From fb7a0de4facb272965558fb9319aaf33b19f7529 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Fri, 26 Feb 2016 16:34:38 -0800
Subject: [PATCH] Fix "gpg" usage to stop relying on deprecated and insecure behavior
---
 Dockerfile | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 9c6ebbc5..605fec6e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,20 +2,22 @@ FROM node:4.2-slim
 RUN groupadd user && useradd --create-home --home-dir /home/user -g user user
-RUN set -x \
- && apt-get update \
- && apt-get install -y --no-install-recommends curl ca-certificates \
- && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y \
+ ca-certificates \
+ wget \
+ --no-install-recommends && rm -rf /var/lib/apt/lists/*
 # grab gosu for easy step-down from root
-RUN gpg --keyserver pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
-RUN arch="$(dpkg --print-architecture)" \
- && set -x \
- && curl -o /usr/local/bin/gosu -fSL "https://github.com/tianon/gosu/releases/download/1.7/gosu-$arch" \
- && curl -o /usr/local/bin/gosu.asc -fSL "https://github.com/tianon/gosu/releases/download/1.7/gosu-$arch.asc" \
- && gpg --verify /usr/local/bin/gosu.asc \
- && rm /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu
+ENV GOSU_VERSION 1.7
+RUN set -x \
+ && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
+ && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+ && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
+ && chmod +x /usr/local/bin/gosu \
+ && gosu nobody true
 ENV GHOST_SOURCE /usr/src/ghost
 WORKDIR $GHOST_SOURCE
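Review bot: The `gpg --keyserver ha.pool.sks-keyservers.net --recv-keys …` step is the only gpg call in the new RUN without `--batch`, and it is also where the trust root comes from. The fresh `GNUPGHOME` holds only what the keyserver returned, so `gpg --batch --verify` is exactly as strong as that fetch and the full fingerprint literal. I would write the fetch as `&& gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \` and add a comment above `ENV GOSU_VERSION` along the lines of `# key used to verify the gosu download; confirm this fingerprint out of band before changing it`. The build also fails whenever that one keyserver pool is unreachable, so importing a copy of the public key kept beside the Dockerfile with `gpg --batch --import` would remove the network dependency; whether that fits this repository is not visible from the hunk.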
@@ -30,7 +32,7 @@ RUN buildDeps=' \
 ' \
 && set -x \
 && apt-get update && apt-get install -y $buildDeps --no-install-recommends && rm -rf /var/lib/apt/lists/* \
- && curl -sSL "https://ghost.org/archives/ghost-${GHOST_VERSION}.zip" -o ghost.zip \
+ && wget -O ghost.zip "https://ghost.org/archives/ghost-${GHOST_VERSION}.zip" \
 && unzip ghost.zip \
 && npm install --production \
 && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false -o APT::AutoRemove::SuggestsImportant=false $buildDeps \
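Review bot: `ghost.zip` is unzipped and handed to `npm install --production` with nothing checking its contents, unlike the gosu binary, which this same commit verifies against a signature. The new `wget -O ghost.zip` line still relies on TLS to ghost.org alone. A pinned digest would close that gap, for example `&& echo "${GHOST_SHA256} *ghost.zip" | sha256sum -c - \` directly after the wget line, where `GHOST_SHA256` is a placeholder for a value declared next to `GHOST_VERSION` (its declaration is not shown here). The RUN instruction starts before this hunk and continues past its last line, so the exact placement needs checking against the full file.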