Add hash checks to downloaded source files

Add hash checks to downloaded source files

  • We already had a hash check in place for Redis, but nowhere else.
diff --git a/image/base/install-gifsicle b/image/base/install-gifsicle
index 4d3f0e2..8813eff 100755
--- a/image/base/install-gifsicle
+++ b/image/base/install-gifsicle
@@ -1,8 +1,15 @@
 #!/bin/bash
 set -e
+
+# version check: https://www.lcdf.org/gifsicle/
 VERSION=1.92
+HASH="5ab556c01d65fddf980749e3ccf50b7fd40de738b6df679999294cc5fabfce65"
+
 cd /tmp
 curl -O http://www.lcdf.org/gifsicle/gifsicle-$VERSION.tar.gz
+sha256sum gifsicle-$VERSION.tar.gz
+echo "$HASH gifsicle-$VERSION.tar.gz" | sha256sum -c
+
 tar zxf gifsicle-$VERSION.tar.gz
 cd gifsicle-$VERSION
 ./configure
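Review bot: The fetch on the `curl -O http://www.lcdf.org/gifsicle/...` line still runs over plain HTTP, so the new `sha256sum -c` is the only thing standing between a network-level tamper and the build, even though the version-check comment added two lines above already points at the HTTPS site. Change it to `curl -fsSLO https://www.lcdf.org/gifsicle/gifsicle-$VERSION.tar.gz` so the transport is authenticated and a 4xx/5xx aborts the script under `set -e` instead of saving an error page that only fails later, less legibly, at the hash check. A one-line provenance comment on `HASH` would also help the next person bumping `VERSION`, e.g. `# sha256 of the upstream tarball as fetched at pin time; re-derive and cross-check against the site when bumping VERSION`, since a hash taken from the same download it protects only detects later changes, not a bad first copy. The `make`/install steps continue past the end of this hunk.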
diff --git a/image/base/install-imagemagick b/image/base/install-imagemagick
index 0be7111..e8debe0 100755
--- a/image/base/install-imagemagick
+++ b/image/base/install-imagemagick
@@ -1,8 +1,13 @@
 #!/bin/bash
-set -o errexit
+set -e
 
+# version check: https://github.com/ImageMagick/ImageMagick/releases
 IMAGE_MAGICK_VERSION="7.0.10-6"
+IMAGE_MAGICK_HASH="37d36f4d736eb16e0dd43c50302e1d01d1bb1125165333df8273508a22f8a64d"
+
+# version check: https://libpng.sourceforge.io/index.html
 LIBPNG_VERSION="1.6.37"
+LIBPNG_HASH="daeb2620d829575513e35fecc83f0d3791a620b9b93d800b763542ece9390fb4"
 
 PREFIX=/usr/local
 WDIR=/tmp/imagemagick
@@ -11,12 +16,13 @@ WDIR=/tmp/imagemagick
 apt -y -q remove imagemagick
 apt -y -q install ghostscript gsfonts pkg-config autoconf libbz2-dev libjpeg-dev libtiff-dev libfreetype6-dev
 
-
 mkdir -p $WDIR
 cd $WDIR
 
 # Build and install libpng
 wget -O $WDIR/libpng.tar.gz https://prdownloads.sourceforge.net/libpng/libpng-$LIBPNG_VERSION.tar.gz?download
+sha256sum $WDIR/libpng.tar.gz
+echo "$LIBPNG_HASH $WDIR/libpng.tar.gz" | sha256sum -c
 
 tar -xzvf $WDIR/libpng.tar.gz
 cd $WDIR/libpng-$LIBPNG_VERSION
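Review bot: The libpng download on the `wget -O $WDIR/libpng.tar.gz https://prdownloads.sourceforge.net/...?download` line goes through SourceForge's redirect-to-mirror scheme, and wget follows whatever scheme the mirror redirect uses, so the request may not stay on HTTPS end to end; the added hash check catches substitution, but the transport is not guaranteed to be authenticated. Adding `--https-only` (GNU wget) to that `wget` call makes a downgrade to a plain-HTTP mirror a hard failure rather than a silent one. The surrounding `$WDIR` expansions are unquoted, which is harmless for the literal `/tmp/imagemagick` set above but worth quoting if `WDIR` is ever made configurable.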
@@ -26,6 +32,8 @@ make all && make install
 
 # Build and install ImageMagick
 wget -O $WDIR/ImageMagick.tar.gz "https://github.com/ImageMagick/ImageMagick/archive/$IMAGE_MAGICK_VERSION.tar.gz"
+sha256sum $WDIR/ImageMagick.tar.gz
+echo "$IMAGE_MAGICK_HASH $WDIR/ImageMagick.tar.gz" | sha256sum -c
 IMDIR=$WDIR/$(tar tzf $WDIR/ImageMagick.tar.gz --wildcards "ImageMagick-*/configure" |cut -d/ -f1)
 tar zxf $WDIR/ImageMagick.tar.gz -C $WDIR
 cd $IMDIR
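Review bot: The `IMAGE_MAGICK_HASH` check pins a GitHub `/archive/$VERSION.tar.gz` export rather than a published release asset, and those archives are generated on request; they have not always been byte-stable across GitHub's own infrastructure changes, so this check can start failing with no upstream change and the tempting fix is to re-pin blindly. Record that caveat next to the check, e.g. `# NOTE: GitHub /archive/ tarballs are generated on demand and are not guaranteed byte-stable; if this fails without a version bump, diff the contents against the tag before re-pinning`, or fetch a release asset that ImageMagick publishes with its own checksum if one exists for this version. The ordering here is right: the hash is verified before the `tar tzf` on the `IMDIR=` line ever reads the archive.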
diff --git a/image/base/install-nginx b/image/base/install-nginx
index 0d2b63e..0211234 100755
--- a/image/base/install-nginx
+++ b/image/base/install-nginx
@@ -1,11 +1,13 @@
 #!/bin/bash
 set -e
-cd /tmp
 
-apt install -y autoconf
+# version check: https://nginx.org/en/download.html
 VERSION=1.17.9
+HASH="7dd65d405c753c41b7fdab9415cfb4bdbaf093ec6d9f7432072d52cb7bcbb689"
 
+apt install -y autoconf
 
+cd /tmp
 git clone https://github.com/bagder/libbrotli
 cd libbrotli
 ./autogen.sh
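Review bot: The `git clone https://github.com/bagder/libbrotli` line, which this hunk moves rather than changes, still fetches whatever that third-party repository's default branch points at today, with no tag, commit or hash, so libbrotli sits outside the integrity guarantee the commit adds for the nginx tarball; a force-push or account takeover there changes what gets linked into nginx. Pin it by adding `git checkout "$LIBBROTLI_COMMIT"` immediately after `cd libbrotli`, with `LIBBROTLI_COMMIT` declared next to `VERSION`/`HASH` at the top of the file and a comment recording how it was chosen. The libbrotli build continues past the end of this hunk.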
@@ -13,21 +15,23 @@ cd libbrotli
 make install
 
 cd /tmp
-
-
-# this is the reason we are compiling by hand...
-git clone https://github.com/google/ngx_brotli.git
-
 curl -O https://nginx.org/download/nginx-$VERSION.tar.gz
+sha256sum nginx-$VERSION.tar.gz
+echo "$HASH nginx-$VERSION.tar.gz" | sha256sum -c
 tar zxf nginx-$VERSION.tar.gz
 cd nginx-$VERSION
 
 # nginx-common for boilerplate files etc.
 apt install -y nginx-common libpcre3 libpcre3-dev zlib1g zlib1g-dev
 
+cd /tmp
+# this is the reason we are compiling by hand...
+git clone https://github.com/google/ngx_brotli.git
 # now ngx_brotli has brotli as a submodule
-cd /tmp/ngx_brotli && git submodule update --init && cd /tmp/nginx-$VERSION
+cd /tmp/ngx_brotli
+git submodule update --init
 
+cd /tmp/nginx-$VERSION
 # ignoring depracations with -Wno-deprecated-declarations while we wait for this https://github.com/google/ngx_brotli/issues/39#issuecomment-254093378
 ./configure --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/tmp/ngx_brotli
 
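Review bot: The `git clone https://github.com/google/ngx_brotli.git` line followed by `git submodule update --init` is still unpinned: both the module and the brotli submodule it pulls in are whatever the default branch currently references, so the hash check added for the nginx tarball does not cover the code compiled in via `--add-module=/tmp/ngx_brotli`. Add `git checkout "$NGX_BROTLI_COMMIT"` right after `cd /tmp/ngx_brotli` and before the `git submodule update --init`, so the submodule pointer is fixed by the checked-out commit as well, with `NGX_BROTLI_COMMIT` declared alongside `VERSION`/`HASH`. The issue link in the `-Wno-deprecated-declarations` comment references an upstream thread; it is worth re-checking it when the pinned commit is bumped, since the workaround may no longer be needed.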
diff --git a/image/base/install-pngcrush b/image/base/install-pngcrush
index a08b2b6..40b8349 100755
--- a/image/base/install-pngcrush
+++ b/image/base/install-pngcrush
@@ -1,8 +1,15 @@
 #!/bin/bash
 set -e
+
+# version check: https://sourceforge.net/projects/pmt/files/pngcrush/
 PNGCRUSH_VERSION=1.8.13
+PNGCRUSH_HASH="bac37d4b2be88d7e88aadcde9661beb3a513a90e7d26784f906c1e2da8ba332e"
+
 cd /tmp
 wget https://sourceforge.net/projects/pmt/files/pngcrush/$PNGCRUSH_VERSION/pngcrush-$PNGCRUSH_VERSION.tar.gz/download -O pngcrush-$PNGCRUSH_VERSION.tar.gz
+sha256sum pngcrush-$PNGCRUSH_VERSION.tar.gz
+echo "$PNGCRUSH_HASH pngcrush-$PNGCRUSH_VERSION.tar.gz" | sha256sum -c
+
 tar zxf pngcrush-$PNGCRUSH_VERSION.tar.gz
 cd pngcrush-$PNGCRUSH_VERSION
 make && cp -f pngcrush /usr/local/bin
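Review bot: The `wget https://sourceforge.net/projects/pmt/files/.../download` line relies on SourceForge's redirect to a mirror, and wget will follow that redirect whatever scheme the mirror uses, so the transfer is not guaranteed to stay on HTTPS; the new `PNGCRUSH_HASH` check catches a substituted archive but not a downgraded one. Pass `--https-only` on that `wget` call so a redirect to plain HTTP fails the script under `set -e` rather than succeeding silently. The unchanged `cp -f pngcrush /usr/local/bin` line overwrites without a version marker, so a short comment such as `# pngcrush-$PNGCRUSH_VERSION, built from the hash-checked tarball above` would help anyone auditing the image later.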
diff --git a/image/base/install-pngquant b/image/base/install-pngquant
index 415648f..ec7bd06 100755
--- a/image/base/install-pngquant
+++ b/image/base/install-pngquant
@@ -1,5 +1,9 @@
 #!/bin/bash
+set -e
+
+# version check: https://pngquant.org/
 VERSION=2.12.5
+
 cd /tmp
 git clone -b $VERSION --single-branch https://github.com/pornel/pngquant
 cd pngquant
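Review bot: The `git clone -b $VERSION --single-branch https://github.com/pornel/pngquant` line pins only a branch/tag name, which is a mutable ref, and no hash is checked, so despite the commit title this source stays unverified; `set -e` being added is good but does not change that. Record the commit the tag resolved to when pinning and assert it after the `cd pngquant`, e.g. `[ "$(git rev-parse HEAD)" = "$PNGQUANT_COMMIT" ] || { echo "pngquant commit mismatch" >&2; exit 1; }`, with `PNGQUANT_COMMIT` declared next to `VERSION`. If pngquant pulls in submodules during its build, those would need the same treatment; that step is outside this hunk, so confirm against the rest of the script.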
diff --git a/image/base/install-redis b/image/base/install-redis
index d6affb3..329dfbd 100755
--- a/image/base/install-redis
+++ b/image/base/install-redis
@@ -1,13 +1,16 @@
 #!/bin/bash
 set -e
+
+# version check: https://redis.io/
 REDIS_VERSION=5.0.5
 REDIS_HASH="2139009799d21d8ff94fc40b7f36ac46699b9e1254086299f8d3b223ca54a375"
 
 cd /tmp
-
 # Prepare Redis source.
 wget http://download.redis.io/releases/redis-$REDIS_VERSION.tar.gz
+sha256sum redis-$REDIS_VERSION.tar.gz
 echo "$REDIS_HASH redis-$REDIS_VERSION.tar.gz" | sha256sum -c
+
 tar zxf redis-$REDIS_VERSION.tar.gz
 cd redis-$REDIS_VERSION
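Review bot: The `wget http://download.redis.io/releases/redis-$REDIS_VERSION.tar.gz` line still uses plain HTTP, so the pre-existing `REDIS_HASH` check is the sole defence against in-transit tampering; switching the URL to `https://` where the host serves it adds transport authentication at no cost. The added `sha256sum redis-$REDIS_VERSION.tar.gz` line is output-only, which is fine for build logs, but a comment such as `# print the observed digest so a mismatch is diagnosable from the build log` would make clear it is not itself a check. The build steps for Redis continue past the end of this hunk.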
 

GitHub sha: 89620297

This commit appears in #461 which was approved by Falco. It was merged by Falco.