
Commit fe21c86

authoredOct 15, 2024
Merge pull request #978 from infosiftr/sha256
Add SHA256 verification
2 parents 7666104 + 37a7bfd commit fe21c86


38 files changed

+200
-18
lines changed

 

‎3.10/alpine3.19/Dockerfile

+2

‎3.10/alpine3.20/Dockerfile

+2

‎3.10/bookworm/Dockerfile

+2

‎3.10/bullseye/Dockerfile

+2

‎3.10/slim-bookworm/Dockerfile

+2

‎3.10/slim-bullseye/Dockerfile

+2

‎3.11/alpine3.19/Dockerfile

+2

‎3.11/alpine3.20/Dockerfile

+2

‎3.11/bookworm/Dockerfile

+2

‎3.11/bullseye/Dockerfile

+2

‎3.11/slim-bookworm/Dockerfile

+2

‎3.11/slim-bullseye/Dockerfile

+2

‎3.12/alpine3.19/Dockerfile

+2

‎3.12/alpine3.20/Dockerfile

+2

‎3.12/bookworm/Dockerfile

+2

‎3.12/bullseye/Dockerfile

+2

‎3.12/slim-bookworm/Dockerfile

+2

‎3.12/slim-bullseye/Dockerfile

+2

‎3.12/windows/windowsservercore-1809/Dockerfile

+7

‎3.12/windows/windowsservercore-ltsc2022/Dockerfile

+7

‎3.13/alpine3.19/Dockerfile

+2

‎3.13/alpine3.20/Dockerfile

+2

‎3.13/bookworm/Dockerfile

+2

‎3.13/bullseye/Dockerfile

+2

‎3.13/slim-bookworm/Dockerfile

+2

‎3.13/slim-bullseye/Dockerfile

+2

‎3.13/windows/windowsservercore-1809/Dockerfile

+7

‎3.13/windows/windowsservercore-ltsc2022/Dockerfile

+7

‎3.9/alpine3.19/Dockerfile

+2

‎3.9/alpine3.20/Dockerfile

+2

‎3.9/bookworm/Dockerfile

+2

‎3.9/bullseye/Dockerfile

+2

‎3.9/slim-bookworm/Dockerfile

+2

‎3.9/slim-bullseye/Dockerfile

+2

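--- a/Dockerfile-linux.template
+++ b/Dockerfile-linux.template
@@ -75,6 +75,9 @@ ENV GPG_KEY {{
 }[rcVersion]
 }}
 ENV PYTHON_VERSION {{ .version }}
+{{ if .checksums.source.sha256 then ( -}}
+ENV PYTHON_SHA256 {{ .checksums.source.sha256 }}
+{{ ) else "" end -}}
 
 RUN set -eux; \
 \
@@ -139,6 +142,9 @@ RUN set -eux; \
 \
 {{ ) else "" end -}}
 wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \
+{{ if .checksums.source.sha256 then ( -}}
+echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \
+{{ ) else "" end -}}
 wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \
 GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
 gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \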
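Review bot: The new `sha256sum -c` step in the second hunk is silently omitted for any version whose `versions.json` entry has no `.checksums.source.sha256`, and nothing in the rendered Dockerfile records that the pin was skipped, so a reader of a generated file cannot tell whether the tarball was checksum-verified or only GPG-verified. Since the GPG verification on the following lines stays in place for every variant, a one-line comment in the template would make the intent explicit: `# sha256 pin comes from versions.json (sigstore/SBOM digest); when absent, only the GPG signature check below applies`. The `RUN` step these lines belong to begins and ends outside the hunk.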
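--- a/Dockerfile-windows.template
+++ b/Dockerfile-windows.template
@@ -6,11 +6,22 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref
 ENV PYTHONIOENCODING UTF-8
 
 ENV PYTHON_VERSION {{ .version }}
+{{ if .checksums.windows.sha256 then ( -}}
+ENV PYTHON_SHA256 {{ .checksums.windows.sha256 }}
+{{ ) else "" end -}}
 
 RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \
 Write-Host ('Downloading {0} ...' -f $url); \
 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \
 Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \
+{{ if .checksums.windows.sha256 then ( -}}
+\
+Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \
+if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \
+Write-Host 'FAILED!'; \
+exit 1; \
+}; \
+{{ ) else "" end -}}
 \
 Write-Host 'Installing ...'; \
 # https://docs.python.org/3/using/windows.html#installing-without-ui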
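Review bot: The mismatch branch prints only `'FAILED!'`, so a failed build gives no way to tell whether the download was corrupted or the recorded digest in versions.json is stale; logging the observed hash costs one line: `Write-Host ('FAILED! expected {0}, got {1}' -f $env:PYTHON_SHA256, (Get-FileHash python.exe -Algorithm sha256).Hash); \`. The comparison also relies on PowerShell's `-ne` being case-insensitive, since `Get-FileHash` reports uppercase hex while the digests stored in versions.json are lowercase; a comment in the file's existing `#` style, `# -ne is case-insensitive: Get-FileHash yields uppercase hex, versions.json stores lowercase`, would keep a future switch to `-cne` from breaking every build. The `RUN` step continues past the end of the hunk.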
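--- a/versions.json
+++ b/versions.json
@@ -1,5 +1,10 @@
 {
 "3.10": {
+"checksums": {
+"source": {
+"sha256": "aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79"
+}
+},
 "setuptools": {
 "version": "65.5.1"
 },
@@ -14,6 +19,11 @@
 "version": "3.10.15"
 },
 "3.11": {
+"checksums": {
+"source": {
+"sha256": "07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372"
+}
+},
 "setuptools": {
 "version": "65.5.1"
 },
@@ -28,6 +38,14 @@
 "version": "3.11.10"
 },
 "3.12": {
+"checksums": {
+"source": {
+"sha256": "24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550"
+},
+"windows": {
+"sha256": "1206721601a62c925d4e4a0dcfc371e88f2ddbe8c0c07962ebb2be9b5bde4570"
+}
+},
 "variants": [
 "bookworm",
 "slim-bookworm",
@@ -41,6 +59,14 @@
 "version": "3.12.7"
 },
 "3.13": {
+"checksums": {
+"source": {
+"sha256": "086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d"
+},
+"windows": {
+"sha256": "78156ad0cf0ec4123bfb5333b40f078596ebf15f2d062a10144863680afbdefc"
+}
+},
 "variants": [
 "bookworm",
 "slim-bookworm",
@@ -54,6 +80,11 @@
 "version": "3.13.0"
 },
 "3.9": {
+"checksums": {
+"source": {
+"sha256": "6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c"
+}
+},
 "setuptools": {
 "version": "58.1.0"
 },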
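--- a/versions.sh
+++ b/versions.sh
@@ -13,24 +13,64 @@ else
 fi
 versions=( "${versions[@]%/}" )
 
-has_linux_version() {
-local dir="$1"; shift
+declare -A checksums=()
+check_file() {
 local dirVersion="$1"; shift
 local fullVersion="$1"; shift
+local type="${1:-source}" # "source" or "windows"
 
-if ! wget -q -O /dev/null -o /dev/null --spider "https://www.python.org/ftp/python/$dirVersion/Python-$fullVersion.tar.xz"; then
-return 1
+local filename="Python-$fullVersion.tar.xz"
+if [ "$type" = 'windows' ]; then
+filename="python-$fullVersion-amd64.exe"
+fi
+local url="https://www.python.org/ftp/python/$dirVersion/$filename"
+
+local sigstore
+if sigstore="$(
+wget -qO- -o/dev/null "$url.sigstore" \
+| jq -r '
+.messageSignature.messageDigest
+| if .algorithm != "SHA2_256" then
+error("sigstore bundle not using SHA2_256")
+else .digest end
+'
+)" && [ -n "$sigstore" ]; then
+sigstore="$(base64 -d <<<"$sigstore" | hexdump -ve '/1 "%02x"')"
+checksums["$fullVersion"]="$(jq <<<"${checksums["$fullVersion"]:-null}" --arg type "$type" --arg sha256 "$sigstore" '.[$type].sha256 = $sha256')"
+return 0
 fi
 
-return 0
-}
-
-has_windows_version() {
-local dir="$1"; shift
-local dirVersion="$1"; shift
-local fullVersion="$1"; shift
+# TODO is this even necessary/useful? the sigstore-based version above is *much* faster, supports all current versions (not just 3.12+ like this), *and* should be more reliable 🤔
+local sbom
+if sbom="$(
+wget -qO- -o/dev/null "$url.spdx.json" \
+| jq --arg filename "$filename" '
+first(
+.packages[]
+| select(
+.name == "CPython"
+and .packageFileName == $filename
+)
+)
+| .checksums
+| map({
+key: (.algorithm // empty | ascii_downcase),
+value: (.checksumValue // empty),
+})
+| if length < 1 then
+error("no checksums found for \($filename)")
+else . end
+| from_entries
+| if has("sha256") then . else
+error("missing sha256 for \($filename); have \(.)")
+end
+'
+)" && [ -n "sbom" ]; then
+checksums["$fullVersion"]="$(jq <<<"${checksums["$fullVersion"]:-null}" --arg type "$type" --argjson sums "$sbom" '.[$type] += $sums')"
+return 0
+fi
 
-if ! wget -q -O /dev/null -o /dev/null --spider "https://www.python.org/ftp/python/$dirVersion/python-$fullVersion-amd64.exe"; then
+if ! wget -q -O /dev/null -o /dev/null --spider "$url"; then
 return 1
 fi
 
@@ -68,9 +108,9 @@ for version in "${versions[@]}"; do
 rcPossible="${possible%%[a-z]*}"
 
 # varnish is great until it isn't (usually the directory listing we scrape below is updated/uncached significantly later than the release being available)
-if has_linux_version "$version" "$rcPossible" "$possible"; then
+if check_file "$rcPossible" "$possible"; then
 fullVersion="$possible"
-if has_windows_version "$version" "$rcPossible" "$possible"; then
+if check_file "$rcPossible" "$possible" windows; then
 hasWindows=1
 fi
 break
@@ -89,9 +129,9 @@ for version in "${versions[@]}"; do
 || true
 ) )
 for possibleVersion in "${possibleVersions[@]}"; do
-if has_linux_version "$version" "$rcPossible" "$possibleVersion"; then
+if check_file "$rcPossible" "$possibleVersion"; then
 fullVersion="$possibleVersion"
-if has_windows_version "$version" "$rcPossible" "$possible"; then
+if check_file "$rcPossible" "$possible" windows; then
 hasWindows=1
 fi
 break
@@ -150,8 +190,8 @@ for version in "${versions[@]}"; do
 echo "$version: $fullVersion"
 
 export fullVersion pipVersion setuptoolsVersion hasWindows
-json="$(jq <<<"$json" -c '
-.[env.version] = {
+doc="$(jq -nc '
+{
 version: env.fullVersion,
 variants: [
 (
@@ -178,6 +218,12 @@ for version in "${versions[@]}"; do
 },
 } else {} end
 ')"
+
+if [ -n "${checksums["$fullVersion"]:-}" ]; then
+doc="$(jq <<<"$doc" -c --argjson checksums "${checksums["$fullVersion"]}" '.checksums = $checksums')"
+fi
+
+json="$(jq <<<"$json" -c --argjson doc "$doc" '.[env.version] = $doc')"
 done
 
 jq <<<"$json" -S . > versions.json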
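Review bot: The SBOM branch of `check_file` tests a literal string, `[ -n "sbom" ]`, which is always true, so an empty command substitution (for example when the `wget` of `$url.spdx.json` produces no output and `jq` exits 0 on empty input) reaches the `--argjson sums "$sbom"` call with an empty argument instead of falling through to the `--spider` check; it should be `)" && [ -n "$sbom" ]; then`, matching the sigstore branch. Note also that both new branches read the digest straight out of a bundle or SBOM fetched from the same origin as the artifact without verifying the bundle itself, so what gets pinned into versions.json is what python.org served at scrape time rather than an independently attested value; a comment above `local sigstore` saying so, e.g. `# digest is taken from the unverified bundle/SBOM: it pins what the origin served at scrape time, the GPG check in the Dockerfile remains the authenticity check`, would stop a later reader from treating the pin as stronger than it is. In the `possibleVersions` loop the windows lookup still passes `"$possible"` rather than `"$possibleVersion"`, which looks carried over from the replaced line and is probably not intended. The enclosing `for version` loop and the rest of `check_file` lie outside the hunks.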