From 99752f3d9bc5ccd9f69d16e2105d287df17f5ac2 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Mon, 29 Feb 2016 09:45:28 -0800
Subject: [PATCH] Fix "gpg" usage to stop relying on deprecated and insecure behavior
---
 2.6/Dockerfile | 25 ++++++++++++++++++-------
 3.0/Dockerfile | 25 ++++++++++++++++++-------
 3.1/Dockerfile | 25 ++++++++++++++++++-------
 3.2/Dockerfile | 25 ++++++++++++++++++-------
 Dockerfile.template | 25 ++++++++++++++++++-------
 5 files changed, 90 insertions(+), 35 deletions(-)
diff --git a/2.6/Dockerfile b/2.6/Dockerfile
index d4f00b0a..153142a4 100644
--- a/2.6/Dockerfile
+++ b/2.6/Dockerfile
@@ -4,15 +4,26 @@ FROM ruby:2.2-slim
 RUN groupadd -r redmine && useradd -r -g redmine redmine
 # grab gosu for easy step-down from root
-RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
-RUN curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture)" \
- && curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture).asc" \
- && gpg --verify /usr/local/bin/gosu.asc \
- && rm /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu
+ENV GOSU_VERSION 1.7
+RUN set -x \
+ && curl -fSL -o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
+ && curl -fSL -o /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+ && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
+ && chmod +x /usr/local/bin/gosu \
+ && gosu nobody true
+# grab tini for signal processing and zombie killing
+ENV TINI_VERSION v0.9.0
 RUN set -x \
- && curl -fSL "https://github.com/krallin/tini/releases/download/v0.5.0/tini" -o /usr/local/bin/tini \
+ && curl -fSL -o /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini" \
+ && curl -fSL -o /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini.asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 6380DC428747F6C393FEACA59A84159D7001A4E5 \
+ && gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini \
+ && rm -r "$GNUPGHOME" /usr/local/bin/tini.asc \
 && chmod +x /usr/local/bin/tini \
 && tini -h
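Review bot: The signature check in the gosu and tini `RUN` chains is only as strong as whatever `--recv-keys` placed in the throwaway `GNUPGHOME`, because `gpg --batch --verify` exits 0 for a good signature from any key in that keyring and the key is fetched from the keyserver pool on every uncached build. The full fingerprints pin the request, but nothing later in the chain asserts that the key which validated the file is the pinned one; whether gpg itself screens the keyserver response presumably depends on the gpg version in the base image. Comparing the `VALIDSIG` line from `gpg --batch --status-fd 1 --verify …` with the fingerprint, or importing a key file committed to the repository, would close that gap and remove the build-time dependency on the keyserver. It would also help to extend the existing comments, e.g. `# grab gosu for easy step-down from root (verified against the pinned release key in a temporary keyring)`, so the reason for the isolated keyring is recorded. The same applies to the identical hunks in 3.0/Dockerfile, 3.1/Dockerfile, 3.2/Dockerfile and Dockerfile.template.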
diff --git a/3.0/Dockerfile b/3.0/Dockerfile
index d6706888..b80f5886 100644
--- a/3.0/Dockerfile
+++ b/3.0/Dockerfile
@@ -4,15 +4,26 @@ FROM ruby:2.2-slim
 RUN groupadd -r redmine && useradd -r -g redmine redmine
 # grab gosu for easy step-down from root
-RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
-RUN curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture)" \
- && curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture).asc" \
- && gpg --verify /usr/local/bin/gosu.asc \
- && rm /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu
+ENV GOSU_VERSION 1.7
+RUN set -x \
+ && curl -fSL -o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
+ && curl -fSL -o /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+ && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
+ && chmod +x /usr/local/bin/gosu \
+ && gosu nobody true
+# grab tini for signal processing and zombie killing
+ENV TINI_VERSION v0.9.0
 RUN set -x \
- && curl -fSL "https://github.com/krallin/tini/releases/download/v0.5.0/tini" -o /usr/local/bin/tini \
+ && curl -fSL -o /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini" \
+ && curl -fSL -o /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini.asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 6380DC428747F6C393FEACA59A84159D7001A4E5 \
+ && gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini \
+ && rm -r "$GNUPGHOME" /usr/local/bin/tini.asc \
 && chmod +x /usr/local/bin/tini \
 && tini -h
diff --git a/3.1/Dockerfile b/3.1/Dockerfile
index 30c21437..6212347e 100644
--- a/3.1/Dockerfile
+++ b/3.1/Dockerfile
@@ -4,15 +4,26 @@ FROM ruby:2.2-slim
 RUN groupadd -r redmine && useradd -r -g redmine redmine
 # grab gosu for easy step-down from root
-RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
-RUN curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture)" \
- && curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture).asc" \
- && gpg --verify /usr/local/bin/gosu.asc \
- && rm /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu
+ENV GOSU_VERSION 1.7
+RUN set -x \
+ && curl -fSL -o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
+ && curl -fSL -o /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+ && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
+ && chmod +x /usr/local/bin/gosu \
+ && gosu nobody true
+# grab tini for signal processing and zombie killing
+ENV TINI_VERSION v0.9.0
 RUN set -x \
- && curl -fSL "https://github.com/krallin/tini/releases/download/v0.5.0/tini" -o /usr/local/bin/tini \
+ && curl -fSL -o /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini" \
+ && curl -fSL -o /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini.asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 6380DC428747F6C393FEACA59A84159D7001A4E5 \
+ && gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini \
+ && rm -r "$GNUPGHOME" /usr/local/bin/tini.asc \
 && chmod +x /usr/local/bin/tini \
 && tini -h
diff --git a/3.2/Dockerfile b/3.2/Dockerfile
index b37da619..e3633916 100644
--- a/3.2/Dockerfile
+++ b/3.2/Dockerfile
@@ -4,15 +4,26 @@ FROM ruby:2.2-slim
 RUN groupadd -r redmine && useradd -r -g redmine redmine
 # grab gosu for easy step-down from root
-RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
-RUN curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture)" \
- && curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture).asc" \
- && gpg --verify /usr/local/bin/gosu.asc \
- && rm /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu
+ENV GOSU_VERSION 1.7
+RUN set -x \
+ && curl -fSL -o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
+ && curl -fSL -o /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+ && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
+ && chmod +x /usr/local/bin/gosu \
+ && gosu nobody true
+# grab tini for signal processing and zombie killing
+ENV TINI_VERSION v0.9.0
 RUN set -x \
- && curl -fSL "https://github.com/krallin/tini/releases/download/v0.5.0/tini" -o /usr/local/bin/tini \
+ && curl -fSL -o /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini" \
+ && curl -fSL -o /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini.asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 6380DC428747F6C393FEACA59A84159D7001A4E5 \
+ && gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini \
+ && rm -r "$GNUPGHOME" /usr/local/bin/tini.asc \
 && chmod +x /usr/local/bin/tini \
 && tini -h
diff --git a/Dockerfile.template b/Dockerfile.template
index 5cb683dc..9de9c68b 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -4,15 +4,26 @@ FROM ruby:2.2-slim
 RUN groupadd -r redmine && useradd -r -g redmine redmine
 # grab gosu for easy step-down from root
-RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4
-RUN curl -o /usr/local/bin/gosu -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture)" \
- && curl -o /usr/local/bin/gosu.asc -SL "https://github.com/tianon/gosu/releases/download/1.2/gosu-$(dpkg --print-architecture).asc" \
- && gpg --verify /usr/local/bin/gosu.asc \
- && rm /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu
+ENV GOSU_VERSION 1.7
+RUN set -x \
+ && curl -fSL -o /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
+ && curl -fSL -o /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
+ && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
+ && chmod +x /usr/local/bin/gosu \
+ && gosu nobody true
+# grab tini for signal processing and zombie killing
+ENV TINI_VERSION v0.9.0
 RUN set -x \
- && curl -fSL "https://github.com/krallin/tini/releases/download/v0.5.0/tini" -o /usr/local/bin/tini \
+ && curl -fSL -o /usr/local/bin/tini "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini" \
+ && curl -fSL -o /usr/local/bin/tini.asc "https://github.com/krallin/tini/releases/download/$TINI_VERSION/tini.asc" \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 6380DC428747F6C393FEACA59A84159D7001A4E5 \
+ && gpg --batch --verify /usr/local/bin/tini.asc /usr/local/bin/tini \
+ && rm -r "$GNUPGHOME" /usr/local/bin/tini.asc \
 && chmod +x /usr/local/bin/tini \
 && tini -h