From 3df6c3ab7199e11013bfc5e78bae2482c8e2ebcf Mon Sep 17 00:00:00 2001
From: Alexis Saettler
Date: Fri, 15 May 2020 21:04:26 +0200
Subject: [PATCH] Use gpg sign to check content (#13)
---
 Dockerfile-alpine.template | 24 ++++++++++++++++++------
 Dockerfile-debian.template | 33 ++++++++++++++++++++++++++-------
 apache/Dockerfile | 33 ++++++++++++++++++++++++++-------
 fpm-alpine/Dockerfile | 24 ++++++++++++++++++------
 fpm/Dockerfile | 33 ++++++++++++++++++++++++++-------
 update.sh | 2 --
 6 files changed, 114 insertions(+), 35 deletions(-)
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 243d4ef..a98d2c7 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -104,20 +104,32 @@ RUN set -ex; \
 WORKDIR /var/www/html
-# Define Monica version and expected SHA512 signature
+# Define Monica version
 ENV MONICA_VERSION %%VERSION%%
-ENV MONICA_SHA512 %%SHA512%%
 RUN set -ex; \
 apk add --no-cache --virtual .fetch-deps \
 bzip2 \
+ gnupg \
 ; \
 \
- curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
- echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
+ for ext in tar.bz2 tar.bz2.asc; do \
+ curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
+ done; \
 \
- tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
- rm monica.tar.bz2; \
+ GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
+ gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
+ \
+ tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
+ \
+ gpgconf --kill all; \
+ rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
 \
 cp /var/www/html/.env.example /var/www/html/.env; \
 chown -R www-data:www-data /var/www/html; \
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index d172c22..2a7a5f2 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
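Review bot: The pinned fingerprint in `GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'` is only ever resolved through the five public keyservers in the `|| gpg --batch --keyserver …` chain, so every build depends on at least one of them being reachable and answering, and nothing in the hunk records whose key this is or how the fingerprint was obtained. Consider committing the exported public key to the build context and importing it with `gpg --batch --import`, keeping the fingerprint as the pin, so the build is reproducible without third-party keyservers and a keyserver outage or a poisoned certificate cannot break it. Either way the assignment deserves a comment such as `# Fingerprint of the upstream Monica release-signing key; verify any change here against the project's published key` so a future edit to this value is recognised as a trust decision rather than a typo fix. The `.fetch-deps` virtual package now also carries gnupg; its `apk del` presumably happens later in this RUN step, outside the hunk, and is worth confirming so gpg does not stay in the final image.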
@@ -115,22 +115,41 @@ RUN set -ex; \
 WORKDIR /var/www/html
-# Define Monica version and expected SHA512 signature
+# Define Monica version
 ENV MONICA_VERSION %%VERSION%%
-ENV MONICA_SHA512 %%SHA512%%
 %%APACHE_DOCUMENT%%
 RUN set -ex; \
+ fetchDeps=" \
+ gnupg \
+ "; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends $fetchDeps; \
 \
- curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
- echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
+ for ext in tar.bz2 tar.bz2.asc; do \
+ curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
+ done; \
 \
- tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
- rm monica.tar.bz2; \
+ GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
+ gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
+ \
+ tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
+ \
+ gpgconf --kill all; \
+ rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
 \
 cp /var/www/html/.env.example /var/www/html/.env; \
- chown -R www-data:www-data /var/www/html
+ chown -R www-data:www-data /var/www/html; \
+ \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
+ rm -rf /var/lib/apt/lists/*
 COPY entrypoint.sh \
 queue.sh \
diff --git a/apache/Dockerfile b/apache/Dockerfile
index 3e673c2..968a867 100644
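Review bot: `gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc …` is the only gate in front of `tar -xf`, and as far as I recall gpg exits 0 for a good signature even when the signing key has since expired or been revoked — it only prints a warning — so a revocation published after a key compromise would not stop this build even though the `--recv-keys` step would have fetched it. If that matters for these images, run the verification with `--status-fd 1` and require a `VALIDSIG` line carrying the pinned fingerprint (and no `REVKEYSIG`/`EXPKEYSIG`) instead of relying on the exit code alone, or at least record the limitation in a comment beside the verify line. The fetch-deps install/purge bracketing (`$fetchDeps` installed at the top, purged with `--auto-remove` after `chown`) reads correctly and keeps gnupg out of the final layer.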
--- a/apache/Dockerfile
+++ b/apache/Dockerfile
@@ -122,24 +122,43 @@ RUN set -ex; \
 WORKDIR /var/www/html
-# Define Monica version and expected SHA512 signature
+# Define Monica version
 ENV MONICA_VERSION v2.17.0
-ENV MONICA_SHA512 9e208f3aee15eb8ffcd33aa834fc2a4c07ef3396234132d76e2563e0c17c596e5f505aa6527625b13be1f564f8583c4bbd2a54c44d26f8e9c8418d9636c8720b
 ENV APACHE_DOCUMENT_ROOT /var/www/html/public
 RUN set -eu; sed -ri -e "s!/var/www/html!${APACHE_DOCUMENT_ROOT}!g" /etc/apache2/sites-available/*.conf; \
 sed -ri -e "s!/var/www/!${APACHE_DOCUMENT_ROOT}!g" /etc/apache2/apache2.conf /etc/apache2/conf-available/*.conf
 RUN set -ex; \
+ fetchDeps=" \
+ gnupg \
+ "; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends $fetchDeps; \
 \
- curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
- echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
+ for ext in tar.bz2 tar.bz2.asc; do \
+ curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
+ done; \
 \
- tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
- rm monica.tar.bz2; \
+ GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
+ gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
+ \
+ tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
+ \
+ gpgconf --kill all; \
+ rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
 \
 cp /var/www/html/.env.example
/var/www/html/.env; \
- chown -R www-data:www-data /var/www/html
+ chown -R www-data:www-data /var/www/html; \
+ \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
+ rm -rf /var/lib/apt/lists/*
 COPY entrypoint.sh \
 queue.sh \
diff --git a/fpm-alpine/Dockerfile b/fpm-alpine/Dockerfile
index 663bdc4..43735e0 100644
--- a/fpm-alpine/Dockerfile
+++ b/fpm-alpine/Dockerfile
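Review bot: The fingerprint `GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'` and the whole keyserver fallback chain are now hard-coded identically in this generated file, in fpm/Dockerfile, fpm-alpine/Dockerfile and both templates, so a key rotation means five coordinated edits and a missed one silently keeps trusting the old key. Since update.sh already substitutes `%%VERSION%%` and `%%COMMIT%%` into the templates, a `%%GPGKEY%%` placeholder filled from one variable in update.sh would keep a single source of truth; the rendered `ENV MONICA_VERSION v2.17.0` line shows the generator already handles per-variant values this way. This file appears to be generated from Dockerfile-debian.template, so the change should land in the template and be regenerated rather than edited here; the two match as far as this hunk shows.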
@@ -111,20 +111,32 @@ RUN set -ex; \
 WORKDIR /var/www/html
-# Define Monica version and expected SHA512 signature
+# Define Monica version
 ENV MONICA_VERSION v2.17.0
-ENV MONICA_SHA512 9e208f3aee15eb8ffcd33aa834fc2a4c07ef3396234132d76e2563e0c17c596e5f505aa6527625b13be1f564f8583c4bbd2a54c44d26f8e9c8418d9636c8720b
 RUN set -ex; \
 apk add --no-cache --virtual .fetch-deps \
 bzip2 \
+ gnupg \
 ; \
 \
- curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
- echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
+ for ext in tar.bz2 tar.bz2.asc; do \
+ curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
+ done; \
 \
- tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
- rm monica.tar.bz2; \
+ GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
+ gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
+ \
+ tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
+ \
+ gpgconf --kill all; \
+ rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
 \
 cp /var/www/html/.env.example /var/www/html/.env; \
 chown -R www-data:www-data /var/www/html; \
diff --git a/fpm/Dockerfile b/fpm/Dockerfile
index ca8675b..7bb5abd 100644
--- a/fpm/Dockerfile
+++ b/fpm/Dockerfile
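Review bot: The replacement comment `+# Define Monica version` drops the only mention of integrity checking, so a reader of the ENV block no longer sees that the tarball fetched in the RUN step below is authenticated at all; suggest `# Define Monica version; the release tarball is verified below against the pinned release-signing key before extraction`. A one-line comment above `export GNUPGHOME="$(mktemp -d)"` would also make the trust model explicit, e.g. `# throwaway keyring: only the key fetched for $GPGKEY can satisfy --verify`, since that isolation is what turns a generic gpg check into a pin. Both comments describe only what the hunk already does and cost nothing at build time.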
@@ -122,22 +122,41 @@ RUN set -ex; \
 WORKDIR /var/www/html
-# Define Monica version and expected SHA512 signature
+# Define Monica version
 ENV MONICA_VERSION v2.17.0
-ENV MONICA_SHA512 9e208f3aee15eb8ffcd33aa834fc2a4c07ef3396234132d76e2563e0c17c596e5f505aa6527625b13be1f564f8583c4bbd2a54c44d26f8e9c8418d9636c8720b
 RUN set -ex; \
+ fetchDeps=" \
+ gnupg \
+ "; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends $fetchDeps; \
 \
- curl -fsSL -o monica.tar.bz2 "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.tar.bz2"; \
- echo "$MONICA_SHA512 monica.tar.bz2" | sha512sum -c -; \
+ for ext in tar.bz2 tar.bz2.asc; do \
+ curl -fsSL -o monica-${MONICA_VERSION}.$ext "https://github.com/monicahq/monica/releases/download/${MONICA_VERSION}/monica-${MONICA_VERSION}.$ext"; \
+ done; \
 \
- tar -xf monica.tar.bz2 -C /var/www/html --strip-components=1; \
- rm monica.tar.bz2; \
+ GPGKEY='BDAB0D0D36A00466A2964E85DE15667131EA6018'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver ipv4.pool.sks-keyservers.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keys.gnupg.net --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
+ || gpg --batch --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
+ gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc monica-${MONICA_VERSION}.tar.bz2; \
+ \
+ tar -xf monica-${MONICA_VERSION}.tar.bz2 -C /var/www/html --strip-components=1; \
+ \
+ gpgconf --kill all; \
+ rm -r "$GNUPGHOME" monica-${MONICA_VERSION}.tar.bz2 monica-${MONICA_VERSION}.tar.bz2.asc; \
 \
 cp /var/www/html/.env.example /var/www/html/.env; \
- chown -R www-data:www-data /var/www/html
+ chown -R www-data:www-data /var/www/html; \
+ \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $fetchDeps; \
+ rm -rf /var/lib/apt/lists/*
 COPY entrypoint.sh \
 queue.sh \
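Review bot: The detached signature checked by `gpg --batch --verify monica-${MONICA_VERSION}.tar.bz2.asc …` proves the archive was signed by the pinned key, not that it is the release named in `ENV MONICA_VERSION v2.17.0`; any older tarball signed with the same key, served together with its own `.asc`, would pass and be extracted. Because the download URL embeds the version this needs the release host to misbehave, so the risk is low, but it is the one thing the old SHA512 pin caught that the signature does not. If the extracted tree carries a version marker, a post-`tar -xf` comparison against `$MONICA_VERSION` would close the gap; otherwise a comment beside the verify line noting that version binding relies on the URL alone is worth adding.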
diff --git a/update.sh b/update.sh
index 086e5ff..478d20c 100755
--- a/update.sh
+++ b/update.sh
@@ -72,7 +72,6 @@ declare -A pecl_versions=(
 version="$(curl -fsSL 'https://api.github.com/repos/monicahq/monica/releases/latest' | jq -r '.tag_name')"
 commit="$(curl -fsSL 'https://api.github.com/repos/monicahq/monica/tags' | jq -r 'map(select(.name | contains ("'$version'"))) | .[].commit.sha')"
-sha512="$(curl -fsSL "https://github.com/monicahq/monica/releases/download/$version/monica-$version.sha512" | grep monica-$version.tar.bz2 | awk '{ print $1 }')"
 set -x
@@ -88,7 +87,6 @@ for variant in apache fpm fpm-alpine; do
 s#%%LABEL%%#'"$label"'#;
 s/%%VERSION%%/'"$version"'/;
 s/%%COMMIT%%/'"$commit"'/;
-s/%%SHA512%%/'"$sha512"'/;
 s/%%CMD%%/'"${cmd[$variant]}"'/;
 s#%%APACHE_DOCUMENT%%#'"${document[$variant]}"'#;
 s/%%APCU_VERSION%%/'"${pecl_versions[APCu]}"'/;