-
Notifications
You must be signed in to change notification settings - Fork 46
Issue #113 Use an image containing a KEYS file to avoid downloading keys #114
Conversation
…erify distribution Signed-off-by: olivier lamy <olamy@apache.org>
Signed-off-by: olivier lamy <olamy@apache.org>
Signed-off-by: olivier lamy <olamy@apache.org>
Signed-off-by: olivier lamy <olamy@apache.org>
See https://github.com/docker-library/official-images#repeatability, especially:
Additionally https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification, especially:
(emphasis mine) |
@tianon jettyproject:keys image is an official image published by a Jetty committer but I'm not sure what "official image" means in the docker world..... |
@olamy what is your comment about multistage builds referring to? If multistage builds are an option, I could see having a stage that has enough to build the GPG keyring and uses the usual @tianon apologies if this is something I could easily look up, but are multistage |
The benefit of having the key fetching in a separate stage is that we may be able to make that stage simple enough that it can be cached more robustly by Docker build servers, but maybe that's a negligible impact. |
Here's what I have in mind: FROM openjdk:11-jre AS keys # change this to a smaller, simpler base, maybe one with a minimal GPG setup
# GPG Keys are personal keys of Jetty committers (see https://github.com/eclipse/jetty.project/blob/0607c0e66e44b9c12a62b85551da3a0edce0281e/KEYS.txt)
ENV JETTY_GPG_KEYS \
# Jan Bartel <janb@mortbay.com>
AED5EE6C45D0FE8D5D1B164F27DED4BF6216DB8F \
# Jesse McConnell <jesse.mcconnell@gmail.com>
2A684B57436A81FA8706B53C61C3351A438A3B7D \
# Joakim Erdfelt <joakim.erdfelt@gmail.com>
5989BAF76217B843D66BE55B2D0E1FB8FE4B68B4 \
# Joakim Erdfelt <joakim@apache.org>
B59B67FD7904984367F931800818D9D68FB67BAC \
# Joakim Erdfelt <joakim@erdfelt.com>
BFBB21C246D7776836287A48A04E0C74ABB35FEA \
# Simone Bordet <simone.bordet@gmail.com>
8B096546B1A8F02656B15D3B1677D141BCF3584D \
# Greg Wilkins <gregw@webtide.com>
FBA2B18D238AB852DF95745C76157BDF03D0DCD6 \
# Greg Wilkins <gregw@webtide.com>
5C9579B3DB2E506429319AAEF33B071B29559E1E
RUN mkdir /jetty-keys
RUN set -xe \
&& export GNUPGHOME=/jetty-keys \
# Make this as robust as it needs to be, possibly using a helper script
&& for key in $JETTY_GPG_KEYS; do \
gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; done
FROM openjdk:11-jre
# Some stuff
COPY --from=keys /jetty-keys/trustdb.gpg /jetty-keys/trustdb.gpg
RUN set -xe \
&& curl -SL "$JETTY_TGZ_URL" -o jetty.tar.gz \
&& curl -SL "$JETTY_TGZ_URL.asc" -o jetty.tar.gz.asc \
&& GNUPGHOME=/jetty-keys gpg --batch --verify jetty.tar.gz.asc jetty.tar.gz \
&& tar -xvf jetty.tar.gz --strip-components=1 \
&& sed -i '/jetty-logging/d' etc/jetty.conf \
&& rm jetty.tar.gz* \
&& rm -rf /tmp/hsperfdata_root
# Some other stuff |
If there were a simple "add gpg key" helper script and some reasonable approach to |
this will not prevent fetching an external server... the main goal here is avoid such download because those datas never change. |
I think in light of the section @tianon quoted, that goal should be reconsidered. At this point, the OpenPGP pool seems like a better option to me |
The keys themselves may not change, but hopefully the metadata does (key
expiration date, for example).
|
so I guess we abandon this and simply change the server and keep duplicating keys in different files? |
@olamy I think so. The multistage Dockerfile as suggest above looks like it will give many of the benefits of this PR as it will build a base image containing the keys that will only be rebuilt if that section of the Dockerfile changes |
fix #113