | 2 + 3.11/slim-bookworm/Dockerfile | 2 + 3.11/slim-bullseye/Dockerfile | 2 + 3.12/alpine3.19/Dockerfile | 2 + 3.12/alpine3.20/Dockerfile | 2 + 3.12/bookworm/Dockerfile | 2 + 3.12/bullseye/Dockerfile | 2 + 3.12/slim-bookworm/Dockerfile | 2 + 3.12/slim-bullseye/Dockerfile | 2 + .../windows/windowsservercore-1809/Dockerfile | 7 ++ .../windowsservercore-ltsc2022/Dockerfile | 7 ++ 3.13/alpine3.19/Dockerfile | 2 + 3.13/alpine3.20/Dockerfile | 2 + 3.13/bookworm/Dockerfile | 2 + 3.13/bullseye/Dockerfile | 2 + 3.13/slim-bookworm/Dockerfile | 2 + 3.13/slim-bullseye/Dockerfile | 2 + .../windows/windowsservercore-1809/Dockerfile | 7 ++ .../windowsservercore-ltsc2022/Dockerfile | 7 ++ 3.9/alpine3.19/Dockerfile | 2 + 3.9/alpine3.20/Dockerfile | 2 + 3.9/bookworm/Dockerfile | 2 + 3.9/bullseye/Dockerfile | 2 + 3.9/slim-bookworm/Dockerfile | 2 + 3.9/slim-bullseye/Dockerfile | 2 + Dockerfile-linux.template | 6 ++ Dockerfile-windows.template | 11 +++ versions.json | 31 +++++++ versions.sh | 82 +++++++++++++++---- 38 files changed, 200 insertions(+), 18 deletions(-) diff --git a/3.10/alpine3.19/Dockerfile b/3.10/alpine3.19/Dockerfile index 65a6b2d37..df5dd811b 100644 --- a/3.10/alpine3.19/Dockerfile +++ b/3.10/alpine3.19/Dockerfile 
@@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/alpine3.20/Dockerfile b/3.10/alpine3.20/Dockerfile index 4627b12b5..330b28c17 100644 --- a/3.10/alpine3.20/Dockerfile +++ b/3.10/alpine3.20/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/bookworm/Dockerfile b/3.10/bookworm/Dockerfile index 9e9e3170a..2fd89a19c 100644 --- a/3.10/bookworm/Dockerfile +++ b/3.10/bookworm/Dockerfile 
@@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/bullseye/Dockerfile b/3.10/bullseye/Dockerfile index 98440f9a5..bbb175fff 100644 --- a/3.10/bullseye/Dockerfile +++ b/3.10/bullseye/Dockerfile @@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/slim-bookworm/Dockerfile b/3.10/slim-bookworm/Dockerfile index e99add8ed..984b7a8d0 100644 --- a/3.10/slim-bookworm/Dockerfile +++ b/3.10/slim-bookworm/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ 
@@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/slim-bullseye/Dockerfile b/3.10/slim-bullseye/Dockerfile index 0732224b2..3342d27cc 100644 --- a/3.10/slim-bullseye/Dockerfile +++ b/3.10/slim-bullseye/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ @@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/alpine3.19/Dockerfile b/3.11/alpine3.19/Dockerfile index 39491416a..0de2b82ed 100644 --- a/3.11/alpine3.19/Dockerfile +++ b/3.11/alpine3.19/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ 
@@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/alpine3.20/Dockerfile b/3.11/alpine3.20/Dockerfile index a945539c2..914e34edc 100644 --- a/3.11/alpine3.20/Dockerfile +++ b/3.11/alpine3.20/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/bookworm/Dockerfile b/3.11/bookworm/Dockerfile index 93be03eb4..0dbd36f3e 100644 --- a/3.11/bookworm/Dockerfile +++ b/3.11/bookworm/Dockerfile 
@@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/bullseye/Dockerfile b/3.11/bullseye/Dockerfile index c5a0a7a6d..4bdf869c1 100644 --- a/3.11/bullseye/Dockerfile +++ b/3.11/bullseye/Dockerfile @@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/slim-bookworm/Dockerfile b/3.11/slim-bookworm/Dockerfile index f435e9847..53dd3e913 100644 --- a/3.11/slim-bookworm/Dockerfile +++ b/3.11/slim-bookworm/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ 
@@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/slim-bullseye/Dockerfile b/3.11/slim-bullseye/Dockerfile index 4a5fdd620..ffc5971dd 100644 --- a/3.11/slim-bullseye/Dockerfile +++ b/3.11/slim-bullseye/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ @@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/alpine3.19/Dockerfile b/3.12/alpine3.19/Dockerfile index c2784b6e1..7cfbf1d31 100644 --- a/3.12/alpine3.19/Dockerfile +++ b/3.12/alpine3.19/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ 
@@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/alpine3.20/Dockerfile b/3.12/alpine3.20/Dockerfile index bee89fc88..9a984f575 100644 --- a/3.12/alpine3.20/Dockerfile +++ b/3.12/alpine3.20/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/bookworm/Dockerfile b/3.12/bookworm/Dockerfile index 5677e4af5..40a5e46ce 100644 --- a/3.12/bookworm/Dockerfile +++ b/3.12/bookworm/Dockerfile 
@@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/bullseye/Dockerfile b/3.12/bullseye/Dockerfile index cc136ec99..a0c98d45a 100644 --- a/3.12/bullseye/Dockerfile +++ b/3.12/bullseye/Dockerfile @@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/slim-bookworm/Dockerfile b/3.12/slim-bookworm/Dockerfile index 59ff54284..0fb84592f 100644 --- a/3.12/slim-bookworm/Dockerfile +++ b/3.12/slim-bookworm/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ 
@@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/slim-bullseye/Dockerfile b/3.12/slim-bullseye/Dockerfile index 12414e84d..34761e37e 100644 --- a/3.12/slim-bullseye/Dockerfile +++ b/3.12/slim-bullseye/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ @@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/windows/windowsservercore-1809/Dockerfile b/3.12/windows/windowsservercore-1809/Dockerfile index 6141b6936..1c85224d0 100644 --- a/3.12/windows/windowsservercore-1809/Dockerfile +++ b/3.12/windows/windowsservercore-1809/Dockerfile 
@@ -12,12 +12,19 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 1206721601a62c925d4e4a0dcfc371e88f2ddbe8c0c07962ebb2be9b5bde4570 RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ + \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui $exitCode = (Start-Process python.exe -Wait -NoNewWindow -PassThru \ diff --git a/3.12/windows/windowsservercore-ltsc2022/Dockerfile b/3.12/windows/windowsservercore-ltsc2022/Dockerfile index 0c79621e4..d8af8a47c 100644 --- a/3.12/windows/windowsservercore-ltsc2022/Dockerfile +++ b/3.12/windows/windowsservercore-ltsc2022/Dockerfile 
@@ -12,12 +12,19 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 1206721601a62c925d4e4a0dcfc371e88f2ddbe8c0c07962ebb2be9b5bde4570 RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ + \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui $exitCode = (Start-Process python.exe -Wait -NoNewWindow -PassThru \ diff --git a/3.13/alpine3.19/Dockerfile b/3.13/alpine3.19/Dockerfile index 0895e5cd3..814a33818 100644 --- a/3.13/alpine3.19/Dockerfile +++ b/3.13/alpine3.19/Dockerfile @@ -18,6 +18,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ @@ -53,6 +54,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/alpine3.20/Dockerfile b/3.13/alpine3.20/Dockerfile index afd49db9a..dd8642626 100644 --- a/3.13/alpine3.20/Dockerfile +++ b/3.13/alpine3.20/Dockerfile 
@@ -18,6 +18,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ @@ -53,6 +54,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/bookworm/Dockerfile b/3.13/bookworm/Dockerfile index 58bdbf4f1..93cacf9af 100644 --- a/3.13/bookworm/Dockerfile +++ b/3.13/bookworm/Dockerfile @@ -21,10 +21,12 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/bullseye/Dockerfile b/3.13/bullseye/Dockerfile index f334cc74c..9d4aab748 100644 --- a/3.13/bullseye/Dockerfile +++ b/3.13/bullseye/Dockerfile 
@@ -21,10 +21,12 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/slim-bookworm/Dockerfile b/3.13/slim-bookworm/Dockerfile index 9237983f0..6573d6f94 100644 --- a/3.13/slim-bookworm/Dockerfile +++ b/3.13/slim-bookworm/Dockerfile @@ -21,6 +21,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ @@ -51,6 +52,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/slim-bullseye/Dockerfile b/3.13/slim-bullseye/Dockerfile index 2b2b11c64..55795e1da 100644 --- a/3.13/slim-bullseye/Dockerfile +++ b/3.13/slim-bullseye/Dockerfile @@ -21,6 +21,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ 
@@ -51,6 +52,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/windows/windowsservercore-1809/Dockerfile b/3.13/windows/windowsservercore-1809/Dockerfile index c15287f91..99eb4c5f4 100644 --- a/3.13/windows/windowsservercore-1809/Dockerfile +++ b/3.13/windows/windowsservercore-1809/Dockerfile @@ -12,12 +12,19 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 78156ad0cf0ec4123bfb5333b40f078596ebf15f2d062a10144863680afbdefc RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ + \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui $exitCode = (Start-Process python.exe -Wait -NoNewWindow -PassThru \ diff --git a/3.13/windows/windowsservercore-ltsc2022/Dockerfile b/3.13/windows/windowsservercore-ltsc2022/Dockerfile index 4977b3983..99ba51773 100644 --- a/3.13/windows/windowsservercore-ltsc2022/Dockerfile +++ b/3.13/windows/windowsservercore-ltsc2022/Dockerfile 
@@ -12,12 +12,19 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 78156ad0cf0ec4123bfb5333b40f078596ebf15f2d062a10144863680afbdefc RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ + \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui $exitCode = (Start-Process python.exe -Wait -NoNewWindow -PassThru \ diff --git a/3.9/alpine3.19/Dockerfile b/3.9/alpine3.19/Dockerfile index 8632c56f2..1163933f8 100644 --- a/3.9/alpine3.19/Dockerfile +++ b/3.9/alpine3.19/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/alpine3.20/Dockerfile b/3.9/alpine3.20/Dockerfile index 91044e1a8..00a3b9a64 100644 --- a/3.9/alpine3.20/Dockerfile +++ b/3.9/alpine3.20/Dockerfile 
@@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/bookworm/Dockerfile b/3.9/bookworm/Dockerfile index fe0ba4cee..9180a988e 100644 --- a/3.9/bookworm/Dockerfile +++ b/3.9/bookworm/Dockerfile @@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/bullseye/Dockerfile b/3.9/bullseye/Dockerfile index fbe07aa6e..816a80ba8 100644 --- a/3.9/bullseye/Dockerfile +++ b/3.9/bullseye/Dockerfile 
@@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/slim-bookworm/Dockerfile b/3.9/slim-bookworm/Dockerfile index b29051af5..f6c0daa43 100644 --- a/3.9/slim-bookworm/Dockerfile +++ b/3.9/slim-bookworm/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ @@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/slim-bullseye/Dockerfile b/3.9/slim-bullseye/Dockerfile index 956ede228..37ce11eb8 100644 --- a/3.9/slim-bullseye/Dockerfile +++ b/3.9/slim-bullseye/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ 
@@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/Dockerfile-linux.template b/Dockerfile-linux.template index 3b87b10ab..02f1c9ad6 100644 --- a/Dockerfile-linux.template +++ b/Dockerfile-linux.template @@ -75,6 +75,9 @@ ENV GPG_KEY {{ }[rcVersion] }} ENV PYTHON_VERSION {{ .version }} +{{ if .checksums.source.sha256 then ( -}} +ENV PYTHON_SHA256 {{ .checksums.source.sha256 }} +{{ ) else "" end -}} RUN set -eux; \ \ @@ -139,6 +142,9 @@ RUN set -eux; \ \ {{ ) else "" end -}} wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ +{{ if .checksums.source.sha256 then ( -}} + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ +{{ ) else "" end -}} wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/Dockerfile-windows.template b/Dockerfile-windows.template index 78d5aaa9d..a564f29de 100644 --- a/Dockerfile-windows.template +++ b/Dockerfile-windows.template 
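Review bot: In the second hunk (`@@ -139,6 +142,9 @@`) the `sha256sum -c` line is wrapped in `{{ if .checksums.source.sha256 then ( -}} … {{ ) else "" end -}}`, so a version for which versions.sh (in the diffstat but outside this chunk) could not extract a digest renders a Dockerfile with no checksum step and silently falls back to the GPG check alone, with nothing to distinguish a deliberate omission from a broken extraction. If every tracked version is expected to carry a source digest, as versions.json in this commit suggests, the quieter failure mode is avoidable by making absence a render error, e.g. `{{ ) else error("missing source sha256 for " + .version) end -}}`, or at minimum by a comment at the guard stating that GPG-only is the accepted fallback. The check itself is sound: it runs before the `.asc` is fetched, `sha256sum -c -` is the last stage so its status aborts the `set -e` run without needing `pipefail`, and the `*` prefix selects binary mode. The enclosing `RUN` continues past the hunk.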
@@ -6,11 +6,22 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION {{ .version }} +{{ if .checksums.windows.sha256 then ( -}} +ENV PYTHON_SHA256 {{ .checksums.windows.sha256 }} +{{ ) else "" end -}} RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ +{{ if .checksums.windows.sha256 then ( -}} + \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ +{{ ) else "" end -}} \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui diff --git a/versions.json b/versions.json index d2b47f5d1..24e297545 100644 --- a/versions.json +++ b/versions.json @@ -1,5 +1,10 @@ { "3.10": { + "checksums": { + "source": { + "sha256": "aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79" + } + }, "setuptools": { "version": "65.5.1" }, @@ -14,6 +19,11 @@ "version": "3.10.15" }, "3.11": { + "checksums": { + "source": { + "sha256": "07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372" + } + }, "setuptools": { "version": "65.5.1" }, @@ -28,6 +38,14 @@ "version": "3.11.10" }, "3.12": { + "checksums": { + "source": { + "sha256": "24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550" + }, + "windows": { + "sha256": "1206721601a62c925d4e4a0dcfc371e88f2ddbe8c0c07962ebb2be9b5bde4570" + } + }, "variants": [ "bookworm", "slim-bookworm", 
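Review bot: The comparison `(Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256` is only correct because PowerShell's `-ne` is case-insensitive: `Get-FileHash` returns uppercase hex, while the value versions.sh writes into `PYTHON_SHA256` is lowercase (it is produced by `hexdump -ve '/1 "%02x"'`). That works today but is fragile — switching to `-cne`, or reusing the value outside PowerShell, would reject every valid download. Either normalise explicitly, `if ((Get-FileHash python.exe -Algorithm sha256).Hash.ToLower() -ne $env:PYTHON_SHA256.ToLower()) { \`, or add a comment above the `if` stating that the case-insensitive compare is relied upon. As in the Linux template, the whole block is conditional on `.checksums.windows.sha256`, so a release without an upstream digest silently loses the pin; the enclosing `RUN` continues past the hunk.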
@@ -41,6 +59,14 @@ "version": "3.12.7" }, "3.13": { + "checksums": { + "source": { + "sha256": "086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d" + }, + "windows": { + "sha256": "78156ad0cf0ec4123bfb5333b40f078596ebf15f2d062a10144863680afbdefc" + } + }, "variants": [ "bookworm", "slim-bookworm", @@ -54,6 +80,11 @@ "version": "3.13.0" }, "3.9": { + "checksums": { + "source": { + "sha256": "6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c" + } + }, "setuptools": { "version": "58.1.0" }, diff --git a/versions.sh b/versions.sh index c4fef9a9a..53c0498c4 100755 --- a/versions.sh +++ b/versions.sh 
@@ -13,24 +13,64 @@ else fi versions=( "${versions[@]%/}" ) -has_linux_version() { - local dir="$1"; shift +declare -A checksums=() +check_file() { local dirVersion="$1"; shift local fullVersion="$1"; shift + local type="${1:-source}" # "source" or "windows" - if ! wget -q -O /dev/null -o /dev/null --spider "https://www.python.org/ftp/python/$dirVersion/Python-$fullVersion.tar.xz"; then - return 1 + local filename="Python-$fullVersion.tar.xz" + if [ "$type" = 'windows' ]; then + filename="python-$fullVersion-amd64.exe" + fi + local url="https://www.python.org/ftp/python/$dirVersion/$filename" + + local sigstore + if sigstore="$( + wget -qO- -o/dev/null "$url.sigstore" \ + | jq -r ' + .messageSignature.messageDigest + | if .algorithm != "SHA2_256" then + error("sigstore bundle not using SHA2_256") + else .digest end + ' + )" && [ -n "$sigstore" ]; then + sigstore="$(base64 -d <<<"$sigstore" | hexdump -ve '/1 "%02x"')" + checksums["$fullVersion"]="$(jq <<<"${checksums["$fullVersion"]:-null}" --arg type "$type" --arg sha256 "$sigstore" '.[$type].sha256 = $sha256')" + return 0 fi - return 0 -} - -has_windows_version() { - local dir="$1"; shift - local dirVersion="$1"; shift - local fullVersion="$1"; shift + # TODO is this even necessary/useful? the sigstore-based version above is *much* faster, supports all current versions (not just 3.12+ like this), *and* should be more reliable 🤔 + local sbom + if sbom="$( + wget -qO- -o/dev/null "$url.spdx.json" \ + | jq --arg filename "$filename" ' + first( + .packages[] + | select( + .name == "CPython" + and .packageFileName == $filename + ) + ) + | .checksums + | map({ + key: (.algorithm // empty | ascii_downcase), + value: (.checksumValue // empty), + }) + | if length < 1 then + error("no checksums found for \($filename)") + else . end + | from_entries + | if has("sha256") then . 
else + error("missing sha256 for \($filename); have \(.)") + end + ' + )" && [ -n "sbom" ]; then + checksums["$fullVersion"]="$(jq <<<"${checksums["$fullVersion"]:-null}" --arg type "$type" --argjson sums "$sbom" '.[$type] += $sums')" + return 0 + fi - if ! wget -q -O /dev/null -o /dev/null --spider "https://www.python.org/ftp/python/$dirVersion/python-$fullVersion-amd64.exe"; then + if ! wget -q -O /dev/null -o /dev/null --spider "$url"; then return 1 fi @@ -68,9 +108,9 @@ for version in "${versions[@]}"; do rcPossible="${possible%%[a-z]*}" # varnish is great until it isn't (usually the directory listing we scrape below is updated/uncached significantly later than the release being available) - if has_linux_version "$version" "$rcPossible" "$possible"; then + if check_file "$rcPossible" "$possible"; then fullVersion="$possible" - if has_windows_version "$version" "$rcPossible" "$possible"; then + if check_file "$rcPossible" "$possible" windows; then hasWindows=1 fi break @@ -89,9 +129,9 @@ for version in "${versions[@]}"; do || true ) ) for possibleVersion in "${possibleVersions[@]}"; do - if has_linux_version "$version" "$rcPossible" "$possibleVersion"; then + if check_file "$rcPossible" "$possibleVersion"; then fullVersion="$possibleVersion" - if has_windows_version "$version" "$rcPossible" "$possible"; then + if check_file "$rcPossible" "$possible" windows; then hasWindows=1 fi break @@ -150,8 +190,8 @@ for version in "${versions[@]}"; do echo "$version: $fullVersion" export fullVersion pipVersion setuptoolsVersion hasWindows - json="$(jq <<<"$json" -c ' - .[env.version] = { + doc="$(jq -nc ' + { version: env.fullVersion, variants: [ ( 
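Review bot: In the SBOM fallback the guard `[ -n "sbom" ]` tests a literal string and is always true; it should be `[ -n "$sbom" ]`. As written, an SBOM with no package matching `$filename` makes `first(...)` yield nothing, so jq prints nothing and exits 0, the guard passes, `jq --argjson sums ""` then fails on invalid JSON, and the assignment leaves `checksums["$fullVersion"]` as an empty string before `return 0` — which both clobbers a source digest already recorded for that version and reports the file as present. Separately, the `.sigstore` branch reads `messageSignature.messageDigest.digest` without verifying the bundle's signature or certificate, so the pinned value is only as trustworthy as the TLS fetch from python.org at the moment versions.sh ran; worth stating above that `jq` call, e.g. `# NOTE: the bundle is NOT verified here; the digest only pins what python.org served at this point in time, release authenticity still comes from the GPG check in the Dockerfile`. The function's trailing `return 0` and closing brace lie outside the hunk.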
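Review bot: Inside the `for possibleVersion` loop the windows probe is `check_file "$rcPossible" "$possible" windows` while the source probe that set `fullVersion` used `"$possibleVersion"`; `check_file` now keys `checksums` by its second argument, so if `possible` and `possibleVersion` ever differ the windows digest is stored under a key the emit step never reads (it looks up `checksums["$fullVersion"]`) while `hasWindows=1` is still set. The replaced `has_windows_version` call passed the same `$possible`, so this may be deliberate, but now that checksums ride along it is worth aligning the two: `if check_file "$rcPossible" "$possibleVersion" windows; then`. The enclosing loop begins before the hunk.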
@@ -178,6 +218,12 @@ for version in "${versions[@]}"; do }, } else {} end ')" + + if [ -n "${checksums["$fullVersion"]:-}" ]; then + doc="$(jq <<<"$doc" -c --argjson checksums "${checksums["$fullVersion"]}" '.checksums = $checksums')" + fi + + json="$(jq <<<"$json" -c --argjson doc "$doc" '.[env.version] = $doc')" done jq <<<"$json" -S . > versions.json