Use gpg sign to check content (#13)
parent
a01ff8e203
commit
3df6c3ab71
@ -104,20 +104,32 @@ RUN set -ex; \
|
||||
|
||||
WORKDIR /var/www/html
|
||||
|
||||
# Define Monica version and expected SHA512 signature
|
||||
# Define Monica version
|
||||
ENV MONICA_VERSION %%VERSION%%
|
||||
ENV MONICA_SHA512 %%SHA512%%
|
||||
|
||||
RUN set -ex; \
|
||||
apk add --no-cache --virtual .fetch-deps \
|
||||
bzip2 \
|
||||
gnupg \
|
||||
; \
|
||||
\
|
||||
curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
|
||||
echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
|
||||
for ext in tar.bz2 tar.bz2.asc; do \
|
||||
curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
|
||||
done; \
|
||||
\
|
||||
tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
rm monica.tar.bz2; \
|
||||
GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
|
||||
export GNUPGHOME="$(mktemp -d)"; \
|
||||
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
|
||||
gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
|
||||
\
|
||||
tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
\
|
||||
gpgconf --kill all; \
|
||||
rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
|
||||
\
|
||||
cp /var/www/html/.env.example /var/www/html/.env; \
|
||||
chown -R www-data:www-data /var/www/html; \
|
||||
|
||||
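Review bot: The signing key is fetched from public keyservers on every build (the `--recv-keys` chain after `GPGKEY=`), so the build fails whenever none of the five hosts answers, and with the `sha512sum -c` check removed the fingerprint string is the only pin left. Committing the public key next to the Dockerfile and loading it with `gpg --batch --import <release-key>.asc` would remove the network dependency, and keeping the checksum line would give a second, independent check. A comment above `GPGKEY` such as `# Monica release signing key; fingerprint published at <URL>` would let a reviewer confirm the pin. The RUN block continues past the end of this hunk, and the same lines recur in the Debian template hunk and in the Dockerfiles generated from the two templates.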
@ -115,22 +115,41 @@ RUN set -ex; \
|
||||
|
||||
WORKDIR /var/www/html
|
||||
|
||||
# Define Monica version and expected SHA512 signature
|
||||
# Define Monica version
|
||||
ENV MONICA_VERSION %%VERSION%%
|
||||
ENV MONICA_SHA512 %%SHA512%%
|
||||
|
||||
%%APACHE_DOCUMENT%%
|
||||
|
||||
RUN set -ex; \
|
||||
fetchDeps=" \
|
||||
gnupg \
|
||||
"; \
|
||||
apt-get update; \
|
||||
apt-get install -y --no-install-recommends $fetchDeps; \
|
||||
\
|
||||
curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
|
||||
echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
|
||||
for ext in tar.bz2 tar.bz2.asc; do \
|
||||
curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
|
||||
done; \
|
||||
\
|
||||
tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
rm monica.tar.bz2; \
|
||||
GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
|
||||
export GNUPGHOME="$(mktemp -d)"; \
|
||||
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
|
||||
gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
|
||||
\
|
||||
tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
\
|
||||
gpgconf --kill all; \
|
||||
rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
|
||||
\
|
||||
cp /var/www/html/.env.example /var/www/html/.env; \
|
||||
chown -R www-data:www-data /var/www/html
|
||||
chown -R www-data:www-data /var/www/html; \
|
||||
\
|
||||
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY entrypoint.sh \
|
||||
queue.sh \
|
||||
|
||||
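Review bot: `fetchDeps` lists only `gnupg`, but `gpg --recv-keys` needs dirmngr to reach a keyserver, and with `--no-install-recommends` that package may not be pulled in, depending on the Debian release of the base image, which this hunk does not show. If so, all five `--recv-keys` attempts would fail and `set -e` would abort the build. Listing it explicitly, `gnupg dirmngr`, avoids depending on how the distribution packages gnupg. The expansions in `monica-${MONICA_VERSION}.$ext` are also unquoted in the `curl -o`, `gpg --verify`, `tar` and `rm` lines; quoting them would match the quoted URL on the same `curl` line.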
@ -122,24 +122,43 @@ RUN set -ex; \
|
||||
|
||||
WORKDIR /var/www/html
|
||||
|
||||
# Define Monica version and expected SHA512 signature
|
||||
# Define Monica version
|
||||
ENV MONICA_VERSION v2.17.0
|
||||
ENV MONICA_SHA512 9e208f3aee15eb8ffcd33aa834fc2a4c07ef3396234132d76e2563e0c17c596e5f505aa6527625b13be1f564f8583c4bbd2a54c44d26f8e9c8418d9636c8720b
|
||||
|
||||
ENV APACHE_DOCUMENT_ROOT /var/www/html/public
|
||||
RUN set -eu; sed -ri -e "s!/var/www/html!${APACHE_DOCUMENT_ROOT}!g" /etc/apache2/sites-available/*.conf; \
|
||||
sed -ri -e "s!/var/www/!${APACHE_DOCUMENT_ROOT}!g" /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf
|
||||
|
||||
RUN set -ex; \
|
||||
fetchDeps=" \
|
||||
gnupg \
|
||||
"; \
|
||||
apt-get update; \
|
||||
apt-get install -y --no-install-recommends $fetchDeps; \
|
||||
\
|
||||
curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
|
||||
echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
|
||||
for ext in tar.bz2 tar.bz2.asc; do \
|
||||
curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
|
||||
done; \
|
||||
\
|
||||
tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
rm monica.tar.bz2; \
|
||||
GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
|
||||
export GNUPGHOME="$(mktemp -d)"; \
|
||||
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
|
||||
gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
|
||||
\
|
||||
tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
\
|
||||
gpgconf --kill all; \
|
||||
rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
|
||||
\
|
||||
cp /var/www/html/.env.example /var/www/html/.env; \
|
||||
chown -R www-data:www-data /var/www/html
|
||||
chown -R www-data:www-data /var/www/html; \
|
||||
\
|
||||
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY entrypoint.sh \
|
||||
queue.sh \
|
||||
|
||||
@ -111,20 +111,32 @@ RUN set -ex; \
|
||||
|
||||
WORKDIR /var/www/html
|
||||
|
||||
# Define Monica version and expected SHA512 signature
|
||||
# Define Monica version
|
||||
ENV MONICA_VERSION v2.17.0
|
||||
ENV MONICA_SHA512 9e208f3aee15eb8ffcd33aa834fc2a4c07ef3396234132d76e2563e0c17c596e5f505aa6527625b13be1f564f8583c4bbd2a54c44d26f8e9c8418d9636c8720b
|
||||
|
||||
RUN set -ex; \
|
||||
apk add --no-cache --virtual .fetch-deps \
|
||||
bzip2 \
|
||||
gnupg \
|
||||
; \
|
||||
\
|
||||
curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
|
||||
echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
|
||||
for ext in tar.bz2 tar.bz2.asc; do \
|
||||
curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
|
||||
done; \
|
||||
\
|
||||
tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
rm monica.tar.bz2; \
|
||||
GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
|
||||
export GNUPGHOME="$(mktemp -d)"; \
|
||||
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
|
||||
gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
|
||||
\
|
||||
tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
\
|
||||
gpgconf --kill all; \
|
||||
rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
|
||||
\
|
||||
cp /var/www/html/.env.example /var/www/html/.env; \
|
||||
chown -R www-data:www-data /var/www/html; \
|
||||
|
||||
@ -122,22 +122,41 @@ RUN set -ex; \
|
||||
|
||||
WORKDIR /var/www/html
|
||||
|
||||
# Define Monica version and expected SHA512 signature
|
||||
# Define Monica version
|
||||
ENV MONICA_VERSION v2.17.0
|
||||
ENV MONICA_SHA512 9e208f3aee15eb8ffcd33aa834fc2a4c07ef3396234132d76e2563e0c17c596e5f505aa6527625b13be1f564f8583c4bbd2a54c44d26f8e9c8418d9636c8720b
|
||||
|
||||
|
||||
|
||||
RUN set -ex; \
|
||||
fetchDeps=" \
|
||||
gnupg \
|
||||
"; \
|
||||
apt-get update; \
|
||||
apt-get install -y --no-install-recommends $fetchDeps; \
|
||||
\
|
||||
curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
|
||||
echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
|
||||
for ext in tar.bz2 tar.bz2.asc; do \
|
||||
curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
|
||||
done; \
|
||||
\
|
||||
tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
rm monica.tar.bz2; \
|
||||
GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
|
||||
export GNUPGHOME="$(mktemp -d)"; \
|
||||
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
|
||||
|| gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
|
||||
gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
|
||||
\
|
||||
tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
|
||||
\
|
||||
gpgconf --kill all; \
|
||||
rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
|
||||
\
|
||||
cp /var/www/html/.env.example /var/www/html/.env; \
|
||||
chown -R www-data:www-data /var/www/html
|
||||
chown -R www-data:www-data /var/www/html; \
|
||||
\
|
||||
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
COPY entrypoint.sh \
|
||||
queue.sh \
|
||||
|
||||
@ -72,7 +72,6 @@ declare -A pecl_versions=(
|
||||
|
||||
version="$(curl -fsSL 'https://api.github.com/repos/monicahq/monica/releases/latest' | jq -r '.tag_name')"
|
||||
commit="$(curl -fsSL 'https://api.github.com/repos/monicahq/monica/tags' | jq -r 'map(select(.name | contains ("'$version'"))) | .[].commit.sha')"
|
||||
sha512="$(curl -fsSL "https://github.com/monicahq/monica/releases/download/$version/monica-$version.sha512" | grep monica-$version.tar.bz2 | awk '{ print $1 }')"
|
||||
|
||||
set -x
|
||||
|
||||
@ -88,7 +87,6 @@ for variant in apache fpm fpm-alpine; do
|
||||
s#%%LABEL%%#'"$label"'#;
|
||||
s/%%VERSION%%/'"$version"'/;
|
||||
s/%%COMMIT%%/'"$commit"'/;
|
||||
s/%%SHA512%%/'"$sha512"'/;
|
||||
s/%%CMD%%/'"${cmd[$variant]}"'/;
|
||||
s#%%APACHE_DOCUMENT%%#'"${document[$variant]}"'#;
|
||||
s/%%APCU_VERSION%%/'"${pecl_versions[APCu]}"'/;
|
||||
|
||||