From 2efad6dc700c98f1701958de5bdb513107f31a3f Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Fri, 11 Feb 2022 11:44:30 -0800
Subject: [PATCH] Pin and verify rustup-init sha256 in builder image

As an extra defense, pin the rustup version used and verify the
hash of the downloaded rustup-init binary. Previously we were downloading
the hash from the same place we were downloading the binary, so it didn't
really offer any extra protection besides making sure the download wasn't
corrupted (which HTTPS does for us).

This does not completely protect us, as rustup-init downloads rustup
without verifying signatures, but that will hopefully be fixed
soon: <https://github.com/rust-lang/rustup/issues/2028>.

This shouldn't add a significant amount of maintenance overhead, as old
rustup versions can still be used to download newer Rust versions.

Fixes https://github.com/freedomofpress/securedrop-security/issues/70.
---
 molecule/builder-focal/Dockerfile | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/molecule/builder-focal/Dockerfile b/molecule/builder-focal/Dockerfile
index b50eb3ab2c..29eef16c8a 100644
--- a/molecule/builder-focal/Dockerfile
+++ b/molecule/builder-focal/Dockerfile
@@ -42,14 +42,13 @@ COPY dh-virtualenv.pref /etc/apt/preferences.d/
 RUN apt-get update && apt-get install -y dh-virtualenv
 
 ENV RUST_VERSION 1.58.1
+ENV RUSTUP_VERSION 1.24.3
+ENV RUSTUP_INIT_SHA256 3dc5ef50861ee18657f9db2eeb7392f9c2a6c95c90ab41e45ab4ca71476b4338
 
 # Install Rust for building cryptography
 RUN TMPDIR=`mktemp -d` && cd ${TMPDIR} \
-        && curl --proto '=https' --tlsv1.2 -OO -sSf https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init{,.sha256} \
-        && mkdir -p target/x86_64-unknown-linux-gnu/release/ \
-        && mv rustup-init target/x86_64-unknown-linux-gnu/release/ \
-        && sha256sum --check rustup-init.sha256 \
-        && cd target/x86_64-unknown-linux-gnu/release/ \
+        && curl --proto '=https' --tlsv1.2 -OO -sSf https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/x86_64-unknown-linux-gnu/rustup-init \
+        && echo "${RUSTUP_INIT_SHA256} *rustup-init" | sha256sum -c - \
         && chmod +x rustup-init \
         && ./rustup-init --default-toolchain=${RUST_VERSION} -y \
         && cd && rm -rf ${TMPDIR}