windocker: Perform checksum verification on the cygwin + WinRM setup downloads #3715

Closed
sxa opened this issue Aug 14, 2024 · 1 comment · Fixed by #3730
Labels
ansible docker os:windows secure-dev Issues specific to SSDF/SLSA compliance work


sxa commented Aug 14, 2024

The Windows 2022 dockerfile used for creating the build images is downloading and using two artifacts that do not have their checksums verified. This should be changed.

Noting also that the cygwin setup is not verified in the main windows playbook for cygwin either, so that should also be updated.

Also noting that we seem to have a copy of the cygwin setup tool in https://github.com/adoptium/infrastructure/tree/master/.github/cygwin-build although it's likely unused now since the Dockerfiles that utilised them have since been deleted.

@sxa sxa added the secure-dev Issues specific to SSDF/SLSA compliance work label Aug 22, 2024

sxa commented Aug 22, 2024

I have verified that the "old" cygwin installer in the repo appears to still be functional, therefore pulling the fixed version from git and copying it into the image instead of downloading from the third-party repo would be feasible, if undesirable from a currency perspective.
However, I expect that there will be good PowerShell options for doing this.
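
One way to do the verification in PowerShell, as an added example that is not part of the issue thread or the adoptium repository: download to a temporary name, compare the SHA-256 from `Get-FileHash` against a pinned value, and only then move the file into place. The function name `Get-VerifiedDownload`, the URL and the hash shown in the usage comment are placeholders (assumptions), not values from the project.

```powershell
# Added example: refuse to use a downloaded installer unless its SHA-256
# matches a value pinned in the Dockerfile/playbook.
# Get-VerifiedDownload is a hypothetical helper name, not the project's code.
function Get-VerifiedDownload {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $OutFile,
        # Reject anything that is not a 64-character hex string, so an empty
        # or unreplaced placeholder value cannot silently pass.
        [Parameter(Mandatory)] [ValidatePattern('^[0-9A-Fa-f]{64}$')] [string] $ExpectedSha256
    )

    $ErrorActionPreference = 'Stop'

    # Download under a temporary name so an unverified or partial file never
    # exists at the path later build steps execute from.
    $tmp = "$OutFile.unverified"
    try {
        Invoke-WebRequest -Uri $Uri -OutFile $tmp -UseBasicParsing

        # Get-FileHash returns upper-case hex; -ne compares strings
        # case-insensitively, so the pinned value may be in either case.
        $actual = (Get-FileHash -Path $tmp -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {
            throw "SHA-256 mismatch for ${Uri}: expected $ExpectedSha256, got $actual"
        }

        Move-Item -Path $tmp -Destination $OutFile -Force
    }
    finally {
        # On any failure (network error, mismatch) remove the unverified file.
        if (Test-Path $tmp) { Remove-Item $tmp -Force }
    }
}

# Usage (placeholder URL and hash; substitute the real download location and
# the checksum recorded when the artifact was reviewed):
# Get-VerifiedDownload -Uri 'https://example.invalid/setup-x86_64.exe' `
#     -OutFile 'C:\temp\setup-x86_64.exe' `
#     -ExpectedSha256 '<64-hex-character SHA-256 of the reviewed installer>'
```

Because a mismatch throws a terminating error, a Dockerfile `RUN powershell -Command ...` step calling this exits non-zero and the image build stops. The pinned hash has to be updated whenever the upstream installer is deliberately bumped.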
