From 6915f706938e7a9bca3bd34592b6b50ed878738a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Molinero=20Fern=C3=A1ndez?=
 <hector@molinero.dev>
Date: Sat, 21 Sep 2019 11:03:30 +0200
Subject: [PATCH] Verify noVNC and Websockify tarballs

---
 Dockerfile | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index e898567..b8267fc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,24 +32,29 @@ RUN export DEBIAN_FRONTEND=noninteractive \
 # Install noVNC
 ARG NOVNC_VERSION=v1.1.0
 ARG NOVNC_TARBALL_URL=https://github.com/novnc/noVNC/archive/${NOVNC_VERSION}.tar.gz
-RUN mkdir /opt/novnc/
-RUN curl -sSfL "${NOVNC_TARBALL_URL:?}" | tar -xz --strip-components=1 -C /opt/novnc/
+ARG NOVNC_TARBALL_CHECKSUM=2c63418b624a221a28cac7b9a7efecc092b695fc1b7dd88255b074ab32bc72a7
+RUN mkdir -p /opt/novnc/ \
+	&& curl -Lo /tmp/novnc.tgz "${NOVNC_TARBALL_URL:?}" \
+	&& printf '%s' "${NOVNC_TARBALL_CHECKSUM:?}  /tmp/novnc.tgz" | sha256sum -c \
+	&& tar -xzf /tmp/novnc.tgz --strip-components=1 -C /opt/novnc/ \
+	&& rm -f /tmp/novnc.tgz
 
 # Install Websockify
 ARG WEBSOCKIFY_VERSION=v0.9.0
 ARG WEBSOCKIFY_TARBALL_URL=https://github.com/novnc/websockify/archive/${WEBSOCKIFY_VERSION}.tar.gz
-RUN mkdir -p /opt/novnc/utils/websockify/
-RUN curl -sSfL "${WEBSOCKIFY_TARBALL_URL:?}" | tar -xz --strip-components=1 -C /opt/novnc/utils/websockify/
-
-# Create data directories
-RUN mkdir -p /var/lib/qemu/images/ /var/lib/qemu/iso/
+ARG WEBSOCKIFY_TARBALL_CHECKSUM=6ebfec791dd78be6584fb5fe3bc27f02af54501beddf8457368699f571de13ae
+RUN mkdir -p /opt/novnc/utils/websockify/ \
+	&& curl -Lo /tmp/websockify.tgz "${WEBSOCKIFY_TARBALL_URL:?}" \
+	&& printf '%s' "${WEBSOCKIFY_TARBALL_CHECKSUM:?}  /tmp/websockify.tgz" | sha256sum -c \
+	&& tar -xzf /tmp/websockify.tgz --strip-components=1 -C /opt/novnc/utils/websockify/ \
+	&& rm -f /tmp/websockify.tgz
 
 # Download ReactOS ISO
 ARG REACTOS_ISO_URL=https://downloads.sourceforge.net/project/reactos/ReactOS/0.4.12/ReactOS-0.4.12-iso.zip
 ARG REACTOS_ISO_CHECKSUM=16351c1352a05576e920fe3453a4a9e79bfd551b1dba696fbd16c61b60ce4c86
-RUN mkdir /tmp/reactos/ \
+RUN mkdir -p /tmp/reactos/ /var/lib/qemu/iso/ /var/lib/qemu/images/ \
 	&& curl -Lo /tmp/reactos/reactos.zip "${REACTOS_ISO_URL:?}" \
-	&& echo "${REACTOS_ISO_CHECKSUM:?}  /tmp/reactos/reactos.zip" | sha256sum -c \
+	&& printf '%s' "${REACTOS_ISO_CHECKSUM:?}  /tmp/reactos/reactos.zip" | sha256sum -c \
 	&& unzip /tmp/reactos/reactos.zip -d /tmp/reactos/ \
 	&& mv /tmp/reactos/*.iso /var/lib/qemu/iso/reactos.iso \
 	&& rm -rf /tmp/reactos/