ubi: Restrict rpmkey import to specific keys

And not just whatever key is in the downloaded key file.

There could be more than one key included.

Per review: https://github.com/docker-library/official-images/pull/16872#issuecomment-2140726603
by @tianon.
Daniel Black 2024-05-31 09:03:04 +10:00
parent bd76785957
commit eac33f601e
5 changed files with 40 additions and 15 deletions


@ -63,18 +63,23 @@ ARG MARIADB_VERSION=10.11.8
# procps, pv(epel) - missing dependencies of galera sst script
# tzdata re-installed as only a fake version is part of the ubi-minimal base image.
# FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
RUN set -eux ; \
curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
gpg --batch --import /tmp/epelkey.txt ; \
gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
rpmkeys --import /tmp/epelkey.txt ; \
curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
rm /tmp/MariaDB-Server-GPG-KEY ; \
rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
unset GNUPGHOME ; \
microdnf update -y ; \
microdnf reinstall -y tzdata ; \
microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
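Review bot: The new `rm -rf "$GNUPGHOME"` on the second-to-last changed line does not stop any gpg-agent that the preceding `gpg --batch --import` calls may have spawned inside that directory, so the agent can outlive the keyring it was started for; the docker-library pattern this PR follows kills it first, `gpgconf --kill all ; rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \`. Whether an agent is actually launched for a public-key-only import depends on the gpg version in the ubi-minimal image, so treat this as hygiene rather than a functional defect. Exporting by full fingerprint is the right restriction, but if the fingerprint is absent from the downloaded file gpg appears to write an empty file with only a "nothing exported" warning, so the build relies on the following `rpmkeys --import` rejecting the empty file under `set -e`; a comment such as `# export only the expected fingerprint; an empty export is rejected by rpmkeys --import` would make that dependency explicit. The RUN instruction continues past the end of the hunk.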


@ -64,18 +64,23 @@ ARG MARIADB_VERSION=10.6.18
# procps, pv(epel) - missing dependencies of galera sst script
# tzdata re-installed as only a fake version is part of the ubi-minimal base image.
# FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
RUN set -eux ; \
curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
gpg --batch --import /tmp/epelkey.txt ; \
gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
rpmkeys --import /tmp/epelkey.txt ; \
curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
rm /tmp/MariaDB-Server-GPG-KEY ; \
rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
unset GNUPGHOME ; \
microdnf update -y ; \
microdnf reinstall -y tzdata ; \
microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
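Review bot: `rm -rf "$GNUPGHOME"` removes the temporary keyring but leaves any gpg-agent that `gpg --batch --import` started for it running, which is why the upstream docker-library images put `gpgconf --kill all ;` immediately before the `rm -rf`. Whether a daemon is spawned for a public-key import varies by gpg version, so this is a cleanup-hygiene point, not a known failure on ubi-minimal. The export-by-fingerprint step is sound; it would help a future reader to note above the `gpg --batch --armor --export` lines that `# only the key with this exact fingerprint is handed to rpmkeys; any other key in the downloaded file is dropped`, since that is the whole purpose of the temporary keyring. The RUN instruction continues beyond the hunk.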


@ -63,18 +63,23 @@ ARG MARIADB_VERSION=11.4.2
# procps, pv(epel) - missing dependencies of galera sst script
# tzdata re-installed as only a fake version is part of the ubi-minimal base image.
# FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
RUN set -eux ; \
curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
gpg --batch --import /tmp/epelkey.txt ; \
gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
rpmkeys --import /tmp/epelkey.txt ; \
curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
rm /tmp/MariaDB-Server-GPG-KEY ; \
rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
unset GNUPGHOME ; \
microdnf update -y ; \
microdnf reinstall -y tzdata ; \
microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
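Review bot: The temporary GNUPGHOME is deleted with `rm -rf "$GNUPGHOME"` but no `gpgconf --kill all` precedes it, so a gpg-agent started by the `gpg --batch --import` calls (if this gpg version starts one for public-key imports) keeps running against a directory that no longer exists; the conventional line is `gpgconf --kill all ; rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \`. The restriction itself is correct: `gpg --batch --armor --export <fingerprint>` hands rpmkeys only the intended key. Consider documenting the failure mode, e.g. `# if the expected fingerprint is missing the export is empty and rpmkeys --import fails the build`, because that is what now guards against a swapped key file and it is not obvious from the commands alone. This RUN instruction extends past the hunk.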


@ -63,18 +63,23 @@ ARG MARIADB_VERSION=11.5.1
# procps, pv(epel) - missing dependencies of galera sst script
# tzdata re-installed as only a fake version is part of the ubi-minimal base image.
# FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
RUN set -eux ; \
curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
gpg --batch --import /tmp/epelkey.txt ; \
gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
rpmkeys --import /tmp/epelkey.txt ; \
curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
rm /tmp/MariaDB-Server-GPG-KEY ; \
rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
unset GNUPGHOME ; \
microdnf update -y ; \
microdnf reinstall -y tzdata ; \
microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
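Review bot: Deleting the scratch keyring with `rm -rf "$GNUPGHOME"` without first running `gpgconf --kill all` can leave a gpg-agent behind that was started by the two `gpg --batch --import` calls; the docker-library images the PR review points to use `gpgconf --kill all ; rm -rf "$GNUPGHOME" … ; \` for exactly this reason. Whether an agent is launched for a pubkey-only import depends on the gpg build in ubi-minimal, so this is best-practice hygiene rather than a reproduced fault. The fingerprint-scoped export is the right fix for a multi-key file; a one-line comment above the export, `# re-export just this fingerprint so rpmkeys never sees other keys bundled in the download`, would record the intent the commit message explains. The RUN instruction continues outside the hunk.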


@ -64,18 +64,23 @@ ARG MARIADB_VERSION=%%MARIADB_VERSION%%
# procps, pv(epel) - missing dependencies of galera sst script
# tzdata re-installed as only a fake version is part of the ubi-minimal base image.
# FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
RUN set -eux ; \
curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
gpg --batch --import /tmp/epelkey.txt ; \
gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
rpmkeys --import /tmp/epelkey.txt ; \
curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
rm /tmp/MariaDB-Server-GPG-KEY ; \
rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
unset GNUPGHOME ; \
microdnf update -y ; \
microdnf reinstall -y tzdata ; \
microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
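Review bot: The template's new `rm -rf "$GNUPGHOME"` line should be preceded by `gpgconf --kill all ;` so that any gpg-agent spawned by the `gpg --batch --import` calls is stopped before its home directory disappears; since this template generates all the versioned Dockerfiles, fixing it here propagates the change everywhere. Whether an agent is actually started for a public-key import depends on the gpg version shipped in ubi-minimal, so this is hygiene rather than a confirmed breakage. Exporting by full fingerprint is the correct way to drop extra keys from the downloaded file; if the fingerprint is absent gpg appears to emit an empty file with only a warning, and the build then depends on `rpmkeys --import` rejecting it under `set -e`, which deserves a comment such as `# empty export (fingerprint not in file) is caught by rpmkeys --import`. The RUN instruction continues past the hunk.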