From 37a7bfdfa9947e8eaf650150a5df1729e7432599 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Wed, 9 Oct 2024 15:18:55 -0700 Subject: [PATCH] Add SHA256 verification This works by extracting the relevant checksums from the upstream `.sigstore` bundles. Hopefully at some point in the future there will be a more explicit means of getting these checksum values directly. --- 3.10/alpine3.19/Dockerfile | 2 + 3.10/alpine3.20/Dockerfile | 2 + 3.10/bookworm/Dockerfile | 2 + 3.10/bullseye/Dockerfile | 2 + 3.10/slim-bookworm/Dockerfile | 2 + 3.10/slim-bullseye/Dockerfile | 2 + 3.11/alpine3.19/Dockerfile | 2 + 3.11/alpine3.20/Dockerfile | 2 + 3.11/bookworm/Dockerfile | 2 + 3.11/bullseye/Dockerfile | 2 + 3.11/slim-bookworm/Dockerfile | 2 + 3.11/slim-bullseye/Dockerfile | 2 + 3.12/alpine3.19/Dockerfile | 2 + 3.12/alpine3.20/Dockerfile | 2 + 3.12/bookworm/Dockerfile | 2 + 3.12/bullseye/Dockerfile | 2 + 3.12/slim-bookworm/Dockerfile | 2 + 3.12/slim-bullseye/Dockerfile | 2 + .../windows/windowsservercore-1809/Dockerfile | 7 ++ .../windowsservercore-ltsc2022/Dockerfile | 7 ++ 3.13/alpine3.19/Dockerfile | 2 + 3.13/alpine3.20/Dockerfile | 2 + 3.13/bookworm/Dockerfile | 2 + 3.13/bullseye/Dockerfile | 2 + 3.13/slim-bookworm/Dockerfile | 2 + 3.13/slim-bullseye/Dockerfile | 2 + .../windows/windowsservercore-1809/Dockerfile | 7 ++ .../windowsservercore-ltsc2022/Dockerfile | 7 ++ 3.9/alpine3.19/Dockerfile | 2 + 3.9/alpine3.20/Dockerfile | 2 + 3.9/bookworm/Dockerfile | 2 + 3.9/bullseye/Dockerfile | 2 + 3.9/slim-bookworm/Dockerfile | 2 + 3.9/slim-bullseye/Dockerfile | 2 + Dockerfile-linux.template | 6 ++ Dockerfile-windows.template | 11 +++ versions.json | 31 +++++++ versions.sh | 82 +++++++++++++++---- 38 files changed, 200 insertions(+), 18 deletions(-) diff --git a/3.10/alpine3.19/Dockerfile b/3.10/alpine3.19/Dockerfile index 65a6b2d37..df5dd811b 100644 --- a/3.10/alpine3.19/Dockerfile +++ b/3.10/alpine3.19/Dockerfile 
@@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/alpine3.20/Dockerfile b/3.10/alpine3.20/Dockerfile index 4627b12b5..330b28c17 100644 --- a/3.10/alpine3.20/Dockerfile +++ b/3.10/alpine3.20/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/bookworm/Dockerfile b/3.10/bookworm/Dockerfile index 9e9e3170a..2fd89a19c 100644 --- a/3.10/bookworm/Dockerfile +++ b/3.10/bookworm/Dockerfile 
@@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/bullseye/Dockerfile b/3.10/bullseye/Dockerfile index 98440f9a5..bbb175fff 100644 --- a/3.10/bullseye/Dockerfile +++ b/3.10/bullseye/Dockerfile @@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/slim-bookworm/Dockerfile b/3.10/slim-bookworm/Dockerfile index e99add8ed..984b7a8d0 100644 --- a/3.10/slim-bookworm/Dockerfile +++ b/3.10/slim-bookworm/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ 
@@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.10/slim-bullseye/Dockerfile b/3.10/slim-bullseye/Dockerfile index 0732224b2..3342d27cc 100644 --- a/3.10/slim-bullseye/Dockerfile +++ b/3.10/slim-bullseye/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.10.15 +ENV PYTHON_SHA256 aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79 RUN set -eux; \ \ @@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/alpine3.19/Dockerfile b/3.11/alpine3.19/Dockerfile index 39491416a..0de2b82ed 100644 --- a/3.11/alpine3.19/Dockerfile +++ b/3.11/alpine3.19/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ 
@@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/alpine3.20/Dockerfile b/3.11/alpine3.20/Dockerfile index a945539c2..914e34edc 100644 --- a/3.11/alpine3.20/Dockerfile +++ b/3.11/alpine3.20/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/bookworm/Dockerfile b/3.11/bookworm/Dockerfile index 93be03eb4..0dbd36f3e 100644 --- a/3.11/bookworm/Dockerfile +++ b/3.11/bookworm/Dockerfile 
@@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/bullseye/Dockerfile b/3.11/bullseye/Dockerfile index c5a0a7a6d..4bdf869c1 100644 --- a/3.11/bullseye/Dockerfile +++ b/3.11/bullseye/Dockerfile @@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/slim-bookworm/Dockerfile b/3.11/slim-bookworm/Dockerfile index f435e9847..53dd3e913 100644 --- a/3.11/slim-bookworm/Dockerfile +++ b/3.11/slim-bookworm/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ 
@@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.11/slim-bullseye/Dockerfile b/3.11/slim-bullseye/Dockerfile index 4a5fdd620..ffc5971dd 100644 --- a/3.11/slim-bullseye/Dockerfile +++ b/3.11/slim-bullseye/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY A035C8C19219BA821ECEA86B64E628F8D684696D ENV PYTHON_VERSION 3.11.10 +ENV PYTHON_SHA256 07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372 RUN set -eux; \ \ @@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/alpine3.19/Dockerfile b/3.12/alpine3.19/Dockerfile index c2784b6e1..7cfbf1d31 100644 --- a/3.12/alpine3.19/Dockerfile +++ b/3.12/alpine3.19/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ 
@@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/alpine3.20/Dockerfile b/3.12/alpine3.20/Dockerfile index bee89fc88..9a984f575 100644 --- a/3.12/alpine3.20/Dockerfile +++ b/3.12/alpine3.20/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/bookworm/Dockerfile b/3.12/bookworm/Dockerfile index 5677e4af5..40a5e46ce 100644 --- a/3.12/bookworm/Dockerfile +++ b/3.12/bookworm/Dockerfile 
@@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/bullseye/Dockerfile b/3.12/bullseye/Dockerfile index cc136ec99..a0c98d45a 100644 --- a/3.12/bullseye/Dockerfile +++ b/3.12/bullseye/Dockerfile @@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/slim-bookworm/Dockerfile b/3.12/slim-bookworm/Dockerfile index 59ff54284..0fb84592f 100644 --- a/3.12/slim-bookworm/Dockerfile +++ b/3.12/slim-bookworm/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ 
@@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/slim-bullseye/Dockerfile b/3.12/slim-bullseye/Dockerfile index 12414e84d..34761e37e 100644 --- a/3.12/slim-bullseye/Dockerfile +++ b/3.12/slim-bullseye/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550 RUN set -eux; \ \ @@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.12/windows/windowsservercore-1809/Dockerfile b/3.12/windows/windowsservercore-1809/Dockerfile index 6141b6936..1c85224d0 100644 --- a/3.12/windows/windowsservercore-1809/Dockerfile +++ b/3.12/windows/windowsservercore-1809/Dockerfile 
@@ -12,12 +12,19 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 1206721601a62c925d4e4a0dcfc371e88f2ddbe8c0c07962ebb2be9b5bde4570 RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ + \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui $exitCode = (Start-Process python.exe -Wait -NoNewWindow -PassThru \ diff --git a/3.12/windows/windowsservercore-ltsc2022/Dockerfile b/3.12/windows/windowsservercore-ltsc2022/Dockerfile index 0c79621e4..d8af8a47c 100644 --- a/3.12/windows/windowsservercore-ltsc2022/Dockerfile +++ b/3.12/windows/windowsservercore-ltsc2022/Dockerfile 
@@ -12,12 +12,19 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION 3.12.7 +ENV PYTHON_SHA256 1206721601a62c925d4e4a0dcfc371e88f2ddbe8c0c07962ebb2be9b5bde4570 RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ + \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui $exitCode = (Start-Process python.exe -Wait -NoNewWindow -PassThru \ diff --git a/3.13/alpine3.19/Dockerfile b/3.13/alpine3.19/Dockerfile index 0895e5cd3..814a33818 100644 --- a/3.13/alpine3.19/Dockerfile +++ b/3.13/alpine3.19/Dockerfile @@ -18,6 +18,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ @@ -53,6 +54,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/alpine3.20/Dockerfile b/3.13/alpine3.20/Dockerfile index afd49db9a..dd8642626 100644 --- a/3.13/alpine3.20/Dockerfile +++ b/3.13/alpine3.20/Dockerfile 
@@ -18,6 +18,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ @@ -53,6 +54,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/bookworm/Dockerfile b/3.13/bookworm/Dockerfile index 58bdbf4f1..93cacf9af 100644 --- a/3.13/bookworm/Dockerfile +++ b/3.13/bookworm/Dockerfile @@ -21,10 +21,12 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/bullseye/Dockerfile b/3.13/bullseye/Dockerfile index f334cc74c..9d4aab748 100644 --- a/3.13/bullseye/Dockerfile +++ b/3.13/bullseye/Dockerfile 
@@ -21,10 +21,12 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/slim-bookworm/Dockerfile b/3.13/slim-bookworm/Dockerfile index 9237983f0..6573d6f94 100644 --- a/3.13/slim-bookworm/Dockerfile +++ b/3.13/slim-bookworm/Dockerfile @@ -21,6 +21,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ @@ -51,6 +52,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/slim-bullseye/Dockerfile b/3.13/slim-bullseye/Dockerfile index 2b2b11c64..55795e1da 100644 --- a/3.13/slim-bullseye/Dockerfile +++ b/3.13/slim-bullseye/Dockerfile @@ -21,6 +21,7 @@ RUN set -eux; \ ENV GPG_KEY 7169605F62C751356D054A26A821E680E5FA6305 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d RUN set -eux; \ \ 
@@ -51,6 +52,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.13/windows/windowsservercore-1809/Dockerfile b/3.13/windows/windowsservercore-1809/Dockerfile index c15287f91..99eb4c5f4 100644 --- a/3.13/windows/windowsservercore-1809/Dockerfile +++ b/3.13/windows/windowsservercore-1809/Dockerfile @@ -12,12 +12,19 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 78156ad0cf0ec4123bfb5333b40f078596ebf15f2d062a10144863680afbdefc RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ + \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui $exitCode = (Start-Process python.exe -Wait -NoNewWindow -PassThru \ diff --git a/3.13/windows/windowsservercore-ltsc2022/Dockerfile b/3.13/windows/windowsservercore-ltsc2022/Dockerfile index 4977b3983..99ba51773 100644 --- a/3.13/windows/windowsservercore-ltsc2022/Dockerfile +++ b/3.13/windows/windowsservercore-ltsc2022/Dockerfile 
@@ -12,12 +12,19 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION 3.13.0 +ENV PYTHON_SHA256 78156ad0cf0ec4123bfb5333b40f078596ebf15f2d062a10144863680afbdefc RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ + \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui $exitCode = (Start-Process python.exe -Wait -NoNewWindow -PassThru \ diff --git a/3.9/alpine3.19/Dockerfile b/3.9/alpine3.19/Dockerfile index 8632c56f2..1163933f8 100644 --- a/3.9/alpine3.19/Dockerfile +++ b/3.9/alpine3.19/Dockerfile @@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/alpine3.20/Dockerfile b/3.9/alpine3.20/Dockerfile index 91044e1a8..00a3b9a64 100644 --- a/3.9/alpine3.20/Dockerfile +++ b/3.9/alpine3.20/Dockerfile 
@@ -23,6 +23,7 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ @@ -58,6 +59,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/bookworm/Dockerfile b/3.9/bookworm/Dockerfile index fe0ba4cee..9180a988e 100644 --- a/3.9/bookworm/Dockerfile +++ b/3.9/bookworm/Dockerfile @@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/bullseye/Dockerfile b/3.9/bullseye/Dockerfile index fbe07aa6e..816a80ba8 100644 --- a/3.9/bullseye/Dockerfile +++ b/3.9/bullseye/Dockerfile 
@@ -26,10 +26,12 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/slim-bookworm/Dockerfile b/3.9/slim-bookworm/Dockerfile index b29051af5..f6c0daa43 100644 --- a/3.9/slim-bookworm/Dockerfile +++ b/3.9/slim-bookworm/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ @@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/3.9/slim-bullseye/Dockerfile b/3.9/slim-bullseye/Dockerfile index 956ede228..37ce11eb8 100644 --- a/3.9/slim-bullseye/Dockerfile +++ b/3.9/slim-bullseye/Dockerfile @@ -26,6 +26,7 @@ RUN set -eux; \ ENV GPG_KEY E3FF2839C048B25C084DEBE9B26995E310250568 ENV PYTHON_VERSION 3.9.20 +ENV PYTHON_SHA256 6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c RUN set -eux; \ \ 
@@ -56,6 +57,7 @@ RUN set -eux; \ ; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/Dockerfile-linux.template b/Dockerfile-linux.template index 3b87b10ab..02f1c9ad6 100644 --- a/Dockerfile-linux.template +++ b/Dockerfile-linux.template @@ -75,6 +75,9 @@ ENV GPG_KEY {{ }[rcVersion] }} ENV PYTHON_VERSION {{ .version }} +{{ if .checksums.source.sha256 then ( -}} +ENV PYTHON_SHA256 {{ .checksums.source.sha256 }} +{{ ) else "" end -}} RUN set -eux; \ \ @@ -139,6 +142,9 @@ RUN set -eux; \ \ {{ ) else "" end -}} wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ +{{ if .checksums.source.sha256 then ( -}} + echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ +{{ ) else "" end -}} wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ diff --git a/Dockerfile-windows.template b/Dockerfile-windows.template index 78d5aaa9d..a564f29de 100644 --- a/Dockerfile-windows.template +++ b/Dockerfile-windows.template 
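Review bot: The checksum step in Dockerfile-linux.template fails open: both added blocks are wrapped in `{{ if .checksums.source.sha256 then ( -}}` … `{{ ) else "" end -}}`, so a version with no checksum in versions.json renders a Dockerfile without the `sha256sum -c` line and with no sign that it was dropped. The same guard wraps the check in Dockerfile-windows.template (`.checksums.windows.sha256`). If a missing checksum is only meant to be tolerated temporarily, I would make it loud, e.g. change the `else ""` branch to `else error("missing source sha256 for " + .version) end`, or have versions.sh refuse to write an entry without one (its hunk is not visible here, so it may already do so). The pinned value is presumably fetched from the same host as the tarball, so it detects later changes to the artifact rather than proving origin; a short template comment saying so would help readers.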
@@ -6,11 +6,22 @@ SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPref ENV PYTHONIOENCODING UTF-8 ENV PYTHON_VERSION {{ .version }} +{{ if .checksums.windows.sha256 then ( -}} +ENV PYTHON_SHA256 {{ .checksums.windows.sha256 }} +{{ ) else "" end -}} RUN $url = ('https://www.python.org/ftp/python/{0}/python-{1}-amd64.exe' -f ($env:PYTHON_VERSION -replace '[a-z]+[0-9]*$', ''), $env:PYTHON_VERSION); \ Write-Host ('Downloading {0} ...' -f $url); \ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \ Invoke-WebRequest -Uri $url -OutFile 'python.exe'; \ +{{ if .checksums.windows.sha256 then ( -}} + \ + Write-Host ('Verifying sha256 ({0}) ...' -f $env:PYTHON_SHA256); \ + if ((Get-FileHash python.exe -Algorithm sha256).Hash -ne $env:PYTHON_SHA256) { \ + Write-Host 'FAILED!'; \ + exit 1; \ + }; \ +{{ ) else "" end -}} \ Write-Host 'Installing ...'; \ # https://docs.python.org/3/using/windows.html#installing-without-ui diff --git a/versions.json b/versions.json index d2b47f5d1..24e297545 100644 --- a/versions.json +++ b/versions.json @@ -1,5 +1,10 @@ { "3.10": { + "checksums": { + "source": { + "sha256": "aab0950817735172601879872d937c1e4928a57c409ae02369ec3d91dccebe79" + } + }, "setuptools": { "version": "65.5.1" }, @@ -14,6 +19,11 @@ "version": "3.10.15" }, "3.11": { + "checksums": { + "source": { + "sha256": "07a4356e912900e61a15cb0949a06c4a05012e213ecd6b4e84d0f67aabbee372" + } + }, "setuptools": { "version": "65.5.1" }, @@ -28,6 +38,14 @@ "version": "3.11.10" }, "3.12": { + "checksums": { + "source": { + "sha256": "24887b92e2afd4a2ac602419ad4b596372f67ac9b077190f459aba390faf5550" + }, + "windows": { + "sha256": "1206721601a62c925d4e4a0dcfc371e88f2ddbe8c0c07962ebb2be9b5bde4570" + } + }, "variants": [ "bookworm", "slim-bookworm", 
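Review bot: The hash check in this template is rendered only when `.checksums.windows.sha256` is present, so a version whose checksum lookup came back empty yields a Dockerfile that installs `python.exe` with no integrity check and no signal that verification was skipped. The Linux template uses the same conditional but still has the GPG signature check after the download; nothing else visible in this hunk verifies the Windows installer. I would fail generation rather than render an empty branch, for example `{{ ) else error("missing windows sha256 for " + .version) end -}}` (assuming the template engine passes jq's `error` through). Alternatively, `versions.sh` could refuse to set `hasWindows` when no checksum was recorded.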
@@ -41,6 +59,14 @@ "version": "3.12.7" }, "3.13": { + "checksums": { + "source": { + "sha256": "086de5882e3cb310d4dca48457522e2e48018ecd43da9cdf827f6a0759efb07d" + }, + "windows": { + "sha256": "78156ad0cf0ec4123bfb5333b40f078596ebf15f2d062a10144863680afbdefc" + } + }, "variants": [ "bookworm", "slim-bookworm", @@ -54,6 +80,11 @@ "version": "3.13.0" }, "3.9": { + "checksums": { + "source": { + "sha256": "6b281279efd85294d2d6993e173983a57464c0133956fbbb5536ec9646beaf0c" + } + }, "setuptools": { "version": "58.1.0" }, diff --git a/versions.sh b/versions.sh index c4fef9a9a..53c0498c4 100755 --- a/versions.sh +++ b/versions.sh 
@@ -13,24 +13,64 @@ else fi versions=( "${versions[@]%/}" ) -has_linux_version() { - local dir="$1"; shift +declare -A checksums=() +check_file() { local dirVersion="$1"; shift local fullVersion="$1"; shift + local type="${1:-source}" # "source" or "windows" - if ! wget -q -O /dev/null -o /dev/null --spider "https://www.python.org/ftp/python/$dirVersion/Python-$fullVersion.tar.xz"; then - return 1 + local filename="Python-$fullVersion.tar.xz" + if [ "$type" = 'windows' ]; then + filename="python-$fullVersion-amd64.exe" + fi + local url="https://www.python.org/ftp/python/$dirVersion/$filename" + + local sigstore + if sigstore="$( + wget -qO- -o/dev/null "$url.sigstore" \ + | jq -r ' + .messageSignature.messageDigest + | if .algorithm != "SHA2_256" then + error("sigstore bundle not using SHA2_256") + else .digest end + ' + )" && [ -n "$sigstore" ]; then + sigstore="$(base64 -d <<<"$sigstore" | hexdump -ve '/1 "%02x"')" + checksums["$fullVersion"]="$(jq <<<"${checksums["$fullVersion"]:-null}" --arg type "$type" --arg sha256 "$sigstore" '.[$type].sha256 = $sha256')" + return 0 fi - return 0 -} - -has_windows_version() { - local dir="$1"; shift - local dirVersion="$1"; shift - local fullVersion="$1"; shift + # TODO is this even necessary/useful? the sigstore-based version above is *much* faster, supports all current versions (not just 3.12+ like this), *and* should be more reliable 🤔 + local sbom + if sbom="$( + wget -qO- -o/dev/null "$url.spdx.json" \ + | jq --arg filename "$filename" ' + first( + .packages[] + | select( + .name == "CPython" + and .packageFileName == $filename + ) + ) + | .checksums + | map({ + key: (.algorithm // empty | ascii_downcase), + value: (.checksumValue // empty), + }) + | if length < 1 then + error("no checksums found for \($filename)") + else . end + | from_entries + | if has("sha256") then . 
else + error("missing sha256 for \($filename); have \(.)") + end + ' + )" && [ -n "sbom" ]; then + checksums["$fullVersion"]="$(jq <<<"${checksums["$fullVersion"]:-null}" --arg type "$type" --argjson sums "$sbom" '.[$type] += $sums')" + return 0 + fi - if ! wget -q -O /dev/null -o /dev/null --spider "https://www.python.org/ftp/python/$dirVersion/python-$fullVersion-amd64.exe"; then + if ! wget -q -O /dev/null -o /dev/null --spider "$url"; then return 1 fi @@ -68,9 +108,9 @@ for version in "${versions[@]}"; do rcPossible="${possible%%[a-z]*}" # varnish is great until it isn't (usually the directory listing we scrape below is updated/uncached significantly later than the release being available) - if has_linux_version "$version" "$rcPossible" "$possible"; then + if check_file "$rcPossible" "$possible"; then fullVersion="$possible" - if has_windows_version "$version" "$rcPossible" "$possible"; then + if check_file "$rcPossible" "$possible" windows; then hasWindows=1 fi break @@ -89,9 +129,9 @@ for version in "${versions[@]}"; do || true ) ) for possibleVersion in "${possibleVersions[@]}"; do - if has_linux_version "$version" "$rcPossible" "$possibleVersion"; then + if check_file "$rcPossible" "$possibleVersion"; then fullVersion="$possibleVersion" - if has_windows_version "$version" "$rcPossible" "$possible"; then + if check_file "$rcPossible" "$possible" windows; then hasWindows=1 fi break @@ -150,8 +190,8 @@ for version in "${versions[@]}"; do echo "$version: $fullVersion" export fullVersion pipVersion setuptoolsVersion hasWindows - json="$(jq <<<"$json" -c ' - .[env.version] = { + doc="$(jq -nc ' + { version: env.fullVersion, variants: [ ( 
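Review bot: The SBOM fallback in `check_file` tests `[ -n "sbom" ]`, a literal string that is always non-empty, so an empty result is not filtered out as it is in the sigstore branch. It should read `)" && [ -n "$sbom" ]; then`. With the current test, an empty `$sbom` would reach `jq --argjson sums "$sbom"`, which fails on empty input, and depending on the shell options set outside this hunk that either aborts the update or leaves the checksum unset. Separately, the digest is read from the `.sigstore` bundle without verifying the bundle's signature, so the pinned value is only as trustworthy as the HTTPS fetch at update time. A comment above the sigstore branch such as `# NOTE: digest is taken from the bundle as-is; the bundle signature is not verified here` would make that explicit. The closing lines of `check_file` fall outside the hunk.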
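Review bot: In the fallback loop of the `@@ -89,9 +129,9 @@` hunk the Windows probe still passes `$possible` rather than `$possibleVersion`: `if check_file "$rcPossible" "$possible" windows; then`. This appears to be carried over from the removed `has_windows_version` call, but it matters more now. `check_file` stores the digest under `checksums["$possible"]`, while the later lookup uses `checksums["$fullVersion"]`, and `fullVersion` has just been set to `$possibleVersion`. When the two differ, the Windows sha256 would be missing from `versions.json` and the Windows template would silently render without its hash check. The line should be `if check_file "$rcPossible" "$possibleVersion" windows; then`.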
@@ -178,6 +218,12 @@ for version in "${versions[@]}"; do }, } else {} end ')" + + if [ -n "${checksums["$fullVersion"]:-}" ]; then + doc="$(jq <<<"$doc" -c --argjson checksums "${checksums["$fullVersion"]}" '.checksums = $checksums')" + fi + + json="$(jq <<<"$json" -c --argjson doc "$doc" '.[env.version] = $doc')" done jq <<<"$json" -S . > versions.json pFad - Phonifier reborn
