### Secure Download and Verification in Dockerfile (Shell) Source: https://www.cve.org/Resources/Media/Archives/OldWebsite/data/board/archives/2016-06/msg00004 This example illustrates a secure method for downloading and verifying software within a Dockerfile, as seen in the Nginx Dockerfile. It involves setting GPG keys, downloading the key, and using it to verify the integrity of the downloaded tarball before extraction. ```shell ENV GPG_KEYS B0F4253373F8F6F510D42178520A9993A1C052F8 && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPG_KEYS" && gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ ``` -------------------------------- ### Download and Execute Script in Dockerfile (Shell) Source: https://www.cve.org/Resources/Media/Archives/OldWebsite/data/board/archives/2016-06/msg00004 This snippet demonstrates a common pattern in Dockerfiles where a script is downloaded and executed. It highlights potential security risks if not handled properly, such as running as root or using HTTP. The example shows a specific implementation from the PocketMine-MP Dockerfile. ```shell RUN cd PocketMine-MP && wget -q -O - http://cdn.pocketmine.net/installer.sh | bash -s - -v beta ``` -------------------------------- ### Download and Execute Script in Dockerfile (Example) Source: https://www.cve.org/Resources/Media/Archives/OldWebsite/data/board/archives/2016-06/msg00011 This snippet demonstrates a common pattern in Dockerfiles where a script is downloaded via `wget` and then executed. It highlights potential security risks, especially when run with elevated privileges or over unencrypted HTTP. The example shows a `RUN` command that changes directory, downloads a script, and executes it. ```Dockerfile RUN cd PocketMine-MP && wget -q -O - http://cdn.pocketmine.net/installer.sh | bash -s - -v beta ```