Skip to content

Commit

Permalink
Update GPG keys used to sign packages
Browse files Browse the repository at this point in the history 
* Fix issue with Alpine variants no longer accepting untrusted keys since `apk index` 2.14.2
* Refactor Dockerfile ENV instruction to use `=` instead of whitespace per the latest guidelines
  • Loading branch information
@alessfg
alessfg committed Jun 25, 2024
1 parent c3359ff commit 733cbb6
Show file tree
Hide file tree
Showing 12 changed files with 66 additions and 60 deletions.
2 changes: 1 addition & 1 deletion Dockerfile-alpine-perl.template
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ RUN set -x \
&& cd pkg-oss-%%REVISION%% \
&& cd alpine \
&& make %%BUILDTARGET%% \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
Expand Down
6 changes: 3 additions & 3 deletions Dockerfile-alpine-slim.template
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,8 @@ FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <[email protected]>"

ENV NGINX_VERSION %%NGINX_VERSION%%
ENV PKG_RELEASE %%PKG_RELEASE%%
ENV NGINX_VERSION=%%NGINX_VERSION%%
ENV PKG_RELEASE=%%PKG_RELEASE%%

ARG UID=101
ARG GID=101
Expand Down Expand Up @@ -66,7 +66,7 @@ RUN set -x \
&& cd pkg-oss-%%REVISION%% \
&& cd alpine \
&& make %%BUILDTARGET%% \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
Expand Down
6 changes: 3 additions & 3 deletions Dockerfile-alpine.template
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
ARG IMAGE=nginxinc/nginx-unprivileged:%%NGINX_VERSION%%-alpine-slim
FROM $IMAGE

ENV NJS_VERSION %%NJS_VERSION%%
ENV NJS_RELEASE %%NJS_RELEASE%%
ENV NJS_VERSION=%%NJS_VERSION%%
ENV NJS_RELEASE=%%NJS_RELEASE%%

ARG UID=101
ARG GID=101
Expand Down Expand Up @@ -57,7 +57,7 @@ RUN set -x \
&& cd pkg-oss-%%REVISION%% \
&& cd alpine \
&& make %%BUILDTARGET%% \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
Expand Down
28 changes: 15 additions & 13 deletions Dockerfile-debian.template
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@ FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <[email protected]>"

ENV NGINX_VERSION %%NGINX_VERSION%%
ENV NJS_VERSION %%NJS_VERSION%%
ENV NJS_RELEASE %%NJS_RELEASE%%
ENV PKG_RELEASE %%PKG_RELEASE%%
ENV NGINX_VERSION=%%NGINX_VERSION%%
ENV NJS_VERSION=%%NJS_VERSION%%
ENV NJS_RELEASE=%%NJS_RELEASE%%
ENV PKG_RELEASE=%%PKG_RELEASE%%

ARG UID=101
ARG GID=101
Expand All @@ -18,19 +18,21 @@ RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
done; \
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
Expand Down
2 changes: 1 addition & 1 deletion mainline/alpine-perl/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ RUN set -x \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make module-perl \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
Expand Down
6 changes: 3 additions & 3 deletions mainline/alpine-slim/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@ FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <[email protected]>"

ENV NGINX_VERSION 1.27.0
ENV PKG_RELEASE 2
ENV NGINX_VERSION=1.27.0
ENV PKG_RELEASE=2

ARG UID=101
ARG GID=101
Expand Down Expand Up @@ -72,7 +72,7 @@ RUN set -x \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make base \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
Expand Down
6 changes: 3 additions & 3 deletions mainline/alpine/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
ARG IMAGE=nginxinc/nginx-unprivileged:1.27.0-alpine-slim
FROM $IMAGE

ENV NJS_VERSION 0.8.4
ENV NJS_RELEASE 2
ENV NJS_VERSION=0.8.4
ENV NJS_RELEASE=2

ARG UID=101
ARG GID=101
Expand Down Expand Up @@ -67,7 +67,7 @@ RUN set -x \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make module-geoip module-image-filter module-njs module-xslt \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
Expand Down
28 changes: 15 additions & 13 deletions mainline/debian/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,10 @@ FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <[email protected]>"

ENV NGINX_VERSION 1.27.0
ENV NJS_VERSION 0.8.4
ENV NJS_RELEASE 2~bookworm
ENV PKG_RELEASE 2~bookworm
ENV NGINX_VERSION=1.27.0
ENV NJS_VERSION=0.8.4
ENV NJS_RELEASE=2~bookworm
ENV PKG_RELEASE=2~bookworm

ARG UID=101
ARG GID=101
Expand All @@ -23,19 +23,21 @@ RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
done; \
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
Expand Down
2 changes: 1 addition & 1 deletion stable/alpine-perl/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -62,7 +62,7 @@ RUN set -x \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make module-perl \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
Expand Down
6 changes: 3 additions & 3 deletions stable/alpine-slim/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@ FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <[email protected]>"

ENV NGINX_VERSION 1.26.1
ENV PKG_RELEASE 2
ENV NGINX_VERSION=1.26.1
ENV PKG_RELEASE=2

ARG UID=101
ARG GID=101
Expand Down Expand Up @@ -72,7 +72,7 @@ RUN set -x \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make base \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
Expand Down
6 changes: 3 additions & 3 deletions stable/alpine/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,8 @@
ARG IMAGE=nginxinc/nginx-unprivileged:1.26.1-alpine-slim
FROM $IMAGE

ENV NJS_VERSION 0.8.4
ENV NJS_RELEASE 2
ENV NJS_VERSION=0.8.4
ENV NJS_RELEASE=2

ARG UID=101
ARG GID=101
Expand Down Expand Up @@ -67,7 +67,7 @@ RUN set -x \
&& cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
&& cd alpine \
&& make module-geoip module-image-filter module-njs module-xslt \
&& apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
&& abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
" \
&& cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
Expand Down
28 changes: 15 additions & 13 deletions stable/debian/Dockerfile
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,10 +8,10 @@ FROM $IMAGE

LABEL maintainer="NGINX Docker Maintainers <[email protected]>"

ENV NGINX_VERSION 1.26.1
ENV NJS_VERSION 0.8.4
ENV NJS_RELEASE 2~bookworm
ENV PKG_RELEASE 2~bookworm
ENV NGINX_VERSION=1.26.1
ENV NJS_VERSION=0.8.4
ENV NJS_RELEASE=2~bookworm
ENV PKG_RELEASE=2~bookworm

ARG UID=101
ARG GID=101
Expand All @@ -23,19 +23,21 @@ RUN set -x \
&& apt-get update \
&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
&& \
NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
export GNUPGHOME="$(mktemp -d)"; \
found=''; \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
for server in \
hkp://keyserver.ubuntu.com:80 \
pgp.mit.edu \
; do \
echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
done; \
test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
done; \
gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
rm -rf "$GNUPGHOME"; \
apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
&& dpkgArch="$(dpkg --print-architecture)" \
Expand Down

0 comments on commit 733cbb6

Please sign in to comment.