Adding --checksum to avoid CIS-DI-0009

Add hadolint inline ignore to prevent ignoring it globally

Author: waja

Dockerfile

@@ -46,9 +46,14 @@ RUN \
 ARG FROM
 FROM ${FROM} AS main
 
+ARG NGINX_KEYRING_SHA256_SUM=7d3d5a7adf37e17d6882e2f6f55324b9a8f978ef3c99c50fe801af67c9847c91
 COPY docker/unit.list /etc/apt/sources.list.d/unit.list
-ADD --chmod=444 --chown=0:0 https://unit.nginx.org/keys/nginx-keyring.gpg /usr/share/keyrings/nginx-keyring.gpg
+# hadolint ignore=DL3020
+# ADD https://unit.nginx.org/keys/nginx-keyring.gpg /usr/share/keyrings/nginx-keyring.gpg --chown=0:0 --chmod=444 --checksum=sha256:${NGINX_KEYRING_SHA256_SUM}
+ADD https://unit.nginx.org/keys/nginx-keyring.gpg /usr/share/keyrings/nginx-keyring.gpg --checksum=sha256:${NGINX_KEYRING_SHA256_SUM}
 RUN export DEBIAN_FRONTEND=noninteractive \
+    && chown 0:0 /usr/share/keyrings/nginx-keyring.gpg \
+    && chmod 444 /usr/share/keyrings/nginx-keyring.gpg \
     && apt-get update -qq \
     && apt-get upgrade \
       --yes -qq --no-install-recommends \