merge branch 'pr-3481' into release-1.1

Kir Kolyshkin (2): script/seccomp.sh: check tarball sha256 Dockerfile,scripts/release: bump libseccomp to v2.5.4 LGTMs: AkihiroSuda cyphar Closes #3481
opencontainers · May 27, 2022 · ff14258 · ff14258
2 parents 131222d + 8242c05
commit ff14258
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 ARG GO_VERSION=1.17
 ARG BATS_VERSION=v1.3.0
-ARG LIBSECCOMP_VERSION=2.5.3
+ARG LIBSECCOMP_VERSION=2.5.4
 
 FROM golang:${GO_VERSION}-bullseye
 ARG DEBIAN_FRONTEND=noninteractive

diff --git a/script/release_build.sh b/script/release_build.sh
@@ -19,7 +19,7 @@ set -e
 ## --->
 # Project-specific options and functions. In *theory* you shouldn't need to
 # touch anything else in this script in order to use this elsewhere.
-: "${LIBSECCOMP_VERSION:=2.5.3}"
+: "${LIBSECCOMP_VERSION:=2.5.4}"
 project="runc"
 root="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")/..")"
 

diff --git a/script/seccomp.sh b/script/seccomp.sh
@@ -5,6 +5,11 @@ set -e -u -o pipefail
 # shellcheck source=./script/lib.sh
 source "$(dirname "${BASH_SOURCE[0]}")/lib.sh"
 
+# sha256 checksums for seccomp release tarballs.
+declare -A SECCOMP_SHA256=(
+	["2.5.4"]=d82902400405cf0068574ef3dc1fe5f5926207543ba1ae6f8e7a1576351dcbdb
+)
+
 # Due to libseccomp being LGPL we must include its sources,
 # so download, install and build against it.
 # Parameters:
@@ -19,8 +24,10 @@ function build_libseccomp() {
 	local arches=("$@")
 	local tar="libseccomp-${ver}.tar.gz"
 
-	# Download and extract.
+	# Download, check, and extract.
 	wget "https://github.com/seccomp/libseccomp/releases/download/v${ver}/${tar}"{,.asc}
+	sha256sum --strict --check - <<<"${SECCOMP_SHA256[${ver}]} *${tar}"
+
 	local srcdir
 	srcdir="$(mktemp -d)"
 	tar xf "$tar" -C "$srcdir"