
Verify integrity when bootstrapping rustup

Open tabbyrobin opened this issue 7 months ago • 0 comments

I noticed that the Dockerfile here does not verify the integrity of the rustup installer: https://github.com/pyca/infra/blob/1383f9c10f0749c4c7ed33265ad8558ed30384f4/cryptography-linux/Dockerfile#L34

This contrasts with the bootstrapping for openssl and nodejs, which do verify by checksum:

https://github.com/pyca/infra/blob/1383f9c10f0749c4c7ed33265ad8558ed30384f4/staticnode/Dockerfile#L14-L15

https://github.com/pyca/infra/blob/1383f9c10f0749c4c7ed33265ad8558ed30384f4/cryptography-linux/install_openssl.sh#L7-L8

I would suggest fixing this by pinning the version and checksum of the rustup-init.sh script, for example:

```dockerfile
RUN <<-EOF
RUSTUP_VERSION=1.28.2
RUSTUP_SHA256=17247e4bcacf6027ec2e11c79a72c494c9af69ac8d1abcc1b271fa4375a106c2
# Fetch the installer for the pinned tag; -f makes curl fail on HTTP errors
# instead of saving an error page under the installer's name.
curl -fsSLO https://raw.githubusercontent.com/rust-lang/rustup/refs/tags/${RUSTUP_VERSION}/rustup-init.sh
# Abort the build unless the script matches the pinned checksum.
{ echo "${RUSTUP_SHA256}  rustup-init.sh" | sha256sum -c - ; } || exit 1
sh rustup-init.sh -y --default-toolchain stable --profile minimal
EOF
```

I have not yet tested this snippet; just providing it for illustration.

Of course this is not a full verification, since rustup will then do downloads from the internet: "rustup performs all downloads over HTTPS, but does not yet validate signatures of downloads." https://rust-lang.github.io/rustup/security.html

But this seems like a reasonable incremental improvement.

(Alternatives would be to manually pull binaries, or to pull a rust source archive and compile it. However, at least some parts of the PyCA infrastructure seem to depend on rustup itself, not just rustc/cargo, for example RUSTUP_HOME: /root/.rustup.)

tabbyrobin, May 07 '25 22:05
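The pinned download-then-verify step proposed in the issue, written as reusable POSIX shell functions that also handle the mismatch case (an added example, not the issue author's snippet or pyca/infra code; the URL and hash in the usage comment are placeholders):

```shell
#!/bin/sh
# Added example, not code from the issue or from pyca/infra: verify a
# downloaded installer against a pinned SHA-256 before it can be executed.

# verify_sha256 FILE EXPECTED_HEX
# Exit status 0 when FILE hashes to EXPECTED_HEX. On a mismatch the file is
# deleted so that a later "sh FILE" step cannot run unverified content.
verify_sha256() {
    file=$1
    expected=$2
    # "HASH  NAME" with two spaces is the coreutils checksum-list format.
    if printf '%s  %s\n' "$expected" "$file" | sha256sum -c - >/dev/null 2>&1; then
        return 0
    fi
    echo "sha256 mismatch for $file; removing it" >&2
    rm -f -- "$file"
    return 1
}

# fetch_and_verify URL EXPECTED_HEX OUTFILE
# curl -f fails on HTTP errors so an error page is never saved as OUTFILE;
# --proto '=https' refuses a downgrade to plain HTTP on redirect.
fetch_and_verify() {
    curl -fsSL --proto '=https' --tlsv1.2 -o "$3" "$1" || return 1
    verify_sha256 "$3" "$2"
}

# Usage (placeholder URL and hash, not a real rustup release value):
#   fetch_and_verify "https://example.invalid/rustup-init.sh" \
#       "<expected sha256 hex>" rustup-init.sh && sh rustup-init.sh -y
```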