Generate and verify checksum for the rootfs

.gitlab-ci.yml

@@ -9,7 +9,8 @@ stages:
 lint:
   stage: lint
   image: hadolint/hadolint:latest
-  script: hadolint --ignore DL3020 Dockerfile.template
+  # DL3007: We use the latest tag for multistage build
+  script: hadolint --ignore DL3007 --ignore DL3020 Dockerfile.template
 
 rootfs:base:
   stage: rootfs
@@ -20,10 +21,11 @@ rootfs:base:
     - echo "BUILD_DATE=$(date +%Y%m%d)" > build.env
   script:
     - pacman -Syu --noconfirm make devtools fakechroot fakeroot
-    - make base.tar.xz
+    - make dockerfile-image-base
   artifacts:
     paths:
       - base.tar.xz
+      - Dockerfile.base
     expire_in: 10m
     reports:
       dotenv: build.env
@@ -37,10 +39,11 @@ rootfs:base-devel:
     - echo "BUILD_DATE=$(date +%Y%m%d)" > build.env
   script:
     - pacman -Syu --noconfirm make devtools fakechroot fakeroot
-    - make base-devel.tar.xz
+    - make dockerfile-image-base-devel
   artifacts:
     paths:
       - base-devel.tar.xz
+      - Dockerfile.base-devel
     expire_in: 10m
     reports:
       dotenv: build.env
@@ -54,8 +57,6 @@ docker:base:
     - job: "rootfs:base"
   before_script:
     - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
-    - sed "s/TEMPLATE_LOCATION_HERE/base.tar/" Dockerfile.template > Dockerfile.base
-    - unxz base.tar.xz
   script:
     - /kaniko/executor
       --whitelist-var-run="false"
@@ -72,8 +73,6 @@ docker:base-devel:
     - job: "rootfs:base-devel"
   before_script:
     - echo "{\"auths\":{\"$CI_REGISTRY\":{\"username\":\"$CI_REGISTRY_USER\",\"password\":\"$CI_REGISTRY_PASSWORD\"}}}" > /kaniko/.docker/config.json
-    - sed "s/TEMPLATE_LOCATION_HERE/base-devel.tar/" Dockerfile.template > Dockerfile.base-devel
-    - unxz base-devel.tar.xz
   script:
     - /kaniko/executor
       --whitelist-var-run="false"

Dockerfile.template

+FROM archlinux:latest AS verify
+COPY TEMPLATE_ROOTFS_FILE /
+SHELL ["/bin/bash", "-c"]
+RUN ROOTFS="$(curl --continue-at - --remote-name --write-out "%{filename_effective}" TEMPLATE_ROOTFS_URL)" && \
+    sha256sum -c <<< "TEMPLATE_ROOTFS_HASH" && \
+    mkdir /rootfs && \
+    tar -C /rootfs --extract --auto-compress --file "${ROOTFS}"
+
 FROM scratch AS base
-ADD TEMPLATE_LOCATION_HERE /
+COPY --from=verify /rootfs/ /
 
 # manually run all alpm hooks that can't be run inside the fakechroot
 RUN ldconfig && update-ca-trust && locale-gen

Makefile

@@ -49,20 +49,32 @@ rootfs-base-devel: hooks
 
 base.tar.xz: rootfs-base
 	xz -9 -T0 -f base.tar
+	sha256sum base.tar.xz > base.tar.xz.SHA256
 
 base-devel.tar.xz: rootfs-base-devel
 	xz -9 -T0 -f base-devel.tar
+	sha256sum base-devel.tar.xz > base-devel.tar.xz.SHA256
+
+.PHONY: dockerfile-image-base
+dockerfile-image-base: base.tar.xz
+	sed -e "s/TEMPLATE_ROOTFS_FILE/base.tar.xz/" \
+	    -e "s/TEMPLATE_ROOTFS_URL/file:\/\/\/base.tar.xz/" \
+	    -e "s/TEMPLATE_ROOTFS_HASH/$$(cat base.tar.xz.SHA256)/" \
+	    Dockerfile.template > Dockerfile.base
+
+.PHONY: dockerfile-image-base-devel
+dockerfile-image-base-devel: base-devel.tar.xz
+	sed -e "s/TEMPLATE_ROOTFS_FILE/base-devel.tar.xz/" \
+	    -e "s/TEMPLATE_ROOTFS_URL/file:\/\/\/base-devel.tar.xz/" \
+	    -e "s/TEMPLATE_ROOTFS_HASH/$$(cat base-devel.tar.xz.SHA256)/" \
+	    Dockerfile.template > Dockerfile.base-devel
 
 .PHONY: docker-image-base
-docker-image-base: base.tar.xz
-	unxz base.tar.xz
-	sed "s/TEMPLATE_LOCATION_HERE/base.tar/" Dockerfile.template > Dockerfile.base
+docker-image-base: dockerfile-image-base
 	docker build -f Dockerfile.base -t archlinux/archlinux:base .
 
 .PHONY: docker-image-base-devel
-docker-image-base-devel: base-devel.tar.xz
-	unxz base-devel.tar.xz
-	sed "s/TEMPLATE_LOCATION_HERE/base-devel.tar/" Dockerfile.template > Dockerfile.base-devel
+docker-image-base-devel: dockerfile-image-base-devel
 	docker build -f Dockerfile.base-devel -t archlinux/archlinux:base-devel .
 
 .PHONY: docker-push-base

ci/release.py

@@ -11,6 +11,7 @@ Required env vars:
 """
 
 import os
+import re
 from pathlib import Path
 import gitlab
 
@@ -24,22 +25,36 @@ if __name__ == "__main__":
     project = gl.projects.get(project_id)
 
     print("Uploading base.tar.xz")
+    base_filename = f"base-{build_date}.tar.xz"
     base_uploaded_url = project.upload(
-        f"base-{build_date}.tar.xz", filepath="base.tar.xz"
+        base_filename, filepath="base.tar.xz"
     )["url"]
     base_template = Path("Dockerfile.template").read_text()
     base_full_url = f"{project_url}{base_uploaded_url}"
-    base_replaced = base_template.replace("TEMPLATE_LOCATION_HERE", base_full_url)
+    base_replaced = base_template.replace("TEMPLATE_ROOTFS_URL", base_full_url)
+    base_hash = f"{Path('base.tar.xz.SHA256').read_text()[0:64]}  {base_filename}"
+    base_replaced = base_replaced.replace(
+        "TEMPLATE_ROOTFS_HASH", base_hash
+    )
+    # Remove the line containing TEMPLATE_ROOTFS_FILE
+    base_replaced = re.sub(".*TEMPLATE_ROOTFS_FILE.*\n", "", base_replaced)
 
     print("Uploading base-devel.tar.xz")
+    base_devel_filename = f"base-devel-{build_date}.tar.xz"
     base_devel_uploaded_url = project.upload(
-        f"base-devel-{build_date}.tar.xz", filepath="base-devel.tar.xz"
+        base_devel_filename, filepath="base-devel.tar.xz"
     )["url"]
     base_devel_template = Path("Dockerfile.template").read_text()
     base_devel_full_url = f"{project_url}{base_devel_uploaded_url}"
     base_devel_replaced = base_devel_template.replace(
-        "TEMPLATE_LOCATION_HERE", base_devel_full_url
+        "TEMPLATE_ROOTFS_URL", base_devel_full_url
+    )
+    base_devel_hash = f"{Path('base-devel.tar.xz.SHA256').read_text()[0:64]}  {base_devel_filename}"
+    base_devel_replaced = base_devel_replaced.replace(
+        "TEMPLATE_ROOTFS_HASH", base_devel_hash
     )
+    # Remove the line containing TEMPLATE_ROOTFS_FILE
+    base_devel_replaced = re.sub(".*TEMPLATE_ROOTFS_FILE.*\n", "", base_devel_replaced)
 
     print("Templating Dockerfiles")
     data = {