Update dotnet-install verification step #4256

Closed
@nrcventura

Description

Many of our dockerfiles in the /dockerfile folder have a step where we install dotnet by downloading the install-dotnet shell script, and then comparing its SHA to a known good SHA. These steps are done primarily for change notification tracking. We should document why we have these steps in the dockerfile along with the process for updating the SHA.

  1. Review the output of the failing run to grab updated sha from the output.
  2. Update the dockerfiles to use the new SHA.

In addition to this, we can add a verification step to these dockerfiles that validates the signature of the script.

We can add the public signing keys to our repo, and follow the steps in https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-install-script#signature-validation-of-dotnet-installsh to validate the signature of the script. We just need to skip the step of downloading the signature verification key, because it will already be in the repo.

Then when the signature verification step fails, we can see if it was due to a problem, or the key expiring. If there's a problem, then we can't trust the script and should not run it. If the key expired we need to get the updated key.

When we need to update the key we should require someone to take the following steps. These steps should also be documented.

  1. Download the install-dotnet script and key
  2. Review the contents of that script to verify that it is safe to use.
  3. Verify the signature of the script using the downloaded key
  4. Update our repo to use the new key.
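The two checks the issue proposes (pinned-hash comparison for change notification, then detached-signature verification against a key vendored in the repo), written as POSIX shell functions that a Dockerfile RUN step could call. This is an added example, not code from the issue or from the repository it belongs to. The file names `dotnet-install.sh`, `dotnet-install.sh.sig` and `keys/dotnet-install.asc`, and the exit codes used to separate "bad signature" from "expired key", are assumptions made for the example.

```shell
#!/bin/sh
# Added example: verification helpers for a vendored dotnet-install.sh.
# Assumed layout (not from the issue): the script, its detached signature and
# the public key live at dotnet-install.sh, dotnet-install.sh.sig and
# keys/dotnet-install.asc respectively.

# Print the SHA-512 of a file; works with coreutils (sha512sum) or BSD/macOS (shasum).
file_sha512() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# Change-notification check: compare the downloaded script against the hash
# pinned in the Dockerfile. On a mismatch the new hash is printed to stderr so
# the failing build log carries the value needed for the Dockerfile update.
# Returns 0 on match, 1 on mismatch.
check_pinned_sha() {
    script="$1"; expected="$2"
    actual=$(file_sha512 "$script")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "dotnet-install.sh SHA-512 changed" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Signature check using only the key already in the repo. The key is imported
# into a throw-away keyring (--homedir) so nothing is fetched at build time and
# the system keyring cannot contribute any other trusted key: a GOODSIG line
# can therefore only come from the vendored key.
# Returns 0 for a good signature, 3 if gpg reports an expired key or signature
# (refresh the vendored key), 2 if gpg or the key file is unusable, 1 otherwise
# (do not run the script).
verify_signature() {
    script="$1"; sig="$2"; keyfile="$3"
    tmpdir=$(mktemp -d) || return 2
    gpg --batch --homedir "$tmpdir" --import "$keyfile" >/dev/null 2>&1 \
        || { rm -rf "$tmpdir"; return 2; }
    # --status-fd 1 emits machine-readable "[GNUPG:] ..." lines on stdout.
    status=$(gpg --batch --homedir "$tmpdir" --status-fd 1 --verify "$sig" "$script" 2>/dev/null)
    rc=$?
    rm -rf "$tmpdir"
    # Check expiry before GOODSIG so an expired key is never treated as success.
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (EXPKEYSIG|KEYEXPIRED|EXPSIG) '; then
        echo "signature involves an expired key or signature: refresh the vendored key" >&2
        return 3
    fi
    if [ "$rc" -eq 0 ] && printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '; then
        return 0
    fi
    echo "bad or unverifiable signature: do not run the script" >&2
    return 1
}

# What a Dockerfile RUN step would call after downloading the script and its
# signature: both checks must pass before the script is executed.
#   verify_dotnet_install dotnet-install.sh dotnet-install.sh.sig keys/dotnet-install.asc "$PINNED_SHA512"
verify_dotnet_install() {
    check_pinned_sha "$1" "$4" && verify_signature "$1" "$2" "$3"
}
```

In a Dockerfile the key file is copied in with `COPY` before the `RUN` step, so the image build itself never downloads a key; when `verify_dotnet_install` returns 3 the maintainer follows the key-update steps above, and on any other non-zero code the build stops without running the script.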

Project status: Done/Cut