From 733cbb628d54bfb4fd4f4a3c7b6b1304ad4dfe32 Mon Sep 17 00:00:00 2001
From: Alessandro Fael Garcia
Date: Tue, 25 Jun 2024 21:38:40 +0200
Subject: [PATCH] Update GPG keys used to sign packages

* Fix issue with Alpine variants no longer accepting untrusted keys since `apk index` 2.14.2
* Refactor Dockerfile ENV instruction to use `=` instead of whitespace per the latest guidelines
---
 Dockerfile-alpine-perl.template | 2 +-
 Dockerfile-alpine-slim.template | 6 +++---
 Dockerfile-alpine.template | 6 +++---
 Dockerfile-debian.template | 28 +++++++++++++++------------
 mainline/alpine-perl/Dockerfile | 2 +-
 mainline/alpine-slim/Dockerfile | 6 +++---
 mainline/alpine/Dockerfile | 6 +++---
 mainline/debian/Dockerfile | 28 +++++++++++++++------------
 stable/alpine-perl/Dockerfile | 2 +-
 stable/alpine-slim/Dockerfile | 6 +++---
 stable/alpine/Dockerfile | 6 +++---
 stable/debian/Dockerfile | 28 +++++++++++++++------------
 12 files changed, 66 insertions(+), 60 deletions(-)

diff --git a/Dockerfile-alpine-perl.template b/Dockerfile-alpine-perl.template
index 085664b..3e582db 100644
--- a/Dockerfile-alpine-perl.template
+++ b/Dockerfile-alpine-perl.template
@@ -51,7 +51,7 @@ RUN set -x \
 && cd pkg-oss-%%REVISION%% \
 && cd alpine \
 && make %%BUILDTARGET%% \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
 " \
 && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
diff --git a/Dockerfile-alpine-slim.template b/Dockerfile-alpine-slim.template
index 0a75849..46bc5b7 100644
--- a/Dockerfile-alpine-slim.template
+++ b/Dockerfile-alpine-slim.template
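Review bot: `--allow-untrusted` on the `apk index` line is introduced without a comment, and the flag name reads as if package verification were being switched off. From the surrounding lines the index is built only from the `.apk` files just produced by `make %%BUILDTARGET%%`, the resulting APKINDEX is signed by `abuild-sign` on the next line, and the public key is copied into `/etc/apk/keys/` only afterwards, so the flag appears to cover nothing more than indexing packages whose signing key apk does not trust yet — worth stating so a later reader neither drops it nor copies it onto an `apk add`. Suggest a comment above the enclosing `RUN set -x` (which starts and ends outside this hunk), e.g. `# apk index >= 2.14.2 rejects packages signed by keys not yet in /etc/apk/keys; the packages built above are signed with the temporary abuild key, so --allow-untrusted is required here (the APKINDEX itself is signed by abuild-sign right after).` The identical line is changed in Dockerfile-alpine-slim.template, Dockerfile-alpine.template and the generated mainline/ and stable/ alpine, alpine-slim and alpine-perl Dockerfiles, so the same comment belongs in each.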
@@ -3,8 +3,8 @@ FROM $IMAGE
 LABEL maintainer="NGINX Docker Maintainers "
-ENV NGINX_VERSION %%NGINX_VERSION%%
-ENV PKG_RELEASE %%PKG_RELEASE%%
+ENV NGINX_VERSION=%%NGINX_VERSION%%
+ENV PKG_RELEASE=%%PKG_RELEASE%%
 ARG UID=101
 ARG GID=101
@@ -66,7 +66,7 @@ RUN set -x \
 && cd pkg-oss-%%REVISION%% \
 && cd alpine \
 && make %%BUILDTARGET%% \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
 " \
 && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 0fd42ed..2b94d93 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -1,8 +1,8 @@
 ARG IMAGE=nginxinc/nginx-unprivileged:%%NGINX_VERSION%%-alpine-slim
 FROM $IMAGE
-ENV NJS_VERSION %%NJS_VERSION%%
-ENV NJS_RELEASE %%NJS_RELEASE%%
+ENV NJS_VERSION=%%NJS_VERSION%%
+ENV NJS_RELEASE=%%NJS_RELEASE%%
 ARG UID=101
 ARG GID=101
@@ -57,7 +57,7 @@ RUN set -x \
 && cd pkg-oss-%%REVISION%% \
 && cd alpine \
 && make %%BUILDTARGET%% \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
 " \
 && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index bcfde29..ff211c7 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -3,10 +3,10 @@ FROM $IMAGE
 LABEL maintainer="NGINX Docker Maintainers "
-ENV NGINX_VERSION %%NGINX_VERSION%%
-ENV NJS_VERSION %%NJS_VERSION%%
-ENV NJS_RELEASE %%NJS_RELEASE%%
-ENV PKG_RELEASE %%PKG_RELEASE%%
+ENV NGINX_VERSION=%%NGINX_VERSION%%
+ENV NJS_VERSION=%%NJS_VERSION%%
+ENV NJS_RELEASE=%%NJS_RELEASE%%
+ENV PKG_RELEASE=%%PKG_RELEASE%%
 ARG UID=101
 ARG GID=101
@@ -18,19 +18,21 @@ RUN set -x \
 && apt-get update \
 && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
 && \
- NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+ NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
 NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
 export GNUPGHOME="$(mktemp -d)"; \
 found=''; \
- for server in \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu \
- ; do \
- echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
- gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
- done; \
+ for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
+ for server in \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu \
+ ; do \
+ echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+ gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+ done; \
 test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
- gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
+ done; \
+ gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
 rm -rf "$GNUPGHOME"; \
 apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
 && dpkgArch="$(dpkg --print-architecture)" \
diff --git a/mainline/alpine-perl/Dockerfile b/mainline/alpine-perl/Dockerfile
index fecbc1d..f1c1b85 100644
--- a/mainline/alpine-perl/Dockerfile
+++ b/mainline/alpine-perl/Dockerfile
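Review bot: `found=''` is initialised once, before the new outer `for NGINX_GPGKEY in $NGINX_GPGKEYS` loop, so once the first fingerprint has been fetched it stays `yes` and the `test -z "$found"` check that now sits inside the loop can no longer detect a second or third key that every keyserver failed to serve; the build would continue with an incomplete keyring instead of exiting. Reset it per key: `for NGINX_GPGKEY in $NGINX_GPGKEYS; do found=''; \`. Separately, `gpg1 --export "$NGINX_GPGKEYS"` quotes the space-separated list into a single argument, which gpg is likely to treat as one user-id search pattern rather than three fingerprints and so export nothing into `$NGINX_GPGKEY_PATH`; it should be `gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \` (unquoted, as the `for` line already does), ideally followed by a check that the file is non-empty. mainline/debian/Dockerfile and stable/debian/Dockerfile carry the identical hunk, and the enclosing `RUN set -x` starts before and continues after this hunk in all three.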
@@ -62,7 +62,7 @@ RUN set -x \
 && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
 && cd alpine \
 && make module-perl \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
 " \
 && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
diff --git a/mainline/alpine-slim/Dockerfile b/mainline/alpine-slim/Dockerfile
index dfcac96..08825d2 100644
--- a/mainline/alpine-slim/Dockerfile
+++ b/mainline/alpine-slim/Dockerfile
@@ -8,8 +8,8 @@ FROM $IMAGE
 LABEL maintainer="NGINX Docker Maintainers "
-ENV NGINX_VERSION 1.27.0
-ENV PKG_RELEASE 2
+ENV NGINX_VERSION=1.27.0
+ENV PKG_RELEASE=2
 ARG UID=101
 ARG GID=101
@@ -72,7 +72,7 @@ RUN set -x \
 && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
 && cd alpine \
 && make base \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
 " \
 && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
diff --git a/mainline/alpine/Dockerfile b/mainline/alpine/Dockerfile
index ed1a968..d109e6d 100644
--- a/mainline/alpine/Dockerfile
+++ b/mainline/alpine/Dockerfile
@@ -6,8 +6,8 @@
 ARG IMAGE=nginxinc/nginx-unprivileged:1.27.0-alpine-slim
 FROM $IMAGE
-ENV NJS_VERSION 0.8.4
-ENV NJS_RELEASE 2
+ENV NJS_VERSION=0.8.4
+ENV NJS_RELEASE=2
 ARG UID=101
 ARG GID=101
@@ -67,7 +67,7 @@ RUN set -x \
 && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
 && cd alpine \
 && make module-geoip module-image-filter module-njs module-xslt \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
 " \
 && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
diff --git a/mainline/debian/Dockerfile b/mainline/debian/Dockerfile
index bd46b9d..fdff420 100644
--- a/mainline/debian/Dockerfile
+++ b/mainline/debian/Dockerfile
@@ -8,10 +8,10 @@ FROM $IMAGE
 LABEL maintainer="NGINX Docker Maintainers "
-ENV NGINX_VERSION 1.27.0
-ENV NJS_VERSION 0.8.4
-ENV NJS_RELEASE 2~bookworm
-ENV PKG_RELEASE 2~bookworm
+ENV NGINX_VERSION=1.27.0
+ENV NJS_VERSION=0.8.4
+ENV NJS_RELEASE=2~bookworm
+ENV PKG_RELEASE=2~bookworm
 ARG UID=101
 ARG GID=101
@@ -23,19 +23,21 @@ RUN set -x \
 && apt-get update \
 && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
 && \
- NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+ NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
 NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
 export GNUPGHOME="$(mktemp -d)"; \
 found=''; \
- for server in \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu \
- ; do \
- echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
- gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
- done; \
+ for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
+ for server in \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu \
+ ; do \
+ echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+ gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+ done; \
 test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
- gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
+ done; \
+ gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
 rm -rf "$GNUPGHOME"; \
 apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
 && dpkgArch="$(dpkg --print-architecture)" \
diff --git a/stable/alpine-perl/Dockerfile b/stable/alpine-perl/Dockerfile
index 94f5019..f5088a3 100644
--- a/stable/alpine-perl/Dockerfile
+++ b/stable/alpine-perl/Dockerfile
@@ -62,7 +62,7 @@ RUN set -x \
 && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
 && cd alpine \
 && make module-perl \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
 " \
 && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
diff --git a/stable/alpine-slim/Dockerfile b/stable/alpine-slim/Dockerfile
index cbd0374..9cf5244 100644
--- a/stable/alpine-slim/Dockerfile
+++ b/stable/alpine-slim/Dockerfile
@@ -8,8 +8,8 @@ FROM $IMAGE
 LABEL maintainer="NGINX Docker Maintainers "
-ENV NGINX_VERSION 1.26.1
-ENV PKG_RELEASE 2
+ENV NGINX_VERSION=1.26.1
+ENV PKG_RELEASE=2
 ARG UID=101
 ARG GID=101
@@ -72,7 +72,7 @@ RUN set -x \
 && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
 && cd alpine \
 && make base \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
 " \
 && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
diff --git a/stable/alpine/Dockerfile b/stable/alpine/Dockerfile
index 271f5dd..5d6967b 100644
--- a/stable/alpine/Dockerfile
+++ b/stable/alpine/Dockerfile
@@ -6,8 +6,8 @@
 ARG IMAGE=nginxinc/nginx-unprivileged:1.26.1-alpine-slim
 FROM $IMAGE
-ENV NJS_VERSION 0.8.4
-ENV NJS_RELEASE 2
+ENV NJS_VERSION=0.8.4
+ENV NJS_RELEASE=2
 ARG UID=101
 ARG GID=101
@@ -67,7 +67,7 @@ RUN set -x \
 && cd pkg-oss-${NGINX_VERSION}-${PKG_RELEASE} \
 && cd alpine \
 && make module-geoip module-image-filter module-njs module-xslt \
- && apk index -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
+ && apk index --allow-untrusted -o ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz ${tempDir}/packages/alpine/${apkArch}/*.apk \
 && abuild-sign -k ${tempDir}/.abuild/abuild-key.rsa ${tempDir}/packages/alpine/${apkArch}/APKINDEX.tar.gz \
 " \
 && cp ${tempDir}/.abuild/abuild-key.rsa.pub /etc/apk/keys/ \
diff --git a/stable/debian/Dockerfile b/stable/debian/Dockerfile
index 7dcecb7..a2710c0 100644
--- a/stable/debian/Dockerfile
+++ b/stable/debian/Dockerfile
@@ -8,10 +8,10 @@ FROM $IMAGE
 LABEL maintainer="NGINX Docker Maintainers "
-ENV NGINX_VERSION 1.26.1
-ENV NJS_VERSION 0.8.4
-ENV NJS_RELEASE 2~bookworm
-ENV PKG_RELEASE 2~bookworm
+ENV NGINX_VERSION=1.26.1
+ENV NJS_VERSION=0.8.4
+ENV NJS_RELEASE=2~bookworm
+ENV PKG_RELEASE=2~bookworm
 ARG UID=101
 ARG GID=101
@@ -23,19 +23,21 @@ RUN set -x \
 && apt-get update \
 && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
 && \
- NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+ NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
 NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
 export GNUPGHOME="$(mktemp -d)"; \
 found=''; \
- for server in \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu \
- ; do \
- echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
- gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
- done; \
+ for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
+ for server in \
+ hkp://keyserver.ubuntu.com:80 \
+ pgp.mit.edu \
+ ; do \
+ echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+ gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+ done; \
 test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
- gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
+ done; \
+ gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
 rm -rf "$GNUPGHOME"; \
 apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
 && dpkgArch="$(dpkg --print-architecture)" \