Upgrade from GnuPG to sq
This requires doing a lot more backflipping to accept the musl key because it frankly should probably be replaced with something newer (at least since 2023, if not since 2013).
parent
6930d60e10
commit
6db82638bd
|
|
@ -5,7 +5,7 @@ RUN set -eux; \
|
||||||
dpkgArch="$(dpkg --print-architecture)"; \
|
dpkgArch="$(dpkg --print-architecture)"; \
|
||||||
apt-get install --update -y --no-install-recommends \
|
apt-get install --update -y --no-install-recommends \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
gnupg \
|
sq \
|
||||||
wget \
|
wget \
|
||||||
\
|
\
|
||||||
gcc \
|
gcc \
|
||||||
|
|
@ -43,14 +43,28 @@ RUN set -eux; \
|
||||||
# https://musl.libc.org/releases.html
|
# https://musl.libc.org/releases.html
|
||||||
ENV MUSL_VERSION 1.2.5
|
ENV MUSL_VERSION 1.2.5
|
||||||
RUN set -eux; \
|
RUN set -eux; \
|
||||||
wget -O musl.tgz.asc "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc"; \
|
# > Since 1.1.7, releases are signed with the project GPG key. Its fingerprint is 8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F.
|
||||||
wget -O musl.tgz "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz"; \
|
muslKey='8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F'; \
|
||||||
\
|
#
|
||||||
export GNUPGHOME="$(mktemp -d)"; \
|
# Error: No binding signature at time 2025-08-12T23:23:25Z
|
||||||
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '836489290BB6B70F99FFDA0556BCDB593020450F'; \
|
# because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
|
||||||
gpg --batch --verify musl.tgz.asc musl.tgz; \
|
# because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
|
||||||
gpgconf --kill all; \
|
#
|
||||||
rm -rf "$GNUPGHOME" musl.tgz.asc; \
|
# and then:
|
||||||
|
#
|
||||||
|
# Error: Policy rejected non-revocation signature (Binary) requiring collision resistance
|
||||||
|
# because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
|
||||||
|
# 0 authenticated signatures, 1 bad signature.
|
||||||
|
#
|
||||||
|
sq='sq --policy-as-of 2013-01-01T00:00:00Z'; \
|
||||||
|
$sq network search "$muslKey"; \
|
||||||
|
$sq pki link add --cert "$muslKey" --userid 'musl libc <musl@libc.org>'; \
|
||||||
|
$sq download \
|
||||||
|
--output 'musl.tgz' \
|
||||||
|
--url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz" \
|
||||||
|
--signature-url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc" \
|
||||||
|
--signer "$muslKey" \
|
||||||
|
; \
|
||||||
\
|
\
|
||||||
mkdir /usr/local/src/musl; \
|
mkdir /usr/local/src/musl; \
|
||||||
tar --extract --file musl.tgz --directory /usr/local/src/musl --strip-components 1; \
|
tar --extract --file musl.tgz --directory /usr/local/src/musl --strip-components 1; \
|
||||||
|
|
|
||||||
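Review bot: The `sq='sq --policy-as-of 2013-01-01T00:00:00Z'` alias is used for `sq download` as well as for the key import and link, so the tarball's data signature is accepted under a policy that still allows SHA-1 where collision resistance is required (the quoted "Binary" error shows this is exactly what was being rejected). Since the release is pinned by `MUSL_VERSION` anyway, I would add an independent digest check right after the download, e.g. `echo "$MUSL_SHA256 *musl.tgz" | sha256sum --strict --check -; \` with `ENV MUSL_SHA256 <sha256-of-release-tarball>` next to the version, so integrity does not rest on the rolled-back policy alone. Separately, the removed `rm -rf "$GNUPGHOME" musl.tgz.asc` has no counterpart here, so sq's certificate store and the new trust link appear to stay in the image layer; `export SEQUOIA_HOME="$(mktemp -d)"; \` before the first `$sq` call and `rm -rf "$SEQUOIA_HOME"; \` after the download would keep that state out of the image. The `RUN` continues past the end of the hunk, so a later cleanup may already exist there.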