diff --git a/.goreleaser.yml b/.goreleaser.yml
index 1f80f4a9c..0735fff30 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -114,11 +114,11 @@ checksum:
 signs:
 -
- signature: "${artifact}.asc"
+ signature: "${artifact}.minisig"
 cmd: "sh"
 args:
 - '-c'
- - 'gpg --quiet --detach-sign -a ${artifact}'
+ - 'minisign -s /media/${USER}/minio/minisign.key -qQSm ${artifact} < /media/${USER}/minio/minisign-passphrase'
 artifacts: all
 changelog:
diff --git a/Dockerfile.arm.release b/Dockerfile.arm.release
index 79f9c66c2..a42efe138 100644
--- a/Dockerfile.arm.release
+++ b/Dockerfile.arm.release
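Review bot: The passphrase file sits in the same directory as the secret key (`/media/${USER}/minio/`), so anyone who can read that mount obtains both and the passphrase no longer protects the key at rest. Keeping the two on separate storage, or supplying the passphrase from the release operator's secret store instead of a file beside the key, would restore that separation. The absolute paths also tie signing to one workstation layout, and it is worth confirming that `${USER}` reaches the shell unexpanded, since goreleaser substitutes `${artifact}` inside the same argument string. A short comment above `signs:` stating which public key verifies these signatures (presumably the one passed to `-P` in dockerscripts/verify-minio.sh) would help whoever rotates the key.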
@@ -12,13 +12,19 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_SSE_MASTER_KEY_FILE=sse_master_key
 RUN \
- apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \
+ echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+ apk update && apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' minisign && \
 echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf && \
 curl -s -q https://dl.min.io/server/minio/release/linux-arm/minio -o /usr/bin/minio && \
- curl -s -q https://raw.githubusercontent.com/minio/minio/release/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-arm/minio.sha256sum -o /usr/bin/minio.sha256sum && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-arm/minio.minisig -o /usr/bin/minio.minisig && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/verify-minio.sh -o /usr/bin/verify-minio.sh && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
 chmod +x /usr/bin/minio && \
 chmod +x /usr/bin/docker-entrypoint.sh && \
- curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS
+ chmod +x /usr/bin/verify-minio.sh && \
+ curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS && \
+ /usr/bin/verify-minio.sh
 EXPOSE 9000
diff --git a/Dockerfile.arm64.release b/Dockerfile.arm64.release
index 9a4f1e5c3..42a8ede28 100644
--- a/Dockerfile.arm64.release
+++ b/Dockerfile.arm64.release
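Review bot: The script that carries the trusted public key, `verify-minio.sh`, is itself downloaded at build time from the mutable `master` branch, so the trust anchor is fetched over the network in the same step as the binary it is meant to authenticate. If the build context is the repository, `COPY dockerscripts/verify-minio.sh /usr/bin/verify-minio.sh` keeps the key tied to the commit being built; otherwise pin the URL to a commit rather than a branch. The entrypoint URL also moves from `release` to `master` while CREDITS stays on `release`; if that is intended it deserves a comment. The same applies to the arm64, ppc64le, Dockerfile.release and s390x hunks.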
@@ -12,13 +12,19 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_SSE_MASTER_KEY_FILE=sse_master_key
 RUN \
- apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \
+ echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+ apk update && apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' minisign && \
 echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf && \
 curl -s -q https://dl.min.io/server/minio/release/linux-arm64/minio -o /usr/bin/minio && \
- curl -s -q https://raw.githubusercontent.com/minio/minio/release/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-arm64/minio.sha256sum -o /usr/bin/minio.sha256sum && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-arm64/minio.minisig -o /usr/bin/minio.minisig && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/verify-minio.sh -o /usr/bin/verify-minio.sh && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
 chmod +x /usr/bin/minio && \
 chmod +x /usr/bin/docker-entrypoint.sh && \
- curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS
+ chmod +x /usr/bin/verify-minio.sh && \
+ curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS && \
+ /usr/bin/verify-minio.sh
 EXPOSE 9000
diff --git a/Dockerfile.ppc64le.release b/Dockerfile.ppc64le.release
index 8dc5428fc..875cdcc23 100644
--- a/Dockerfile.ppc64le.release
+++ b/Dockerfile.ppc64le.release
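Review bot: Appending `edge/testing` to `/etc/apk/repositories` leaves that repository enabled in the final image, so apk can resolve any package from it, not just minisign. The URL is also plain `http://`, so it relies solely on apk's package signatures. Scoping the repository to the one install keeps the base on its stable branch: `apk add --no-cache --repository https://dl-cdn.alpinelinux.org/alpine/edge/testing minisign`. The separate `apk update` also writes the index cache that `--no-cache` is meant to avoid. This applies equally to the other four Dockerfile hunks.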
@@ -12,13 +12,18 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_SSE_MASTER_KEY_FILE=sse_master_key
 RUN \
- apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \
- echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf && \
+ echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+ apk update && apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' minisign && \
 curl -s -q https://dl.min.io/server/minio/release/linux-ppc64le/minio -o /usr/bin/minio && \
- curl -s -q https://raw.githubusercontent.com/minio/minio/release/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-ppc64le/minio.sha256sum -o /usr/bin/minio.sha256sum && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-ppc64le/minio.minisig -o /usr/bin/minio.minisig && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/verify-minio.sh -o /usr/bin/verify-minio.sh && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
 chmod +x /usr/bin/minio && \
 chmod +x /usr/bin/docker-entrypoint.sh && \
- curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS
+ chmod +x /usr/bin/verify-minio.sh && \
+ curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS && \
+ /usr/bin/verify-minio.sh
 EXPOSE 9000
diff --git a/Dockerfile.release b/Dockerfile.release
index aaa167092..ec09bc3fc 100644
--- a/Dockerfile.release
+++ b/Dockerfile.release
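Review bot: This hunk deletes the `echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf` line without replacing it, whereas the arm, arm64 and Dockerfile.release hunks keep it as context; the new side here is 18 lines against 19 there. Nothing in the change explains the difference, so it looks like an accidental drop alongside the minisign additions. If it is unintended, restore the line after the `apk add` line; if it is deliberate, say why in the commit message. The s390x hunk has the same deletion.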
@@ -9,13 +9,19 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_SSE_MASTER_KEY_FILE=sse_master_key
 RUN \
- apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \
+ echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+ apk update && apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' minisign && \
 echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf && \
 curl -s -q https://dl.min.io/server/minio/release/linux-amd64/minio -o /usr/bin/minio && \
- curl -s -q https://raw.githubusercontent.com/minio/minio/release/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-amd64/minio.sha256sum -o /usr/bin/minio.sha256sum && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-amd64/minio.minisig -o /usr/bin/minio.minisig && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/verify-minio.sh -o /usr/bin/verify-minio.sh && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
 chmod +x /usr/bin/minio && \
 chmod +x /usr/bin/docker-entrypoint.sh && \
- curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS
+ chmod +x /usr/bin/verify-minio.sh && \
+ curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS && \
+ /usr/bin/verify-minio.sh
 EXPOSE 9000
diff --git a/Dockerfile.s390x.release b/Dockerfile.s390x.release
index 9f8a624af..9c7d08e52 100644
--- a/Dockerfile.s390x.release
+++ b/Dockerfile.s390x.release
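Review bot: The added `curl -s -q` downloads omit `-f`, so on an HTTP error curl saves the error page as the file and still exits 0. The verification step would catch that for the binary, but `docker-entrypoint.sh` is covered by no check, so a failed fetch would produce an image with a broken entrypoint and a green build. Use `curl -fsS` on each download, for example `curl -fsS https://raw.githubusercontent.com/minio/minio/master/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \`. The `-q` option only takes effect as curl's first argument, so it can be dropped here. The same applies to the other Dockerfile hunks.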
@@ -12,13 +12,18 @@ ENV MINIO_ACCESS_KEY_FILE=access_key \
 MINIO_SSE_MASTER_KEY_FILE=sse_master_key
 RUN \
- apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' && \
- echo 'hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4' >> /etc/nsswitch.conf && \
+ echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories && \
+ apk update && apk add --no-cache ca-certificates 'curl>7.61.0' 'su-exec>=0.2' minisign && \
 curl -s -q https://dl.min.io/server/minio/release/linux-s390x/minio -o /usr/bin/minio && \
- curl -s -q https://raw.githubusercontent.com/minio/minio/release/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-s390x/minio.sha256sum -o /usr/bin/minio.sha256sum && \
+ curl -s -q https://dl.min.io/server/minio/release/linux-s390x/minio.minisig -o /usr/bin/minio.minisig && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/verify-minio.sh -o /usr/bin/verify-minio.sh && \
+ curl -s -q https://raw.githubusercontent.com/minio/minio/master/dockerscripts/docker-entrypoint.sh -o /usr/bin/docker-entrypoint.sh && \
 chmod +x /usr/bin/minio && \
 chmod +x /usr/bin/docker-entrypoint.sh && \
- curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS
+ chmod +x /usr/bin/verify-minio.sh && \
+ curl -s -q -O https://raw.githubusercontent.com/minio/minio/release/CREDITS && \
+ /usr/bin/verify-minio.sh
 EXPOSE 9000
diff --git a/dockerscripts/verify-minio.sh b/dockerscripts/verify-minio.sh
new file mode 100755
index 000000000..ad1369ee6
--- /dev/null
+++ b/dockerscripts/verify-minio.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+#
+# MinIO Cloud Storage, (C) 2020 MinIO, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+set -e
+
+if [ ! -x "/usr/bin/minio" ]; then
+ echo "minio executable binary not found refusing to proceed"
+ exit 1
+fi
+
+verify_sha256sum() {
+ echo "verifying binary checksum"
+ echo "$(awk '{print $1}' /usr/bin/minio.sha256sum) /usr/bin/minio" | sha256sum -c
+}
+
+verify_signature() {
+ echo "verifying binary signature"
+ minisign -VQm /usr/bin/minio -P RWTx5Zr1tiHQLwG9keckT0c45M3AGeHD6IvimQHpyRywVWGbP1aVSGav
+}
+
+main() {
+ verify_sha256sum
+
+ verify_signature
+}
+
+main "$@"
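Review bot: `verify_sha256sum` compares the binary against a checksum file that the Dockerfiles fetch from the same host as the binary, so it detects a corrupted download but not a substituted one; only `verify_signature` authenticates. Say so in a comment above the function, e.g. `# Integrity check only; authenticity is established by verify_signature below.` The public key passed to `-P` carries no provenance note; a comment such as `# minisign public key for MinIO release binaries; update here on key rotation` would tell a maintainer what to cross-check and where to change it. The opening guard tests only `/usr/bin/minio`, so a missing `minio.minisig` or `minio.sha256sum` is left for the tools themselves to report.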