Merge pull request #3 from jdoss/sha256_check

SHA256 tarball check
jdoss · Jun 5, 2018 · ce6c38c · ce6c38c
2 parents 8f2e976 + b4ec6ad
commit ce6c38c
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,9 +1,9 @@
-
 FROM fedora as builder
 MAINTAINER "Joe Doss" <joe@solidadmin.com>
 
 ARG WIREGUARD_VERSION
 ARG WIREGUARD_KERNEL_VERSION
+ARG WIREGUARD_SHA256
 
 WORKDIR /tmp
 
@@ -20,11 +20,13 @@ RUN dnf update -y && dnf install \
         kernel-devel-${WIREGUARD_KERNEL_VERSION}.rpm \
         kernel-modules-${WIREGUARD_KERNEL_VERSION}.rpm -y && \
         dnf clean all && \
-        curl -SL  https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz | tar xJ -C /usr/src/
+        curl -LS https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz | \
+        { t="$(mktemp)"; trap "rm -f '$t'" INT TERM EXIT; cat >| "$t"; sha256sum --quiet -c <<<"${WIREGUARD_SHA256} $t" \
+        || exit 1; cat "$t"; } | tar xJf -
 
-WORKDIR /usr/src/WireGuard-${WIREGUARD_VERSION}/src
+WORKDIR /tmp/WireGuard-${WIREGUARD_VERSION}/src
 
-RUN KERNELDIR=/usr/lib/modules/${WIREGUARD_KERNEL_VERSION}/build make && make install
+RUN KERNELDIR=/usr/lib/modules/${WIREGUARD_KERNEL_VERSION}/build make -j$(nproc) && make install
 
 FROM fedora
 MAINTAINER "Joe Doss" <joe@solidadmin.com>
@@ -35,10 +37,8 @@ WORKDIR /tmp
 
 RUN dnf update -y && dnf install kmod koji -y && \
         koji download-build --rpm --arch=x86_64 kernel-core-${WIREGUARD_KERNEL_VERSION} && \
-        koji download-build --rpm --arch=x86_64 kernel-devel-${WIREGUARD_KERNEL_VERSION} && \
         koji download-build --rpm --arch=x86_64 kernel-modules-${WIREGUARD_KERNEL_VERSION} && \
         dnf install /tmp/kernel-core-${WIREGUARD_KERNEL_VERSION}.rpm \
-        kernel-devel-${WIREGUARD_KERNEL_VERSION}.rpm \
         kernel-modules-${WIREGUARD_KERNEL_VERSION}.rpm -y && \
         dnf clean all && rm -f /tmp/*.rpm
 

diff --git a/README.md b/README.md
@@ -59,7 +59,7 @@ unload      Unload wireguard kernel module
 reload      Build and reload wireguard kernel module
 ```
 
-Atomic Wireguard also has a systemd unit file which on start waits for NetworkManager to finish starting up and then it will build and load the WireGuard kernel module. You can also use `systemctl reload atomic-wireguard` to run the build process, unload and then load the kernel module. This is handy if you want to change the WireGuard kernel module version. To change the version, just edit the `WIREGUARD_VERSION` line in `/etc/sysconfig/atomic-wireguard`. Please note that this needs to be the exact version number of a released snapshot. You can verify that the kernel module is loaded with `lsmod |grep wireguard`.
+Atomic Wireguard also has a systemd unit file which on start waits for NetworkManager to finish starting up and then it will build and load the WireGuard kernel module. You can also use `systemctl reload atomic-wireguard` to run the build process, unload and then load the kernel module. This is handy if you want to change the WireGuard kernel module version. To change the version, just edit the `WIREGUARD_VERSION` and `WIREGUARD_SHA265` lines in `/etc/sysconfig/atomic-wireguard`. Please note that this needs to be the exact version number and SHA256 hash of a released WireGuard snapshot. You can verify that the kernel module is loaded with `lsmod |grep wireguard`.
 
 ### Setting up systemd-networkd
 

diff --git a/atomic-wireguard b/atomic-wireguard
@@ -1,2 +1,3 @@
 WIREGUARD_PRUNE_OLD_VERSIONS=false
-WIREGUARD_VERSION=0.0.20180524
+WIREGUARD_SHA256=ff653095cc0e4c491ab6cd095ddf5d1db207f48f947fb92873a73220363f423c
+WIREGUARD_VERSION=0.0.20180531
diff --git a/atomic-wireguard-module b/atomic-wireguard-module
@@ -38,7 +38,9 @@ build_wireguard()
     echo "The WireGuard ${WIREGUARD_VERSION} kernel module container is not built."
     echo "Building ${WIREGUARD_VERSION} kernel module for ${WIREGUARD_KERNEL_VERSION} ..."
 
-    podman build --build-arg WIREGUARD_VERSION=${WIREGUARD_VERSION} --build-arg WIREGUARD_KERNEL_VERSION=${WIREGUARD_KERNEL_VERSION} \
+    podman build --build-arg WIREGUARD_VERSION=${WIREGUARD_VERSION} \
+    --build-arg WIREGUARD_SHA256=${WIREGUARD_SHA256} \
+    --build-arg WIREGUARD_KERNEL_VERSION=${WIREGUARD_KERNEL_VERSION} \
     -t wireguard:${WIREGUARD_VERSION} git://github.com/jdoss/atomic-wireguard
   fi
 
@@ -50,7 +52,9 @@ build_wireguard()
     echo "The WireGuard kernel module for ${WIREGUARD_KERNEL_VERSION} is not the correct version."
     echo "Building ${WIREGUARD_VERSION} kernel module for ${WIREGUARD_KERNEL_VERSION} ..."
 
-    podman build --build-arg WIREGUARD_VERSION=${WIREGUARD_VERSION} --build-arg WIREGUARD_KERNEL_VERSION=${WIREGUARD_KERNEL_VERSION} \
+    podman build --build-arg WIREGUARD_VERSION=${WIREGUARD_VERSION} \
+    --build-arg WIREGUARD_SHA256=${WIREGUARD_SHA256} \
+    --build-arg WIREGUARD_KERNEL_VERSION=${WIREGUARD_KERNEL_VERSION} \
     -t wireguard:${WIREGUARD_VERSION} git://github.com/jdoss/atomic-wireguard
   fi