From eac33f601ec635b4e0ce921efc6ac63884abceaf Mon Sep 17 00:00:00 2001
From: Daniel Black <daniel@mariadb.org>
Date: Fri, 31 May 2024 09:03:04 +1000
Subject: [PATCH] ubi: Restrict rpmkey import to specific keys

And not just whatever key is in the downloaded key file.

There could be more than one key included.

Per review: https://github.com/docker-library/official-images/pull/16872#issuecomment-2140726603
by @tianon.
---
 10.11-ubi/Dockerfile    | 11 ++++++++---
 10.6-ubi/Dockerfile     | 11 ++++++++---
 11.4-ubi/Dockerfile     | 11 ++++++++---
 11.5-ubi/Dockerfile     | 11 ++++++++---
 Dockerfile-ubi.template | 11 ++++++++---
 5 files changed, 40 insertions(+), 15 deletions(-)

diff --git a/10.11-ubi/Dockerfile b/10.11-ubi/Dockerfile
index eb29cc6..0483d78 100644
--- a/10.11-ubi/Dockerfile
+++ b/10.11-ubi/Dockerfile
@@ -63,18 +63,23 @@ ARG MARIADB_VERSION=10.11.8
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
 	curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
-	gpg --import-options show-only --import  --with-colons /tmp/epelkey.txt  | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+	GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+	gpg --batch --import /tmp/epelkey.txt ; \
+	gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
 	rpmkeys --import /tmp/epelkey.txt ; \
 	curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
 	rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
 	curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
-	gpg --import-options show-only --import  --with-colons /tmp/MariaDB-Server-GPG-KEY  | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+	gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+	gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
 	rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
-	rm /tmp/MariaDB-Server-GPG-KEY ; \
+	rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+	unset GNUPGHOME ; \
 	microdnf update -y ; \
 	microdnf reinstall -y tzdata ; \
 	microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
diff --git a/10.6-ubi/Dockerfile b/10.6-ubi/Dockerfile
index 217f8a8..d4dc725 100644
--- a/10.6-ubi/Dockerfile
+++ b/10.6-ubi/Dockerfile
@@ -64,18 +64,23 @@ ARG MARIADB_VERSION=10.6.18
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
 	curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
-	gpg --import-options show-only --import  --with-colons /tmp/epelkey.txt  | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+	GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+	gpg --batch --import /tmp/epelkey.txt ; \
+	gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
 	rpmkeys --import /tmp/epelkey.txt ; \
 	curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
 	rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
 	curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
-	gpg --import-options show-only --import  --with-colons /tmp/MariaDB-Server-GPG-KEY  | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+	gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+	gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
 	rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
-	rm /tmp/MariaDB-Server-GPG-KEY ; \
+	rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+	unset GNUPGHOME ; \
 	microdnf update -y ; \
 	microdnf reinstall -y tzdata ; \
 	microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
diff --git a/11.4-ubi/Dockerfile b/11.4-ubi/Dockerfile
index a889670..6a367f7 100644
--- a/11.4-ubi/Dockerfile
+++ b/11.4-ubi/Dockerfile
@@ -63,18 +63,23 @@ ARG MARIADB_VERSION=11.4.2
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
 	curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
-	gpg --import-options show-only --import  --with-colons /tmp/epelkey.txt  | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+	GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+	gpg --batch --import /tmp/epelkey.txt ; \
+	gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
 	rpmkeys --import /tmp/epelkey.txt ; \
 	curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
 	rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
 	curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
-	gpg --import-options show-only --import  --with-colons /tmp/MariaDB-Server-GPG-KEY  | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+	gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+	gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
 	rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
-	rm /tmp/MariaDB-Server-GPG-KEY ; \
+	rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+	unset GNUPGHOME ; \
 	microdnf update -y ; \
 	microdnf reinstall -y tzdata ; \
 	microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
diff --git a/11.5-ubi/Dockerfile b/11.5-ubi/Dockerfile
index 9243b25..f9e272e 100644
--- a/11.5-ubi/Dockerfile
+++ b/11.5-ubi/Dockerfile
@@ -63,18 +63,23 @@ ARG MARIADB_VERSION=11.5.1
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
 	curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
-	gpg --import-options show-only --import  --with-colons /tmp/epelkey.txt  | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+	GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+	gpg --batch --import /tmp/epelkey.txt ; \
+	gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
 	rpmkeys --import /tmp/epelkey.txt ; \
 	curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
 	rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
 	curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
-	gpg --import-options show-only --import  --with-colons /tmp/MariaDB-Server-GPG-KEY  | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+	gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+	gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
 	rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
-	rm /tmp/MariaDB-Server-GPG-KEY ; \
+	rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+	unset GNUPGHOME ; \
 	microdnf update -y ; \
 	microdnf reinstall -y tzdata ; \
 	microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \
diff --git a/Dockerfile-ubi.template b/Dockerfile-ubi.template
index c04dbdc..807d9b7 100644
--- a/Dockerfile-ubi.template
+++ b/Dockerfile-ubi.template
@@ -64,18 +64,23 @@ ARG MARIADB_VERSION=%%MARIADB_VERSION%%
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
 	curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
-	gpg --import-options show-only --import  --with-colons /tmp/epelkey.txt  | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+	GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+	gpg --batch --import /tmp/epelkey.txt ; \
+	gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
 	rpmkeys --import /tmp/epelkey.txt ; \
 	curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
 	rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
 	rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
 	curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
-	gpg --import-options show-only --import  --with-colons /tmp/MariaDB-Server-GPG-KEY  | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+	gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+	gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
 	rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
-	rm /tmp/MariaDB-Server-GPG-KEY ; \
+	rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+	unset GNUPGHOME ; \
 	microdnf update -y ; \
 	microdnf reinstall -y tzdata ; \
 	microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \