Add SHA256 checksum verification for downloaded binaries

bartlomieju · claude · bartlomieju · commit 14444a52b9d2 · 2026-03-19T13:05:25.000+01:00
Verify integrity of the Deno binary (bin.dockerfile) and tini binary (alpine, ubuntu, debian, distroless) using upstream .sha256sum files. This is a requirement for docker-library/official-images inclusion. Closes #162 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/alpine.dockerfile b/alpine.dockerfile
@@ -12,6 +12,10 @@ ARG TARGETARCH
 
 RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH} \
     --output /tini \
+  && curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH}.sha256sum \
+    --output /tini.sha256sum \
+  && cd / && sha256sum -c tini.sha256sum \
+  && rm /tini.sha256sum \
   && chmod +x /tini
 
 FROM gcr.io/distroless/cc@sha256:66d87e170bc2c5e2b8cf853501141c3c55b4e502b8677595c57534df54a68cc5 as cc
diff --git a/bin.dockerfile b/bin.dockerfile
@@ -11,10 +11,14 @@ RUN export DEBIAN_FRONTEND=noninteractive \
 ARG DENO_VERSION
 ARG TARGETARCH
 
-RUN curl -fsSL https://dl.deno.land/release/v${DENO_VERSION}/deno-$(echo $TARGETARCH | sed -e 's/arm64/aarch64/' -e 's/amd64/x86_64/')-unknown-linux-gnu.zip \
+RUN export DENO_TARGET=$(echo $TARGETARCH | sed -e 's/arm64/aarch64/' -e 's/amd64/x86_64/') \
+  && curl -fsSL https://dl.deno.land/release/v${DENO_VERSION}/deno-${DENO_TARGET}-unknown-linux-gnu.zip \
     --output deno.zip \
+  && curl -fsSL https://dl.deno.land/release/v${DENO_VERSION}/deno-${DENO_TARGET}-unknown-linux-gnu.zip.sha256sum \
+    --output deno.zip.sha256sum \
+  && sha256sum -c deno.zip.sha256sum \
   && unzip deno.zip \
-  && rm deno.zip \
+  && rm deno.zip deno.zip.sha256sum \
   && chmod 755 deno
 
 
diff --git a/debian.dockerfile b/debian.dockerfile
@@ -12,6 +12,10 @@ ARG TARGETARCH
 
 RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH} \
     --output /tini \
+  && curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH}.sha256sum \
+    --output /tini.sha256sum \
+  && cd / && sha256sum -c tini.sha256sum \
+  && rm /tini.sha256sum \
   && chmod +x /tini
 
 
diff --git a/distroless.dockerfile b/distroless.dockerfile
@@ -12,6 +12,10 @@ ARG TARGETARCH
 
 RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH} \
     --output /tini \
+  && curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH}.sha256sum \
+    --output /tini.sha256sum \
+  && cd / && sha256sum -c tini.sha256sum \
+  && rm /tini.sha256sum \
   && chmod +x /tini
 
 
diff --git a/ubuntu.dockerfile b/ubuntu.dockerfile
@@ -12,6 +12,10 @@ ARG TARGETARCH
 
 RUN curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH} \
     --output /tini \
+  && curl -fsSL https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-${TARGETARCH}.sha256sum \
+    --output /tini.sha256sum \
+  && cd / && sha256sum -c tini.sha256sum \
+  && rm /tini.sha256sum \
   && chmod +x /tini
 
 
