From 751b861f29b2b391ff01700c6a2883c65cd802f9 Mon Sep 17 00:00:00 2001 From: "Patrick J.P. Culp" Date: Thu, 20 May 2021 20:38:32 +0000 Subject: [PATCH] Pull bash and musl sources from lookaside cache This commit pulls and verifies sources from the Bottlerocket SDK's lookaside-cache, as opposed to their upstream repositories. --- Dockerfile | 15 ++++++++------- hashes/bash | 40 +++++++++++++++++++++++++++++++++++++++- hashes/musl | 3 ++- sdk-fetch | 8 ++++++++ 4 files changed, 57 insertions(+), 9 deletions(-) create mode 100755 sdk-fetch diff --git a/Dockerfile b/Dockerfile index ba8112a..a9d4788 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,14 +7,16 @@ ARG musl_version=1.2.2 ARG bash_version=5.0 ARG bash_patch_level=18 +WORKDIR /opt/build +COPY ./sdk-fetch ./ + WORKDIR /opt/build COPY ./hashes/musl ./hashes RUN \ - curl -OL https://musl.libc.org/releases/musl-${musl_version}.tar.gz && \ - grep musl-${musl_version}.tar.gz hashes | sha512sum --check - && \ + ./sdk-fetch hashes && \ tar -xf musl-${musl_version}.tar.gz && \ - rm musl-${musl_version}.tar.gz + rm musl-${musl_version}.tar.gz hashes WORKDIR /opt/build/musl-${musl_version} RUN ./configure --enable-static && make -j$(nproc) && make install @@ -23,14 +25,13 @@ WORKDIR /opt/build COPY ./hashes/bash ./hashes RUN \ - curl -OL https://ftp.gnu.org/gnu/bash/bash-${bash_version}.tar.gz && \ - grep bash-${bash_version}.tar.gz hashes | sha512sum --check - && \ + ./sdk-fetch hashes && \ tar -xf bash-${bash_version}.tar.gz && \ - rm bash-${bash_version}.tar.gz + rm bash-${bash_version}.tar.gz hashes WORKDIR /opt/build/bash-${bash_version} RUN for patch_level in $(seq ${bash_patch_level}); do \ - curl -L https://ftp.gnu.org/gnu/bash/bash-${bash_version}-patches/bash${bash_version//.}-$(printf '%03d' $patch_level) | patch -p0; \ + patch -p0 < /opt/build/bash${bash_version//.}-$(printf '%03d' $patch_level); \ done RUN CC=""/usr/local/musl/bin/musl-gcc CFLAGS="-Os -DHAVE_DLOPEN=0" \ ./configure \ 
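Review bot: The added `WORKDIR /opt/build` in front of `COPY ./sdk-fetch ./` is immediately followed by the existing `WORKDIR /opt/build`, so one of the two is redundant and the stage reads as if the directory changed in between. Keeping a single `WORKDIR /opt/build` followed by both `COPY` lines would be clearer. The new step also lacks a comment saying what the helper guarantees, for example `# sdk-fetch downloads every file named in ./hashes from the lookaside cache and fails unless each SHA512 matches`.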
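Review bot: A bash patch that is missing or fails to apply does not stop the build in the rewritten loop, because the body `patch -p0 < /opt/build/bash${bash_version//.}-$(printf '%03d' $patch_level); \` ends in `;` and the loop reports only the status of its last iteration. Unless the Dockerfile's `SHELL` enables errexit (not visible in this hunk), a skipped patch level goes unnoticed, and these are the upstream fixes for the shell. Ending the command with `|| exit 1` before the `;` makes each iteration fatal. This matters more now that the files come from a hash list. sdk-fetch verifies only what hashes/bash names, so raising `bash_patch_level` without adding the matching entry shows up only as a failed redirect inside this loop. The `RUN CC=... ./configure` statement that follows continues outside the hunk.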
diff --git a/hashes/bash b/hashes/bash
index 21e89b4..bdb0c70 100644
--- a/hashes/bash
+++ b/hashes/bash
@@ -1 +1,39 @@
-bb4519f06e278f271d08722b531e49d2e842cc3e0b02a6b3eee422e2efcb5b6226111af43f5e5eae56beb85ac8bfebcd6a4aacbabb8f609e529aa4d571890864 bash-5.0.tar.gz
\ No newline at end of file
+# https://ftp.gnu.org/gnu/bash/bash-5.0.tar.gz
+SHA512 (bash-5.0.tar.gz) = bb4519f06e278f271d08722b531e49d2e842cc3e0b02a6b3eee422e2efcb5b6226111af43f5e5eae56beb85ac8bfebcd6a4aacbabb8f609e529aa4d571890864
+
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-001
+SHA512 (bash50-001) = e3bf036287d3be1f3e91755678c04c9a8e1b4a98e34e181871dfaeb13987dda18c31a44db3f3829d91a185ba4414b9c0229f2a15f6e8a951cbc6c1054252bfdd
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-002
+SHA512 (bash50-002) = 59b1cfa1be1029ada53c63fe651d51451ead5523c50c115e0eada07e34e641c693ed728366986acb431f96fdc61818efd3f8cd168ce416001edc62602e5f28dd
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-003
+SHA512 (bash50-003) = 520b5cc0b7aeea6cd8b7471b553d8979996f3627a3e5c8889023562dadc82475be243aca2ec608217b78400a1dceb134b877d3ded926e581445234f1b69409e6
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-004
+SHA512 (bash50-004) = cbf51bb242edf36289bd483b47c9451132c12f341f494212c0e5d969cd06a3c1c4d121295f3bacb1d7d5e56f789258ba9f54c4cfb5760ed3c70ec1f49f25c719
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-005
+SHA512 (bash50-005) = 4d3e6f337a76b9ff1887c4c6e4e4352885779504f3c975b8d6fa587962f01e8adbd843b5341c1fc1d11152cf465f2982eebd9dc6e1384f319157d29740d510da
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-006
+SHA512 (bash50-006) = 71df829a3a3927a363ad961de8af8db898ea8b0ccf604c5f1326fe4646d0d50b3c7038ee473c225fc10d26c2dc1f711d66b74d003bb0445d36a8a70c49e056e0
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-007
+SHA512 (bash50-007) = 467d377836c53d188cda39de550ce1e00b58895a6646c4da3535e74e599978558a92d8e7bf7c59c988159468fbce04f3a0dbf62cbded28472272f1b9811786e8
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-008
+SHA512 (bash50-008) = 110fef44c1a26819ad8926ce00bd5378e99275763db4b0e9cfd125ba1ab7eb9f93abf912efb9841fa2ac59c380995e477683afc8cf6bf00367a9af7ae371e7f4
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-009
+SHA512 (bash50-009) = 6b770dbd4ca1175f9b958931b1e725d96626a24fb270bac5414d1679dde05276c87654815e9957d6932c515e8792caf8a5f0e9f2dc108bdd041d8024cf75a833
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-010
+SHA512 (bash50-010) = 8ca2cea0264bc0401414207fd8752d4d6eda64be3bb10fdc22529fa2bcedb84e6ab257ba2badc7078ece7f2ae1e2964635926f227eea7aed58166e82871322c2
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-011
+SHA512 (bash50-011) = 05833d6c85f3795a9c100246335f39155c1b5d190e073bf382269c2bbceb13a2de3f85dbe1dd5d4c7824fcca481febe3bdbb4c555e1f2de86bec05fcf6f5871e
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-012
+SHA512 (bash50-012) = 24d67358eec07cc4cd0457ec0c296567558f20bf713b917fc8a8e5095a83f1c5db880bb863d483ca0c9e003972ac5f56596a2eb10c26c82bf6326d0475784e7e
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-013
+SHA512 (bash50-013) = 38fff9856c2259fbba607aacee027dd61e8733c6e5f476b7491bc43755fb5a63e82372f9f18663ec81e7480f0738b296271c948e1932e851f68f53cf3a1935b5
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-014
+SHA512 (bash50-014) = e8f65be24b425ecaf66672eb4271e0efac2f495f882aeb559d60b52359a468b51852ed7aeeea0ab77cf648a48c9d37f2a00e263d06d29e9fa75b67a648399d91
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-015
+SHA512 (bash50-015) = 3a1a552d1f03dec9ed41be8d8c319fb3cbd01df9978ab25a7b37322913014beca6703980f342ea908250b666d72db95402d7b8219ffdd3df717acb36ed4b72b9
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-016
+SHA512 (bash50-016) = dbc3bd0fe3bddad8f6417b210fc5638a9c0c545f9d27638d63bac48aba9d3b93181a4f2e9898584d231b658589573fad5e4627ccbcf3e9d87e7663ac730b51aa
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-017
+SHA512 (bash50-017) = d4a4b2746a106a7e78f7df2467cfd4ca486ab36b3e6e97eb9d47ede728033b1246bc1b60edc271cdb49df998af196619b09e598c0da1b425f05455237e256b65
+# https://ftp.gnu.org/gnu/bash/bash-5.0-patches/bash50-018
+SHA512 (bash50-018) = cfbad36b1805ad76cb21d9136843171d794e57383318a014522e2d35905cf262d6721615f0a79972cacc45152de636977c957cbbad08ccb52f96de40b09bba5c
diff --git a/hashes/musl b/hashes/musl
index bf8845f..8260539 100644
--- a/hashes/musl
+++ b/hashes/musl
@@ -1 +1,2 @@
-5344b581bd6463d71af8c13e91792fa51f25a96a1ecbea81e42664b63d90b325aeb421dfbc8c22e187397ca08e84d9296a0c0c299ba04fa2b751d6864914bd82 musl-1.2.2.tar.gz
+# https://musl.libc.org/releases/musl-1.2.2.tar.gz
+SHA512 (musl-1.2.2.tar.gz) = 5344b581bd6463d71af8c13e91792fa51f25a96a1ecbea81e42664b63d90b325aeb421dfbc8c22e187397ca08e84d9296a0c0c299ba04fa2b751d6864914bd82
diff --git a/sdk-fetch b/sdk-fetch
new file mode 100755
index 0000000..d6eb568
--- /dev/null
+++ b/sdk-fetch
@@ -0,0 +1,8 @@
+#!/bin/bash
+set -euxo pipefail
+# shellcheck disable=SC2046
+curl --fail --remote-name-all --remote-time \
+ $(awk -F '[ ()]' '/^SHA512 \(/ {
+ printf "https://cache.bottlerocket.aws/%s/%s/%s\n", $3, $6, $3
+ }' "$1")
+sha512sum --check "$1"
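Review bot: `sha512sum --check "$1"` only warns about checksum lines it cannot parse, so an entry that the awk pattern turns into a download but sha512sum treats as malformed would be fetched without being verified. `sha512sum --check --strict "$1"` turns that into a hard failure; confirm first that the comment and blank lines in hashes/bash are still accepted by the coreutils in the SDK image. The unquoted `$(awk …)` is also subject to globbing as well as word splitting. Reading the URLs with `mapfile -t urls < <(awk …)` and passing `"${urls[@]}"` to curl would remove the need for the SC2046 suppression. A header comment such as `# URL layout: https://cache.bottlerocket.aws/<file>/<sha512>/<file>` would explain why fields 3 and 6 are used.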