From 6db82638bddf9445ea59efdbdffae7caf633cb1c Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Tue, 12 Aug 2025 16:30:44 -0700
Subject: [PATCH] Upgrade from GnuPG to sq

This requires doing a lot more backflipping to accept the musl key because it frankly should probably be replaced with something newer (at least since 2023, if not since 2013).
---
 Dockerfile.build | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/Dockerfile.build b/Dockerfile.build
index 4cbf0be..d3c3c9b 100644
--- a/Dockerfile.build
+++ b/Dockerfile.build
@@ -5,7 +5,7 @@ RUN set -eux; \
 	dpkgArch="$(dpkg --print-architecture)"; \
 	apt-get install --update -y --no-install-recommends \
 		ca-certificates \
-		gnupg \
+		sq \
 		wget \
 		\
 		gcc \
@@ -43,14 +43,28 @@ RUN set -eux; \
 # https://musl.libc.org/releases.html
 ENV MUSL_VERSION 1.2.5
 RUN set -eux; \
-	wget -O musl.tgz.asc "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc"; \
-	wget -O musl.tgz "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz"; \
-	\
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '836489290BB6B70F99FFDA0556BCDB593020450F'; \
-	gpg --batch --verify musl.tgz.asc musl.tgz; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME" musl.tgz.asc; \
+# > Since 1.1.7, releases are signed with the project GPG key. Its fingerprint is 8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F.
+	muslKey='8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F'; \
+#
+# Error: No binding signature at time 2025-08-12T23:23:25Z
+# because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
+# because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
+#
+# and then:
+#
+# Error: Policy rejected non-revocation signature (Binary) requiring collision resistance
+# because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
+# 0 authenticated signatures, 1 bad signature.
+#
+	sq='sq --policy-as-of 2013-01-01T00:00:00Z'; \
+	$sq network search "$muslKey"; \
+	$sq pki link add --cert "$muslKey" --userid 'musl libc '; \
+	$sq download \
+		--output 'musl.tgz' \
+		--url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz" \
+		--signature-url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc" \
+		--signer "$muslKey" \
+		; \
 	\
 	mkdir /usr/local/src/musl; \
 	tar --extract --file musl.tgz --directory /usr/local/src/musl --strip-components 1; \
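Review bot: `--policy-as-of 2013-01-01T00:00:00Z` is baked into the whole `$sq` prefix, so it relaxes not only the SHA-1 self-signature on the musl certificate (the errors quoted in the comments) but also the check of the release signature performed by `sq download`; the fingerprint is pinned and `--signer` restricts which key may verify, so the residual exposure is a SHA-1 collision against the data signature, and that deserves a one-line comment above the `sq=` assignment, e.g. `# NOTE: this policy date also governs the tarball signature check (SHA-1 data signatures accepted); revisit once musl re-signs releases with a modern key`. A cheap defense in depth that does not depend on the relaxed policy is to pin the release digest after the download, since MUSL_VERSION is already fixed: `echo '<MUSL_TGZ_SHA256_PLACEHOLDER> *musl.tgz' | sha256sum -c -; \`. The `--userid 'musl libc '` argument looks truncated (no address after the name), which may be an extraction artifact of this page; if it is literal, `pki link add` would be binding a user ID the certificate probably does not carry, so confirm the value against the fetched certificate. `network search`, `pki link add` and `download` require a fairly recent sq, and the base image is outside this hunk, so confirm the distribution's `sq` package is new enough for these subcommands.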