Merge pull request #978 from infosiftr/sha256

Add SHA256 verification

Author: yosifkit

3.10/alpine3.19/Dockerfile

@@ -75,6 +75,9 @@ ENV GPG_KEY {{
 	}[rcVersion]
 }}
 ENV PYTHON_VERSION {{ .version }}
+{{ if .checksums.source.sha256 then ( -}}
+ENV PYTHON_SHA256 {{ .checksums.source.sha256 }}
+{{ ) else "" end -}}
 
 RUN set -eux; \
 	\
@@ -139,6 +142,9 @@ RUN set -eux; \
 	\
 {{ ) else "" end -}}
 	wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \
+{{ if .checksums.source.sha256 then ( -}}
+	echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \
+{{ ) else "" end -}}
 	wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \
 	GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
 	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \

3.10/alpine3.20/Dockerfile

@@ -6,11 +6,22 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref
 ENV PYTHONIOENCODING UTF-8
 
 ENV PYTHON_VERSION {{ .version }}
+{{ if .checksums.windows.sha256 then ( -}}
+ENV PYTHON_SHA256 {{ .checksums.windows.sha256 }}
+{{ ) else "" end -}}
 
 RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \
 	Write-Host ('Downloading {0} ...' -f $url); \
 	[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \
 	Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \
+{{ if .checksums.windows.sha256 then ( -}}
+	\
+	Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \
+	if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \
+		Write-Host 'FAILED!'; \
+		exit 1; \
+	}; \
+{{ ) else "" end -}}
 	\
 	Write-Host 'Installing ...'; \
 # https://docs.python.org/3/using/windows.html#installing-without-ui

3.10/bookworm/Dockerfile

@@ -1,5 +1,10 @@
 {
   "3.10": {
+    "checksums": {
+      "source": {
+        "sha256": "aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79"
+      }
+    },
     "setuptools": {
       "version": "65.5.1"
     },
@@ -14,6 +19,11 @@
     "version": "3.10.15"
   },
   "3.11": {
+    "checksums": {
+      "source": {
+        "sha256": "07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372"
+      }
+    },
     "setuptools": {
       "version": "65.5.1"
     },
@@ -28,6 +38,14 @@
     "version": "3.11.10"
   },
   "3.12": {
+    "checksums": {
+      "source": {
+        "sha256": "24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550"
+      },
+      "windows": {
+        "sha256": "1206721601a62c925d4e4a0dcfc371e88f2ddbe8c0c07962ebb2be9b5bde4570"
+      }
+    },
     "variants": [
       "bookworm",
       "slim-bookworm",
@@ -41,6 +59,14 @@
     "version": "3.12.7"
   },
   "3.13": {
+    "checksums": {
+      "source": {
+        "sha256": "086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d"
+      },
+      "windows": {
+        "sha256": "78156ad0cf0ec4123bfb5333b40f078596ebf15f2d062a10144863680afbdefc"
+      }
+    },
     "variants": [
       "bookworm",
       "slim-bookworm",
@@ -54,6 +80,11 @@
     "version": "3.13.0"
   },
   "3.9": {
+    "checksums": {
+      "source": {
+        "sha256": "6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c"
+      }
+    },
     "setuptools": {
       "version": "58.1.0"
     },

3.10/bullseye/Dockerfile

@@ -13,24 +13,64 @@ else
 fi
 versions=( "${versions[@]%/}" )
 
-has_linux_version() {
-	local dir="$1"; shift
+declare -A checksums=()
+check_file() {
 	local dirVersion="$1"; shift
 	local fullVersion="$1"; shift
+	local type="${1:-source}" # "source" or "windows"
 
-	if ! wget -q -O /dev/null -o /dev/null --spider "https://www.python.org/ftp/python/$dirVersion/Python-$fullVersion.tar.xz"; then
-		return 1
+	local filename="Python-$fullVersion.tar.xz"
+	if [ "$type" = 'windows' ]; then
+		filename="python-$fullVersion-amd64.exe"
+	fi
+	local url="https://www.python.org/ftp/python/$dirVersion/$filename"
+
+	local sigstore
+	if sigstore="$(
+		wget -qO- -o/dev/null "$url.sigstore" \
+			| jq -r '
+				.messageSignature.messageDigest
+				| if .algorithm != "SHA2_256" then
+					error("sigstore bundle not using SHA2_256")
+				else .digest end
+			'
+	)" && [ -n "$sigstore" ]; then
+		sigstore="$(base64 -d <<<"$sigstore" | hexdump -ve '/1 "%02x"')"
+		checksums["$fullVersion"]="$(jq <<<"${checksums["$fullVersion"]:-null}" --arg type "$type" --arg sha256 "$sigstore" '.[$type].sha256 = $sha256')"
+		return 0
 	fi
 
-	return 0
-}
-
-has_windows_version() {
-	local dir="$1"; shift
-	local dirVersion="$1"; shift
-	local fullVersion="$1"; shift
+	# TODO is this even necessary/useful?  the sigstore-based version above is *much* faster, supports all current versions (not just 3.12+ like this), *and* should be more reliable 🤔
+	local sbom
+	if sbom="$(
+		wget -qO- -o/dev/null "$url.spdx.json" \
+			| jq --arg filename "$filename" '
+				first(
+					.packages[]
+					| select(
+						.name == "CPython"
+						and .packageFileName == $filename
+					)
+				)
+				| .checksums
+				| map({
+					key: (.algorithm // empty | ascii_downcase),
+					value: (.checksumValue // empty),
+				})
+				| if length < 1 then
+					error("no checksums found for \($filename)")
+				else . end
+				| from_entries
+				| if has("sha256") then . else
+					error("missing sha256 for \($filename); have \(.)")
+				end
+			'
+	)" && [ -n "sbom" ]; then
+		checksums["$fullVersion"]="$(jq <<<"${checksums["$fullVersion"]:-null}" --arg type "$type" --argjson sums "$sbom" '.[$type] += $sums')"
+		return 0
+	fi
 
-	if ! wget -q -O /dev/null -o /dev/null --spider "https://www.python.org/ftp/python/$dirVersion/python-$fullVersion-amd64.exe"; then
+	if ! wget -q -O /dev/null -o /dev/null --spider "$url"; then
 		return 1
 	fi
 
@@ -68,9 +108,9 @@ for version in "${versions[@]}"; do
 		rcPossible="${possible%%[a-z]*}"
 
 		# varnish is great until it isn't (usually the directory listing we scrape below is updated/uncached significantly later than the release being available)
-		if has_linux_version "$version" "$rcPossible" "$possible"; then
+		if check_file "$rcPossible" "$possible"; then
 			fullVersion="$possible"
-			if has_windows_version "$version" "$rcPossible" "$possible"; then
+			if check_file "$rcPossible" "$possible" windows; then
 				hasWindows=1
 			fi
 			break
@@ -89,9 +129,9 @@ for version in "${versions[@]}"; do
 				|| true
 		) )
 		for possibleVersion in "${possibleVersions[@]}"; do
-			if has_linux_version "$version" "$rcPossible" "$possibleVersion"; then
+			if check_file "$rcPossible" "$possibleVersion"; then
 				fullVersion="$possibleVersion"
-				if has_windows_version "$version" "$rcPossible" "$possible"; then
+				if check_file "$rcPossible" "$possible" windows; then
 					hasWindows=1
 				fi
 				break
@@ -150,8 +190,8 @@ for version in "${versions[@]}"; do
 	echo "$version: $fullVersion"
 
 	export fullVersion pipVersion setuptoolsVersion hasWindows
-	json="$(jq <<<"$json" -c '
-		.[env.version] = {
+	doc="$(jq -nc '
+		{
 			version: env.fullVersion,
 			variants: [
 				(
@@ -178,6 +218,12 @@ for version in "${versions[@]}"; do
 			},
 		} else {} end
 	')"
+
+	if [ -n "${checksums["$fullVersion"]:-}" ]; then
+		doc="$(jq <<<"$doc" -c --argjson checksums "${checksums["$fullVersion"]}" '.checksums = $checksums')"
+	fi
+
+	json="$(jq <<<"$json" -c --argjson doc "$doc" '.[env.version] = $doc')"
 done
 
 jq <<<"$json" -S . > versions.json