Security: Add checksum verification for downloaded binaries in Python 3.12 images

[coderabbitai]

Summary

The new Python 3.12 notebook images download external binaries (OpenShift CLI and ROCm components) without checksum verification, which poses a security risk. We should add checksum verification to ensure the integrity and authenticity of downloaded components.

Security Concern

Downloaded binaries without checksum verification could potentially be compromised, leading to supply chain attacks. This is particularly important for production environments where these images will be deployed.

Affected Components

Based on the Python 3.12 implementation:

OpenShift CLI (oc)

• Downloaded in multiple Dockerfiles without checksum verification
• Used across minimal, datascience, and pytorch variants

ROCm Components

• ROCm runtime and development packages installed via package manager
• While using official repositories, additional verification would strengthen security posture

Recommended Implementation

1. For OpenShift CLI:

   • Obtain SHA256 checksums from official releases
   • Add checksum verification after download
   • Example: echo "<expected_sha256> oc-client.tar.gz" | sha256sum -c

2. For ROCm packages:

   • Verify GPG signatures of repository metadata
   • Consider pinning specific package versions with checksums

Code Locations

The downloads occur in the following Python 3.12 Dockerfiles:

• jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu
• jupyter/minimal/ubi9-python-3.12/Dockerfile.cuda
• jupyter/minimal/ubi9-python-3.12/Dockerfile.rocm
• jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu
• jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda

Context

This issue was identified during the review of PR #1230 which introduces Python 3.12 support. The implementation is otherwise excellent, but this security enhancement should be added in a follow-up.

Backlinks:

• PR: RHOAIENG-28511: merge the python-3.12 branch to opendatahub-io/notebooks#main #1230
• Review comment: RHOAIENG-28511: merge the python-3.12 branch to opendatahub-io/notebooks#main #1230 (comment)

Priority

Medium - Security enhancement that should be addressed before production deployment of Python 3.12 images.

Acceptance Criteria

• Add SHA256 checksum verification for OpenShift CLI downloads
• Implement GPG signature verification for ROCm repository setup
• Update all affected Python 3.12 Dockerfiles
• Document the security verification process
• Test that builds still work with verification enabled

[coderabbitai]

Additional scope: The new ROCm TensorFlow image being added in PR #1259 also downloads the oc client without checksum verification.

File: jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.rocm (lines 34-37)
Code:

RUN curl -L https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/stable/openshift-client-linux.tar.gz \
        -o /tmp/openshift-client-linux.tar.gz && \
    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
    rm -f /tmp/openshift-client-linux.tar.gz

This follows the same pattern as other Python 3.12 images and should be included in the scope of this security enhancement.

References:

• PR: RHOAIENG-27434: Create Rocm Tensorflow Python 3.12 Image #1259
• Review comment: RHOAIENG-27434: Create Rocm Tensorflow Python 3.12 Image #1259 (comment)

[coderabbitai]

Additional Security Concern: Code-server RPM Installation

While reviewing PR #1258 (Allow ODH codeserver image to be built for arm64), I identified another instance of downloading binaries without checksum verification that should be included in this comprehensive security issue.

Location: codeserver/ubi9-python-3.11/Dockerfile.cpu lines 55-56

Current Implementation:

RUN yum install -y "https://github.com/coder/code-server/releases/download/${CODESERVER_VERSION}/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm" && \
    yum -y clean all --enablerepo='*'

Security Risk:
The code-server RPM is installed directly from a remote URL without verifying its authenticity or integrity, which exposes the image to supply-chain attacks if GitHub or DNS is ever spoofed.

Recommended Fix:

1. Download the RPM using curl with proper flags (--fail, --location, --silent, --show-error)
2. Verify SHA-256 checksum against expected value stored as build argument
3. Install after successful verification
4. Clean up temporary files

Example Implementation:

RUN curl -L --fail -o /tmp/code-server.rpm \
        "https://github.com/coder/code-server/releases/download/${CODESERVER_VERSION}/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm" \
    && echo "${CODE_SERVER_SHA256}  /tmp/code-server.rpm" | sha256sum -c - \
    && yum install -y /tmp/code-server.rpm \
    && rm /tmp/code-server.rpm \
    && yum -y clean all --enablerepo='*'

This should be added to the acceptance criteria for this issue to ensure comprehensive coverage of all downloaded binaries across the repository.

Context:

• PR: RHOAIENG-28774: allow ODH codeserver image to be built for arm64 #1258
• Review comment: RHOAIENG-28774: allow ODH codeserver image to be built for arm64 #1258 (comment)