persist golang hash in tuxbot (#17551)

* persist golang hash in tuxbot

packaging/linux/Dockerfile

@@ -28,7 +28,14 @@ RUN apt-get install -y nodejs yarn
 
 # Install Go directly from Google, because the Debian repos tend to be behind.
 # When updating the version, remember to bump keybase_packaging_v# in docker_build.sh.
-RUN wget "https://storage.googleapis.com/golang/go1.12.4.linux-amd64.tar.gz" -O /root/go.tar
-RUN tar -C /usr/local -xzf /root/go.tar
-RUN rm /root/go.tar
+# Copy over the new hash when upgrading version. But if not upgrading version,
+# the check should not ever fail.
+ENV GOLANG_VERSION 1.12.4
+ENV GOLANG_DOWNLOAD_URL https://golang.org/dl/go$GOLANG_VERSION.linux-amd64.tar.gz
+ENV GOLANG_DOWNLOAD_SHA256 d7d1f1f88ddfe55840712dc1747f37a790cbcaa448f6c9cf51bbe10aa65442f5
+
+RUN wget "$GOLANG_DOWNLOAD_URL" -O /root/go.tar.gz
+RUN echo "$GOLANG_DOWNLOAD_SHA256 /root/go.tar.gz" | sha256sum --check --status --strict -
+RUN tar -C /usr/local -xzf /root/go.tar.gz
+RUN rm /root/go.tar.gz
 ENV PATH "$PATH:/usr/local/go/bin"

packaging/linux/docker_build.sh

@@ -59,7 +59,7 @@ gpg_tempfile="$gpg_tempdir/code_signing_key"
 gpg --export-secret-key --armor "$code_signing_fingerprint" > "$gpg_tempfile"
 
 # Make sure the Docker image is built.
-image=keybase_packaging_v19
+image=keybase_packaging_v21
 if [ -z "$(docker images -q "$image")" ] ; then
   echo "Docker image '$image' not yet built. Building..."
   docker build -t "$image" "$clientdir/packaging/linux"