Description
I noticed that the Dockerfile here does not verify the integrity of the rustup installer:
infra/cryptography-linux/Dockerfile, line 34 in 1383f9c
This contrasts with the bootstrapping for openssl and nodejs, which do verify by checksum:
Lines 14 to 15 in 1383f9c
infra/cryptography-linux/install_openssl.sh, lines 7 to 8 in 1383f9c
I would suggest fixing this by pinning the version and checksum of the rustup-init.sh script, for example:

```dockerfile
RUN <<-EOF
set -eu
RUSTUP_VERSION=1.28.2
RUSTUP_SHA256=17247e4bcacf6027ec2e11c79a72c494c9af69ac8d1abcc1b271fa4375a106c2
# -f makes curl fail on an HTTP error instead of saving the error page as the script
curl -fsSL -o rustup-init.sh "https://raw.githubusercontent.com/rust-lang/rustup/refs/tags/${RUSTUP_VERSION}/rustup-init.sh"
# two spaces between digest and filename is the canonical checksum-list format;
# with set -e a mismatch aborts the RUN step before the script is executed
echo "${RUSTUP_SHA256}  rustup-init.sh" | sha256sum -c -
sh rustup-init.sh -y --default-toolchain stable --profile minimal
rm rustup-init.sh
EOF
```
I have not yet tested this snippet; just providing it for illustration.
Of course this is not a full verification, since rustup will then do downloads from the internet: "rustup performs all downloads over HTTPS, but does not yet validate signatures of downloads." https://rust-lang.github.io/rustup/security.html
But this seems like a reasonable incremental improvement.
(Alternatives would be to manually pull binaries, or to pull a rust source archive and compile it. However, at least some parts of the PyCA infrastructure seem to depend on rustup itself, not just rustc/cargo, for example RUSTUP_HOME: /root/.rustup.)