
Commit 99683bf

authored
Rework gpg key import to try keyserver protocols in turn (PR131 follow-up) (#132)
Rework gpg key import from PR #131 to try keyserver protocols in turn for robust handling where e.g. strict firewalls prevent the default.
2 parents 1cb2fba + e516a29 commit 99683bf


2 files changed

+18
-6
lines changed


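--- a/Dockerfile.rocky8
+++ b/Dockerfile.rocky8
@@ -1732,11 +1732,17 @@ ARG TINI_GPG_KEY=0527A9B7
 #ADD --checksum=${TINI_CHECKSUM} https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /tini.asc
-RUN gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys ${TINI_GPG_KEY} \
-&& if ! gpg --verify /tini.asc /tini ; then \
+# NOTE: some build environments with strict firewalling may not allow e.g. hkp.
+# For robustness try different methods in turn until key import succeeds.
+RUN for key in ${TINI_GPG_KEY}; do \
+gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" || \
+gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "$key" || \
+gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys "$key" ; \
+done && \
+if ! gpg --verify /tini.asc /tini ; then \
 echo "FATAL: failed to verify tini binary"; \
 exit 1 ; \
-fi
+fi
 RUN chmod +x /tini
 ENTRYPOINT ["/tini", "--"]
 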
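Review bot: The new `for key in ${TINI_GPG_KEY}` loop still requests the key by the 8-hex-digit short ID `0527A9B7` shown in the hunk header. Short IDs are not collision-resistant, and `gpg --verify /tini.asc /tini` succeeds for a good signature from any key in the keyring, so the check only proves that tini was signed by whatever key the server returned for that ID. The two plain `hkp://` fallbacks also fetch that key over an unauthenticated channel, which matters more while the identifier is this weak. I would pin the full fingerprint, `ARG TINI_GPG_KEY=<FULL_40_HEX_FINGERPRINT>` (placeholder, to be taken from the tini release documentation), and assert the signer with `gpg --status-fd 1 --verify /tini.asc /tini | grep -q "VALIDSIG <FULL_40_HEX_FINGERPRINT>"`. The `ARG` line itself is outside the hunk, and the same applies to the identical hunk in Dockerfile.rocky9.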

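--- a/Dockerfile.rocky9
+++ b/Dockerfile.rocky9
@@ -1619,11 +1619,17 @@ ARG TINI_GPG_KEY=0527A9B7
 #ADD --checksum=${TINI_CHECKSUM} https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
 ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /tini.asc
-RUN gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys ${TINI_GPG_KEY} \
-&& if ! gpg --verify /tini.asc /tini ; then \
+# NOTE: some build environments with strict firewalling may not allow e.g. hkp.
+# For robustness try different methods in turn until key import succeeds.
+RUN for key in ${TINI_GPG_KEY}; do \
+gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" || \
+gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys "$key" || \
+gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys "$key" ; \
+done && \
+if ! gpg --verify /tini.asc /tini ; then \
 echo "FATAL: failed to verify tini binary"; \
 exit 1 ; \
-fi
+fi
 RUN chmod +x /tini
 ENTRYPOINT ["/tini", "--"]
 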
