&& apt-get update \
&& apt-get install -y openssl --no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
+ # smoke test
+ && openssl version \
&& useradd --home-dir ${USER_HOME_DIR} \
--create-home \
--shell /bin/bash \
&& java --version
ARG MAVEN_VERSION=3.8.6
-ARG SHA=f790857f3b1f90ae8d16281f902c689e4f136ebe584aba45e4b1fa66c80cba826d3e0e52fdd04ed44b4c66f6d3fe3584a057c26dfcac544a60b301e6d0f91c26
-ARG BASE_URL=https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries
+ARG BASE_URL=https://downloads.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
ENV MAVEN_HOME /usr/share/maven
ENV M2_HOME ${MAVEN_HOME}
RUN set -ex \
&& apt-get update \
- && apt-get install -y ca-certificates curl procps --no-install-recommends \
+ && apt-get install -y ca-certificates curl gnupg dirmngr --no-install-recommends \
&& rm -rf /var/lib/apt/lists/* \
+ && curl -fsSL --compressed https://downloads.apache.org/maven/KEYS | gpg --import \
+ && curl -fsSLO --compressed ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+ && curl -fsSLO --compressed ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc \
+ && gpg --batch --verify apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \
&& mkdir -p ${MAVEN_HOME} ${MAVEN_HOME}/ref \
- && curl -fsSL -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
- && echo "${SHA} /tmp/apache-maven.tar.gz" | sha512sum -c - \
- && tar -xzf /tmp/apache-maven.tar.gz -C ${MAVEN_HOME} --strip-components=1 \
- && rm -f /tmp/apache-maven.tar.gz \
+ && tar -xzf apache-maven-${MAVEN_VERSION}-bin.tar.gz -C ${MAVEN_HOME} --strip-components=1 \
+ && rm -f apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+ && chmod --recursive a+w ${MAVEN_HOME}/conf/* \
&& ln -s ${MAVEN_HOME}/bin/mvn /usr/bin/mvn \
- && chmod --recursive a+w "${MAVEN_HOME}"/conf/* \
- && apt-get remove --purge --autoremove -y ca-certificates curl \
+ && apt-get remove --purge --autoremove -y ca-certificates curl gnupg dirmngr \
# smoke test
&& mvn --version
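Review bot: Dropping the pinned `ARG SHA` / `sha512sum -c` check leaves the tarball's authenticity resting entirely on `https://downloads.apache.org/maven/KEYS`, which is fetched at build time from the same host as the tarball and its `.asc`; `gpg --batch --verify` accepts a signature from any key in that file, so anyone able to alter that origin's content can replace all three together. Keep the digest check next to the signature check, or verify against a signer fingerprint pinned in the repository rather than a keyring downloaded during the build. The import also goes into the default keyring (presumably under the build user's home), which neither the `rm -f` line nor the package purge removes, so it stays in the layer; wrapping the gpg steps with `export GNUPGHOME="$(mktemp -d)"` and a final `rm -rf "$GNUPGHOME"` would avoid that. Separately, `chmod --recursive a+w ${MAVEN_HOME}/conf/*` lost its quoting in the move and still leaves the Maven configuration world-writable, which deserves a comment saying why it is needed.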
-ARG MBT_VERSION=1.2.18
+ARG MBT_VERSION=1.2.19
RUN set -ex \
&& npm install -g --unsafe-perm mbt@${MBT_VERSION} \
## Diff from [devxci](https://github.com/SAP/cloud-mta-build-tool)
-* latest versions of node16/sapmachine/maven
+* latest versions of node/sapmachine/maven
* python 2->3
-* source integrity, source authentication, etc.
-* build debug logs
+* SAP security policy compliance: binaries authentication and integrity check
+* build debug
+* build stopped at any error => no corrupted images can be pushed
* smoke tests
-* version handling compliant with renovate for automated upgrade
Ref: https://github.com/SAP/cloud-mta-build-tool#the-cloud-mta-build-tool-images-deprecated