Upgrade from GnuPG to sq

This requires doing a lot more backflipping to accept the musl key because it frankly should probably be replaced with something newer (at least since 2023, if not since 2013).
This commit is contained in:
Tianon Gravi 2025-08-12 16:30:44 -07:00
parent 6930d60e10
commit 6db82638bd
1 changed files with 23 additions and 9 deletions


@ -5,7 +5,7 @@ RUN set -eux; \
dpkgArch="$(dpkg --print-architecture)"; \
apt-get install --update -y --no-install-recommends \
ca-certificates \
gnupg \
sq \
wget \
\
gcc \
@ -43,14 +43,28 @@ RUN set -eux; \
# https://musl.libc.org/releases.html
ENV MUSL_VERSION 1.2.5
RUN set -eux; \
wget -O musl.tgz.asc "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc"; \
wget -O musl.tgz "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz"; \
\
export GNUPGHOME="$(mktemp -d)"; \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '836489290BB6B70F99FFDA0556BCDB593020450F'; \
gpg --batch --verify musl.tgz.asc musl.tgz; \
gpgconf --kill all; \
rm -rf "$GNUPGHOME" musl.tgz.asc; \
# > Since 1.1.7, releases are signed with the project GPG key. Its fingerprint is 8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F.
muslKey='8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F'; \
#
# Error: No binding signature at time 2025-08-12T23:23:25Z
# because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
# because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
#
# and then:
#
# Error: Policy rejected non-revocation signature (Binary) requiring collision resistance
# because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
# 0 authenticated signatures, 1 bad signature.
#
sq='sq --policy-as-of 2013-01-01T00:00:00Z'; \
$sq network search "$muslKey"; \
$sq pki link add --cert "$muslKey" --userid 'musl libc <musl@libc.org>'; \
$sq download \
--output 'musl.tgz' \
--url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz" \
--signature-url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc" \
--signer "$muslKey" \
; \
\
mkdir /usr/local/src/musl; \
tar --extract --file musl.tgz --directory /usr/local/src/musl --strip-components 1; \
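Review bot: The `--policy-as-of 2013-01-01T00:00:00Z` baked into the `sq=` variable on the new side applies to every sq step, so the `sq download` verification of musl.tgz now accepts a SHA-1 signature and the tarball's authenticity rests on SHA-1 collision resistance, which the commit does not compensate for. Since the key is still pinned by full fingerprint and restricted to one userid via `pki link add`, the residual exposure is a tampered tarball that still validates under the relaxed hash policy; pinning the artifact digest closes that independently of the OpenPGP policy, e.g. after the download: `echo "${MUSL_SHA256:?}  musl.tgz" | sha256sum --check --strict -; \` with the expected digest declared next to `MUSL_VERSION` (value to be taken from the upstream release; not on this page). A short comment above the `sq=` line stating that the rollback only relaxes hash-algorithm policy and does not change which key is trusted would make the trade-off explicit for the next reader. The old side removed `$GNUPGHOME` after verifying; the new side leaves the fetched certificate and the pki link in sq's state directory inside the image layer, so consider pointing sq at a `mktemp -d` home (sq's `--home` option) and removing it at the end as before.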