tor_build_scripts/Dockerfile-linux at master · brave/tor_build_scripts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
FROM ubuntu:noble

ARG zlib_version
ARG zlib_hash

ARG libevent_version
ARG libevent_hash

ARG openssl_version
ARG openssl_hash

ARG tor_version
ARG tor_hash

ARG jobs

COPY gpg-keys/* /
COPY patch /patch

RUN \
  DEBIAN_FRONTEND=noninteractive \
  apt-get update -qq && apt-get install --no-install-recommends -qq \
  automake \
  autotools-dev \
  build-essential \
  curl \
  ca-certificates \
  file \
  gnupg \
  libcap-dev \
  python-is-python3 \
  ; # end of apt-get install

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Download and verify all tarballs

RUN \
  curl --proto '=https' --tlsv1.3 -fsSL "https://zlib.net/zlib-${zlib_version}.tar.gz" -o "zlib-$zlib_version.tar.gz" && \
  curl --proto '=https' --tlsv1.3 -fsSL "https://zlib.net/zlib-${zlib_version}.tar.gz.asc" -o "zlib-$zlib_version.tar.gz.asc" && \
  gpg --keyring /zlib.gpg --verify "zlib-$zlib_version.tar.gz.asc" "zlib-$zlib_version.tar.gz" && \
  echo "$zlib_hash  zlib-$zlib_version.tar.gz" | shasum -a 256 -c - && \
  tar -zxvf "zlib-$zlib_version.tar.gz"

RUN \
  curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$openssl_version/openssl-$openssl_version.tar.gz" -o "openssl-$openssl_version.tar.gz" && \
  curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/openssl/openssl/releases/download/openssl-$openssl_version/openssl-$openssl_version.tar.gz.asc" -o "openssl-$openssl_version.tar.gz.asc" && \
  gpg --keyring /openssl.gpg --verify "openssl-$openssl_version.tar.gz.asc" "openssl-$openssl_version.tar.gz" && \
  echo "$openssl_hash  openssl-$openssl_version.tar.gz" | shasum -a 256 -c - && \
  tar -xvzf "openssl-$openssl_version.tar.gz"

RUN \
  curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/libevent/libevent/releases/download/release-$libevent_version/libevent-$libevent_version.tar.gz" -o "libevent-$libevent_version.tar.gz" && \
  curl --proto '=https' --tlsv1.3 -fsSL "https://github.com/libevent/libevent/releases/download/release-$libevent_version/libevent-$libevent_version.tar.gz.asc" -o "libevent-$libevent_version.tar.gz.asc" && \
  gpg --keyring /libevent.gpg --verify "libevent-$libevent_version.tar.gz.asc" "libevent-$libevent_version.tar.gz" && \
  echo "$libevent_hash  libevent-$libevent_version.tar.gz" | shasum -a 256 -c - && \
  tar -zxvf "libevent-$libevent_version.tar.gz"

RUN \
  curl --proto '=https' --tlsv1.3 -fsSL "https://dist.torproject.org/tor-$tor_version.tar.gz" -o "tor-$tor_version.tar.gz" && \
  curl --proto '=https' --tlsv1.3 -fsSL "https://dist.torproject.org/tor-$tor_version.tar.gz.sha256sum.asc" -o "tor-$tor_version.tar.gz.sha256sum.asc" && \
  echo "$tor_hash  tor-$tor_version.tar.gz" > "tor-$tor_version.tar.gz.sha256sum" && \
  gpg --keyring /tor.gpg --verify "tor-$tor_version.tar.gz.sha256sum.asc" "tor-$tor_version.tar.gz.sha256sum" && \
  sha256sum -c "tor-$tor_version.tar.gz.sha256sum" && \
  tar -xvzf "tor-$tor_version.tar.gz"

# Configure and compile everything

RUN \
  cd "zlib-$zlib_version" && \
  ./configure --prefix="$PWD/root" --static && \
  make ${jobs:+-j${jobs}} && \
  make ${jobs:+-j${jobs}} check && \
  make install

RUN \
  cd "openssl-$openssl_version" && \
  ./config --prefix="$PWD/root" --libdir=lib \
    no-apps \
    no-cmp \
    no-cms \
    no-comp \
    no-ct \
    no-dgram \
    no-docs \
    no-dso \
    no-ec2m \
    no-engine \
    no-http \
    no-legacy \
    no-module \
    no-nextprotoneg \
    no-ocsp \
    no-padlockeng \
    no-psk \
    no-quic \
    no-rfc3779 \
    no-shared \
    no-srp \
    no-srtp \
    no-ssl-trace \
    no-static-engine \
    no-ts \
    no-ui-console \
    no-uplink && \
  make ${jobs:+-j${jobs}} && \
  make test && \
  make install

RUN \
  cd "libevent-$libevent_version" && \
  patch -p0 < /patch/libevent/regress_dns.c.patch && \
  ./configure \
              --disable-openssl \
              --prefix="$PWD/install" \
              --disable-shared \
              --enable-gcc-hardening \
              --enable-static \
              --with-pic && \
  ulimit -n 65536 && \
  make ${jobs:+-j${jobs}} && \
  make ${jobs:+-j${jobs}} check && \
  make install

RUN \
  cd "tor-$tor_version" && \
  ./configure --prefix="$PWD/install" \
              --enable-static-tor \
              --with-libevent-dir="$PWD/../libevent-$libevent_version/install" \
              --with-openssl-dir="$PWD/../openssl-$openssl_version/root" \
              --with-zlib-dir="$PWD/../zlib-$zlib_version/root" \
              --disable-asciidoc \
              --disable-html-manual \
              --disable-lzma \
              --disable-manpage \
              --disable-zstd \
              --disable-module-relay \
              --disable-module-dirauth \
              && \
  make ${jobs:+-j${jobs}} && \
  make ${jobs:+-j${jobs}} check && \
  make install

ENTRYPOINT ["sh", "-c", "while true; do sleep 2; done"]