From eac33f601ec635b4e0ce921efc6ac63884abceaf Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Fri, 31 May 2024 09:03:04 +1000
Subject: [PATCH] ubi: Restrict rpmkey import to specific keys

And not just whatever key is in the downloaded key file. There could be more than one key included.

Per review: https://github.com/docker-library/official-images/pull/16872#issuecomment-2140726603 by @tianon.
---
 10.11-ubi/Dockerfile | 11 ++++++++---
 10.6-ubi/Dockerfile | 11 ++++++++---
 11.4-ubi/Dockerfile | 11 ++++++++---
 11.5-ubi/Dockerfile | 11 ++++++++---
 Dockerfile-ubi.template | 11 ++++++++---
 5 files changed, 40 insertions(+), 15 deletions(-)

diff --git a/10.11-ubi/Dockerfile b/10.11-ubi/Dockerfile
index eb29cc6..0483d78 100644
--- a/10.11-ubi/Dockerfile
+++ b/10.11-ubi/Dockerfile
@@ -63,18 +63,23 @@ ARG MARIADB_VERSION=10.11.8
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
diff --git a/10.6-ubi/Dockerfile b/10.6-ubi/Dockerfile
index 217f8a8..d4dc725 100644
--- a/10.6-ubi/Dockerfile
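Review bot: The added `gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt` and its MariaDB counterpart a few lines later never confirm that the pinned fingerprint was actually present in the downloaded file; to my knowledge gpg exits 0 with only a "nothing exported" warning when no key matches, so an empty file is handed to `rpmkeys --import` and the build then relies on rpmkeys rejecting that file rather than on an explicit check, whereas the removed grep failed the step directly. A one-line guard after each export restores the explicit fail-closed behaviour, e.g. `[ -s /tmp/epelkey.txt ] ; \`, or checking presence first with `gpg --batch --list-keys FF8AD1344597106ECE813B918A3872BF3228467C ; \`, which exits non-zero when the key is absent. The same hunk is repeated in 10.6-ubi/Dockerfile, 11.4-ubi/Dockerfile, 11.5-ubi/Dockerfile and Dockerfile-ubi.template, so the guard belongs in the template and the generated files alike. Minor style: `gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \` drops the space before `;` that every other line of this RUN uses. The RUN instruction continues past the end of the hunk.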
+++ b/10.6-ubi/Dockerfile
@@ -64,18 +64,23 @@ ARG MARIADB_VERSION=10.6.18
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
diff --git a/11.4-ubi/Dockerfile b/11.4-ubi/Dockerfile
index a889670..6a367f7 100644
--- a/11.4-ubi/Dockerfile
+++ b/11.4-ubi/Dockerfile
@@ -63,18 +63,23 @@ ARG MARIADB_VERSION=11.4.2
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
diff --git a/11.5-ubi/Dockerfile b/11.5-ubi/Dockerfile
index 9243b25..f9e272e 100644
--- a/11.5-ubi/Dockerfile
+++ b/11.5-ubi/Dockerfile
@@ -63,18 +63,23 @@ ARG MARIADB_VERSION=11.5.1
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
diff --git a/Dockerfile-ubi.template b/Dockerfile-ubi.template
index c04dbdc..807d9b7 100644
--- a/Dockerfile-ubi.template
+++ b/Dockerfile-ubi.template
@@ -64,18 +64,23 @@ ARG MARIADB_VERSION=%%MARIADB_VERSION%%
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \