If you’re adding additional sources for apt-get in your Dockerfile, you should make sure that the correct key is added; otherwise the integrity of your Docker image may be violated.
You can do so by using sha256sum to generate the checksum of the downloaded file and compare it to a given checksum. That checksum could be listed on the web page where you download the file from, or you can create it yourself with

$:~/Docker-apt-key-security$ sha256sum archive.key

In that case "191f801a17273f25b781c580c2900d2fd58064554220ad6e18698aeb3c3afe70" is the checksum of the file.
Use that checksum in your Dockerfile once the key file has been downloaded:

wget -q <URL> \
 && echo "<CHECKSUM>  <FILENAME>" \
 | sha256sum -c
Note the double space between the checksum and the file name; this is the checksum file format that sha256sum -c expects, and the build step fails if the checksum does not match.
You get the whole string for the echo command when you execute sha256sum archive.key, since its output is already in exactly that format. The whole Dockerfile would look like this:
FROM ubuntu:16.04
RUN apt-get update \
 && apt-get install -y wget

# download archive.key-file,
# and check checksum against a
# previously calculated checksum with "sha256sum archive.key"
# Note the double space between checksum and file name
RUN wget -q http://deb.opera.com/archive.key \
 && echo "191f801a17273f25b781c580c2900d2fd58064554220ad6e18698aeb3c3afe70  archive.key" \
 | sha256sum -c
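The check behind that RUN step, as an added example that is not part of the original post: a small POSIX shell wrapper around sha256sum -c that verifies a file against a checksum obtained out of band, run once on a constructed sample file and once after the file has been altered, so you can see the pass and the fail case. The file content ("abc") and its SHA-256 are the standard test vector, not a real apt key; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Verifies a downloaded
# file against a checksum that was obtained separately (e.g. from the
# vendor's page or an earlier "sha256sum archive.key"), exactly as the
# Dockerfile's RUN step does. Returns 0 on match, non-zero otherwise.
verify_sha256() {
    expected="$1"
    file="$2"
    # Two spaces between checksum and file name: this is the input format
    # of "sha256sum -c" (the second character is the text-mode marker).
    # --status suppresses output; only the exit code is used.
    printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status
}

# Constructed sample input: a file containing "abc", whose SHA-256 is the
# well-known test-vector value used in GOOD_SUM below.
GOOD_SUM=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
make_sample() {
    dir=$(mktemp -d)
    printf 'abc' > "$dir/archive.key"
    echo "$dir/archive.key"
}

# Demonstration: the genuine file passes, a modified copy is rejected.
demo() {
    f=$(make_sample)
    if verify_sha256 "$GOOD_SUM" "$f"; then
        echo "ok: $f matches expected checksum"
    else
        echo "MISMATCH on untouched file"; return 1
    fi
    printf 'abcd' > "$f"   # simulate a corrupted or replaced download
    if verify_sha256 "$GOOD_SUM" "$f"; then
        echo "tampered file was accepted"; return 1
    else
        echo "rejected tampered file (as intended)"
    fi
}
```

Because the check is the last command of the pipeline, its exit status is what the RUN step sees, so a mismatch aborts the image build. The protection only holds if the expected checksum comes from a channel you trust more than the download itself; a checksum copied from the same unauthenticated page as the file proves nothing.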