From bcdceb7d9d7e26a386fd03a34e94820a61a70726 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?B=C3=A1lint=20Bokros?= <balint.bokros@avatao.com>
Date: Fri, 12 Jan 2018 13:42:04 +0100
Subject: [PATCH] Make pyenv install MitM-resilient

---
 Dockerfile | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index d70b4f1..10b595c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,11 +27,18 @@ RUN apt-get update && \
 
 USER ${AVATAO_USER}
 
-COPY .pyenvrc /home/${AVATAO_USER}/.pyenvrc
+WORKDIR /home/${AVATAO_USER}
+COPY .pyenvrc .
 ENV PYTHON_VERSION="3.6.4"
-RUN curl -L https://raw.githubusercontent.com/pyenv/pyenv-installer/master/bin/pyenv-installer | bash && \
-    echo "source $HOME/.pyenvrc" >> "$HOME/.bashrc" && \
-    . "$HOME/.pyenvrc" && \
+# no GitHub releases are available, so current tip of head is hardcoded to avoid surprises
+ENV PYENV_INSTALLER_URL="https://raw.githubusercontent.com/pyenv/pyenv-installer/78cfd4d/bin/pyenv-installer"
+ENV PYENV_INSTALLER_HASH=9509348b828f0564358fff456f7f693dd9ace351dc3f240854d7685ad8a8e1dd
+RUN curl -fSL -o pyenv-installer ${PYENV_INSTALLER_URL} && \
+    echo "${PYENV_INSTALLER_HASH} *pyenv-installer" | sha256sum -c - && \
+    bash pyenv-installer && \
+    rm pyenv-installer && \
+    echo "source $HOME/.pyenvrc" >> .bashrc && \
+    . $HOME/.pyenvrc && \
     pyenv install ${PYTHON_VERSION} && \
     pyenv global ${PYTHON_VERSION} && \
     pip install tornado pyzmq transitions