Add SHA256 checksum verification for downloaded binaries (#521)

bartlomieju · claude · web-flow · commit 05bc54294bc1 · 2026-03-25T08:45:16.000+01:00
Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/alpine.dockerfile b/alpine.dockerfile
@@ -11,7 +11,12 @@ ARG TINI_VERSION=0.19.0
 ARG TARGETARCH
 
 RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH} \
-    --output /tini \
+    --output /tini-${TARGETARCH} \
+  && curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH}.sha256sum \
+    --output /tini-${TARGETARCH}.sha256sum \
+  && cd / && sha256sum -c tini-${TARGETARCH}.sha256sum \
+  && mv /tini-${TARGETARCH} /tini \
+  && rm /tini-${TARGETARCH}.sha256sum \
   && chmod +x /tini
 
 FROM gcr.io/distroless/cc@sha256:66d87e170bc2c5e2b8cf853501141c3c55b4e502b8677595c57534df54a68cc5 as cc
diff --git a/bin.dockerfile b/bin.dockerfile
@@ -11,10 +11,15 @@ RUN export DEBIAN_FRONTEND=noninteractive \
 ARG DENO_VERSION
 ARG TARGETARCH
 
-RUN curl -fsSL https://dl.deno.land/release/v${DENO_VERSION}/deno-$(echo $TARGETARCH | sed -e 's/arm64/aarch64/' -e 's/amd64/x86_64/')-unknown-linux-gnu.zip \
-    --output deno.zip \
-  && unzip deno.zip \
-  && rm deno.zip \
+RUN export DENO_TARGET=$(echo $TARGETARCH | sed -e 's/arm64/aarch64/' -e 's/amd64/x86_64/') \
+  && export DENO_ZIP=deno-${DENO_TARGET}-unknown-linux-gnu.zip \
+  && curl -fsSL https://dl.deno.land/release/v${DENO_VERSION}/${DENO_ZIP} \
+    --output ${DENO_ZIP} \
+  && curl -fsSL https://dl.deno.land/release/v${DENO_VERSION}/${DENO_ZIP}.sha256sum \
+    --output ${DENO_ZIP}.sha256sum \
+  && sha256sum -c ${DENO_ZIP}.sha256sum \
+  && unzip ${DENO_ZIP} \
+  && rm ${DENO_ZIP} ${DENO_ZIP}.sha256sum \
   && chmod 755 deno
 
 
diff --git a/debian.dockerfile b/debian.dockerfile
@@ -11,7 +11,12 @@ ARG TINI_VERSION=0.19.0
 ARG TARGETARCH
 
 RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH} \
-    --output /tini \
+    --output /tini-${TARGETARCH} \
+  && curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH}.sha256sum \
+    --output /tini-${TARGETARCH}.sha256sum \
+  && cd / && sha256sum -c tini-${TARGETARCH}.sha256sum \
+  && mv /tini-${TARGETARCH} /tini \
+  && rm /tini-${TARGETARCH}.sha256sum \
   && chmod +x /tini
 
 
diff --git a/distroless.dockerfile b/distroless.dockerfile
@@ -11,7 +11,12 @@ ARG TINI_VERSION=0.19.0
 ARG TARGETARCH
 
 RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH} \
-    --output /tini \
+    --output /tini-${TARGETARCH} \
+  && curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH}.sha256sum \
+    --output /tini-${TARGETARCH}.sha256sum \
+  && cd / && sha256sum -c tini-${TARGETARCH}.sha256sum \
+  && mv /tini-${TARGETARCH} /tini \
+  && rm /tini-${TARGETARCH}.sha256sum \
   && chmod +x /tini
 
 
diff --git a/ubuntu.dockerfile b/ubuntu.dockerfile
@@ -11,7 +11,12 @@ ARG TINI_VERSION=0.19.0
 ARG TARGETARCH
 
 RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH} \
-    --output /tini \
+    --output /tini-${TARGETARCH} \
+  && curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH}.sha256sum \
+    --output /tini-${TARGETARCH}.sha256sum \
+  && cd / && sha256sum -c tini-${TARGETARCH}.sha256sum \
+  && mv /tini-${TARGETARCH} /tini \
+  && rm /tini-${TARGETARCH}.sha256sum \
   && chmod +x /tini
 
 
