From dd2019015a7f6eb94c478c0572bd81cd083c44aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Joakim=20Nohlg=C3=A5rd?=
Date: Sat, 30 May 2026 16:36:41 +0200
Subject: [PATCH] base: Verify GitHub CLI `gh` download via checksums file

---
 base/ubi10/Dockerfile | 6 +++++-
 base/ubi9/Dockerfile | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/base/ubi10/Dockerfile b/base/ubi10/Dockerfile
index 827ce782..6a965d1a 100644
--- a/base/ubi10/Dockerfile
+++ b/base/ubi10/Dockerfile
@@ -66,9 +66,13 @@ RUN \
 esac && \
 GH_TGZ="gh_${GH_VERSION}_${GH_ARCH}.tar.gz" && \
 GH_TGZ_URL="https://github.com/cli/cli/releases/download/v${GH_VERSION}/${GH_TGZ}" && \
+ GH_CHECKSUMS="gh_${GH_VERSION}_checksums.txt" && \
+ GH_CHECKSUMS_URL="https://github.com/cli/cli/releases/download/v${GH_VERSION}/${GH_CHECKSUMS}" && \
 echo "Downloading ${GH_TGZ_URL}..." && \
 if curl -fsSL "${GH_TGZ_URL}" -o "${GH_TGZ}"; then \
- if file "${GH_TGZ}" | grep -q 'gzip compressed'; then \
+ curl -fsSL "${GH_CHECKSUMS_URL}" -o "${GH_CHECKSUMS}" && \
+ grep -F -e " ${GH_TGZ}" "${GH_CHECKSUMS}" > "${GH_TGZ}.sha256" && \
+ if sha256sum -c "${GH_TGZ}.sha256"; then \
 tar -zxv --no-same-owner -f "${GH_TGZ}" && \
 mv "gh_${GH_VERSION}_${GH_ARCH}"/bin/gh /usr/local/bin/ && \
 mv "gh_${GH_VERSION}_${GH_ARCH}"/share/man/man1/* /usr/local/share/man/man1; \
diff --git a/base/ubi9/Dockerfile b/base/ubi9/Dockerfile
index 077c35b5..265d98ae 100644
--- a/base/ubi9/Dockerfile
+++ b/base/ubi9/Dockerfile
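Review bot: The checksums file is fetched from the same release URL as the tarball (the two added `curl` lines), so `sha256sum -c` can only catch a truncated, corrupted or mismatched download — roughly what the replaced `file | grep 'gzip compressed'` check approximated — not a tampered release, since anyone able to swap the asset can swap `gh_${GH_VERSION}_checksums.txt` with it. If the image is meant to pin what it installs, carrying the expected digest next to `GH_VERSION` (presumably a build ARG; its declaration is outside the hunk) and comparing against that would be the stronger check; otherwise a comment above the download stating the limited guarantee, e.g. `# checksums.txt comes from the same release as the tarball: guards against corrupt/partial downloads, not a compromised release`, keeps the next reader from over-trusting it. Separately, if the checksums download or the `grep` fails, the `&&` chain skips the inner `if` entirely and `gh` is silently not installed unless the enclosing `if curl ...; then` — whose `else`/`fi` and the rest of the `RUN` lie outside the hunk — turns that status into a build failure; worth confirming, or making it explicit with `|| exit 1` after the `grep` redirect. The identical ubi9 hunk has the same two points.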
@@ -49,9 +49,13 @@ RUN \
 esac && \
 GH_TGZ="gh_${GH_VERSION}_${GH_ARCH}.tar.gz" && \
 GH_TGZ_URL="https://github.com/cli/cli/releases/download/v${GH_VERSION}/${GH_TGZ}" && \
+ GH_CHECKSUMS="gh_${GH_VERSION}_checksums.txt" && \
+ GH_CHECKSUMS_URL="https://github.com/cli/cli/releases/download/v${GH_VERSION}/${GH_CHECKSUMS}" && \
 echo "Downloading ${GH_TGZ_URL}..." && \
 if curl -fsSL "${GH_TGZ_URL}" -o "${GH_TGZ}"; then \
- if file "${GH_TGZ}" | grep -q 'gzip compressed'; then \
+ curl -fsSL "${GH_CHECKSUMS_URL}" -o "${GH_CHECKSUMS}" && \
+ grep -F -e " ${GH_TGZ}" "${GH_CHECKSUMS}" > "${GH_TGZ}.sha256" && \
+ if sha256sum -c "${GH_TGZ}.sha256"; then \
 tar -zxv --no-same-owner -f "${GH_TGZ}" && \
 mv "gh_${GH_VERSION}_${GH_ARCH}"/bin/gh /usr/local/bin/ && \
 mv "gh_${GH_VERSION}_${GH_ARCH}"/share/man/man1/* /usr/local/share/man/man1; \