Add public key verification for aws cli download #715
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
template/v2/Dockerfile
Outdated
Comment on lines
62
to
66
| RUN curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \ | ||
| curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" | ||
| RUN gpg --import aws-cli-public-key.asc | ||
| RUN gpg --fingerprint FB5DB77FD5C118B80511ADA8A6310ACC4672475C | ||
| RUN gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \ |
There was a problem hiding this comment.
Let's avoid additional "RUN" commands in the Dockerfile because each "RUN" command will generate a new image layer and may cause increase in image size. One way is to move the "COPY" command to the beginning and connect these commands with "&"
template/v2/Dockerfile
Outdated
| sudo ./aws/install && \ | ||
| rm -rf aws awscliv2.zip && \ | ||
|
|
||
| COPY aws-cli-public-key.asc . |
There was a problem hiding this comment.
Let's copy the file to "/tmp/" folder so it will be automatically cleaned up. Example: https://github.com/aws/sagemaker-distribution/blob/main/template/v2/Dockerfile#L85
template/v2/Dockerfile
Outdated
| RUN curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \ | ||
| curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" | ||
| RUN gpg --import aws-cli-public-key.asc | ||
| RUN gpg --fingerprint FB5DB77FD5C118B80511ADA8A6310ACC4672475C |
There was a problem hiding this comment.
How is this fingerprint generated? Will it change in the future or is it fixed? Let's avoid to have such hard-coded value here. If this is indeed needed, try to add some comment to explain what this is
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add a file that stores the public key the AWS CLI is using (public resource can be find in their documents).
Add logic in the Dockerfile to read the public key and validate the downloaded file.
Type of Change
Release Information
Does this change need to be included in patch version releases? By default, any pull requests will only be added to the next SMD image minor version release once they are merged in template folder. Only critical bug fix or security update should be applied to new patch versions of existed image minor versions.
If yes, please explain why:
Appsec requirement, not urgent
How Has This Been Tested?
Tested in a test Dockerfile
Checklist:
Test Screenshots (if applicable):
test generate SMD docker image succeed:
Related Issues
N/A
Additional Notes
N/A