From a5a48d27312ece873ebf129493cf92da81ab8b0c Mon Sep 17 00:00:00 2001 From: Dan Carley Date: Fri, 29 Apr 2016 11:04:16 +0100 Subject: [PATCH] Terraform: Validate checksum of downloaded release To ensure that every build gets the exactly the same version/release that we have specified. This will guard against the unlikely events that the release has been updated without changing the version number (accidentally or maliciously) or our download has been MITMed. The checksum has been taken from: - https://releases.hashicorp.com/terraform/0.6.13/terraform_0.6.13_SHA256SUMS This isn't perfect, as described in the following article, but it's still good practice: - https://micahflee.com/2016/02/backdoored-linux-mint-and-the-perils-of-checksums/ --- terraform/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/terraform/Dockerfile b/terraform/Dockerfile index f141a72e..7145d7bf 100644 --- a/terraform/Dockerfile +++ b/terraform/Dockerfile @@ -2,6 +2,7 @@ FROM alpine:3.3 ENV PATH $PATH:/usr/local/bin ENV TERRAFORM_VER 0.6.13 +ENV TERRAFORM_SUM 8eeddca53958d5c871de93a624eb0f5971f97cbaf107e0b2d1cc289f2ac21b79 ENV TERRAFORM_ZIP terraform_${TERRAFORM_VER}_linux_amd64.zip ENV BINARY_WHITELIST \ terraform \ @@ -17,5 +18,6 @@ ENV BINARY_WHITELIST \ RUN apk add --update openssl openssh-client ca-certificates && rm -rf /var/cache/apk/* RUN set -ex \ && wget https://releases.hashicorp.com/terraform/${TERRAFORM_VER}/${TERRAFORM_ZIP} -O /tmp/${TERRAFORM_ZIP} \ + && echo "${TERRAFORM_SUM} /tmp/${TERRAFORM_ZIP}" | sha256sum -c - \ && unzip /tmp/${TERRAFORM_ZIP} -d /usr/local/bin ${BINARY_WHITELIST} \ && rm /tmp/${TERRAFORM_ZIP}
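Review bot: In the first hunk, `TERRAFORM_SUM` is only valid for `TERRAFORM_VER 0.6.13` and nothing in the Dockerfile ties the two together, so a future version bump that forgets the checksum will surface as a confusing build failure rather than at review; add a comment beside the new `ENV` line naming its source (`# from https://releases.hashicorp.com/terraform/${TERRAFORM_VER}/terraform_${TERRAFORM_VER}_SHA256SUMS`) so both values are visibly updated together. Since the commit message already acknowledges the limits of a checksum pinned in the same repository, a follow-up could fetch that SHA256SUMS file together with its detached `.sig` and verify the signature against HashiCorp's release signing key before taking the per-file hash from it, which also covers a tampered download host rather than only a tampered transfer.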
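Review bot: In the second hunk, `sha256sum -c` parses each check line as `<hash>`, two spaces, `<filename>`, and as rendered here the `echo` separates them with a single space; both GNU coreutils and the BusyBox `sha256sum` shipped in Alpine 3.3 reject that as an improperly formatted checksum line, so the build would fail even for a correct download. Please confirm the literal is `echo "${TERRAFORM_SUM}  /tmp/${TERRAFORM_ZIP}"` with two spaces (or `" *"` for binary mode). The placement itself is right: under `set -e` the pipeline's exit status is that of `sha256sum`, so a mismatch aborts the `RUN` step before `unzip` executes and the unverified archive never reaches `/usr/local/bin`.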