Always verify the integrity of downloaded binaries for security. For tini we

jonasbardino · jonasbardino · commit 4ce2159b01d7 · 2025-08-16T12:19:34.000+02:00
use the checksum of the binary that was released and gpg-signed by the author.
Fix a FROM ... AS ... case mismatch as pointed out by docker compose.
diff --git a/Dockerfile.rocky8 b/Dockerfile.rocky8
@@ -1713,8 +1713,10 @@ FROM --platform=linux/$ARCH setup_mig_configs AS start_mig
 ARG DOMAIN
 
 # Reap defuncted/orphaned processes
+# IMPORTANT: always verify tini gpg signature and use checksum in download here
 ARG TINI_VERSION=v0.18.0
-ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+ARG TINI_CHECKSUM=sha256:12d20136605531b09a2c2dac02ccee85e1b874eb322ef6baf7561cd93f93c855
+ADD --checksum=${TINI_CHECKSUM} https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 RUN chmod +x /tini
 ENTRYPOINT ["/tini", "--"]
 
diff --git a/Dockerfile.rocky9 b/Dockerfile.rocky9
@@ -302,7 +302,7 @@ RUN echo "Enable python3 support: $WITH_PY3"
 #RUN echo "Enable git checkout: $WITH_GIT"
 
 #------------------------- next stage -----------------------------#
-FROM --platform=linux/$ARCH init as base
+FROM --platform=linux/$ARCH init AS base
 ARG DOMAIN
 ARG WILDCARD_DOMAIN
 ARG ENABLE_GDP
@@ -1600,8 +1600,10 @@ FROM --platform=linux/$ARCH setup_mig_configs AS start_mig
 ARG DOMAIN
 
 # Reap defuncted/orphaned processes
+# IMPORTANT: always verify tini gpg signature and use checksum in download here
 ARG TINI_VERSION=v0.18.0
-ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
+ARG TINI_CHECKSUM=sha256:12d20136605531b09a2c2dac02ccee85e1b874eb322ef6baf7561cd93f93c855
+ADD --checksum=${TINI_CHECKSUM} https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 RUN chmod +x /tini
 ENTRYPOINT ["/tini", "--"]
 
