From b460335446e73bb38d8362eba7b8cc8813f90d96 Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=B4me=20Benoit?=
Date: Mon, 31 Oct 2022 10:26:28 +0100
Subject: [PATCH] [Security] authenticate maven binary
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jérôme Benoit
---
 .vscode/settings.json | 8 +++++++-
 .xmake.cfg | 2 +-
 Dockerfile | 23 +++++++++++++----------
 README.md | 8 ++++----
 4 files changed, 25 insertions(+), 16 deletions(-)

diff --git a/.vscode/settings.json b/.vscode/settings.json
index eb3d18b..ece8485 100644
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,11 @@
 {
 "editor.codeActionsOnSave": {
 "source.fixAll": true
- }
+ },
+ "cSpell.words": [
+ "ifeq",
+ "OPTARG",
+ "SAPMACHINE",
+ "xmake"
+ ]
 }
diff --git a/.xmake.cfg b/.xmake.cfg
index 412b278..556ae78 100644
--- a/.xmake.cfg
+++ b/.xmake.cfg
@@ -1,5 +1,5 @@
 [xmake]
-version=1.0.3
+version=1.0.4
 # https://github.wdf.sap.corp/pages/xmake-ci/User-Guide/Setting_up_a_Build/Release_Procedure/Release_Versions/
 [buildplugin]
diff --git a/Dockerfile b/Dockerfile
index fd92977..6a4fb36 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,6 +8,8 @@ RUN set -ex \
 && apt-get update \
 && apt-get install -y openssl --no-install-recommends \
 && rm -rf /var/lib/apt/lists/* \
+ # smoke test
+ && openssl version \
 && useradd --home-dir ${USER_HOME_DIR} \
 --create-home \
 --shell /bin/bash \
@@ -132,28 +134,29 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
 && java --version
 ARG MAVEN_VERSION=3.8.6
-ARG SHA=f790857f3b1f90ae8d16281f902c689e4f136ebe584aba45e4b1fa66c80cba826d3e0e52fdd04ed44b4c66f6d3fe3584a057c26dfcac544a60b301e6d0f91c26
-ARG BASE_URL=https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries
+ARG BASE_URL=https://downloads.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
 ENV MAVEN_HOME /usr/share/maven
 ENV M2_HOME ${MAVEN_HOME}
 RUN set -ex \
 && apt-get update \
- && apt-get install -y ca-certificates curl procps --no-install-recommends \
+ && apt-get install -y ca-certificates curl gnupg dirmngr --no-install-recommends \
 && rm -rf /var/lib/apt/lists/* \
+ && curl -fsSL --compressed https://downloads.apache.org/maven/KEYS | gpg --import \
+ && curl -fsSLO --compressed ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+ && curl -fsSLO --compressed ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc \
+ && gpg --batch --verify apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \
 && mkdir -p ${MAVEN_HOME} ${MAVEN_HOME}/ref \
- && curl -fsSL -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
- && echo "${SHA} /tmp/apache-maven.tar.gz" | sha512sum -c - \
- && tar -xzf /tmp/apache-maven.tar.gz -C ${MAVEN_HOME} --strip-components=1 \
- && rm -f /tmp/apache-maven.tar.gz \
+ && tar -xzf apache-maven-${MAVEN_VERSION}-bin.tar.gz -C ${MAVEN_HOME} --strip-components=1 \
+ && rm -f apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+ && chmod --recursive a+w ${MAVEN_HOME}/conf/* \
 && ln -s ${MAVEN_HOME}/bin/mvn /usr/bin/mvn \
- && chmod --recursive a+w "${MAVEN_HOME}"/conf/* \
- && apt-get remove --purge --autoremove -y ca-certificates curl \
+ && apt-get remove --purge --autoremove -y ca-certificates curl gnupg dirmngr \
 # smoke test
 && mvn --version
-ARG MBT_VERSION=1.2.18
+ARG MBT_VERSION=1.2.19
 RUN set -ex \
 && npm install -g --unsafe-perm mbt@${MBT_VERSION} \
diff --git a/README.md b/README.md
index 14bba50..b5c8cab 100644
--- a/README.md
+++ b/README.md
@@ -2,12 +2,12 @@ ## Diff from [devxci](https://github.com/SAP/cloud-mta-build-tool)
-* latest versions of node16/sapmachine/maven
+* latest versions of node/sapmachine/maven
 * python 2->3
-* source integrity, source authentication, etc.
-* build debug logs
+* SAP security policy compliance: binaries authentication and integrity check
+* build debug
+* build stopped at any error => no corrupted images can be pushed
 * smoke tests
-* version handling compliant with renovate for automated upgrade
 Ref: https://github.com/SAP/cloud-mta-build-tool#the-cloud-mta-build-tool-images-deprecated
-- 
2.34.1
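Review bot: The new `gpg --batch --verify …` line accepts a signature from any key in the keyring, and that keyring is populated from `https://downloads.apache.org/maven/KEYS`, the same origin the tarball itself is fetched from, so the check does not pin which key must have signed the release; gpg also exits 0 for a good signature from a key it does not trust. At the same time the hunk drops the `ARG SHA=…` / `sha512sum -c` pin, so the build no longer has an origin-independent check on the exact bytes that get installed. Keep the SHA-512 check and additionally pin the expected release-signing fingerprint (a build ARG compared against gpg's `VALIDSIG` status line), as sketched below. Two smaller points: `curl … | gpg --import` runs without `pipefail`, so a failed KEYS download is only caught indirectly when the later verify fails, and the imported keyring stays in the image layer unless `~/.gnupg` is removed together with the tarball.
```dockerfile
ARG MAVEN_VERSION=3.8.6
# fingerprint of the Maven release-signing key; placeholder, fill in from a trusted out-of-band source
ARG MAVEN_GPG_FINGERPRINT=<MAVEN_RELEASE_KEY_FINGERPRINT>
ARG SHA=f790857f3b1f90ae8d16281f902c689e4f136ebe584aba45e4b1fa66c80cba826d3e0e52fdd04ed44b4c66f6d3fe3584a057c26dfcac544a60b301e6d0f91c26
# … unchanged: BASE_URL, ENV, apt-get install, KEYS import, tarball and .asc download …
    && gpg --batch --status-fd 1 --verify apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \
       | grep -q "VALIDSIG.*${MAVEN_GPG_FINGERPRINT}" \
    && echo "${SHA} apache-maven-${MAVEN_VERSION}-bin.tar.gz" | sha512sum -c - \
    && rm -rf "${HOME}/.gnupg" \
# … unchanged: mkdir, tar, rm, chmod, ln, apt-get remove, smoke test …
```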