@@ -5,7 +5,7 @@ RUN set -eux; \
55 dpkgArch="$(dpkg --print-architecture)"; \
66 apt-get install --update -y --no-install-recommends \
77 ca-certificates \
8- gnupg \
8+ sq \
99 wget \
1010 \
1111 gcc \
@@ -43,14 +43,28 @@ RUN set -eux; \
4343# https://musl.libc.org/releases.html
4444ENV MUSL_VERSION 1.2.5
4545RUN set -eux; \
46- wget -O musl.tgz.asc "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc"; \
47- wget -O musl.tgz "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz"; \
48- \
49- export GNUPGHOME="$(mktemp -d)"; \
50- gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '836489290BB6B70F99FFDA0556BCDB593020450F'; \
51- gpg --batch --verify musl.tgz.asc musl.tgz; \
52- gpgconf --kill all; \
53- rm -rf "$GNUPGHOME" musl.tgz.asc; \
46+ # > Since 1.1.7, releases are signed with the project GPG key. Its fingerprint is 8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F.
47+ muslKey='8364 8929 0BB6 B70F 99FF DA05 56BC DB59 3020 450F'; \
48+ #
49+ # Error: No binding signature at time 2025-08-12T23:23:25Z
50+ # because: Policy rejected non-revocation signature (PositiveCertification) requiring second pre-image resistance
51+ # because: SHA1 is not considered secure since 2023-02-01T00:00:00Z
52+ #
53+ # and then:
54+ #
55+ # Error: Policy rejected non-revocation signature (Binary) requiring collision resistance
56+ # because: SHA1 is not considered secure since 2013-02-01T00:00:00Z
57+ # 0 authenticated signatures, 1 bad signature.
58+ #
59+ sq='sq --policy-as-of 2013-01-01T00:00:00Z'; \
60+ $sq network search "$muslKey"; \
61+ $sq pki link add --cert "$muslKey" --userid 'musl libc <musl@libc.org>'; \
62+ $sq download \
63+ --output 'musl.tgz' \
64+ --url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz" \
65+ --signature-url "https://musl.libc.org/releases/musl-$MUSL_VERSION.tar.gz.asc" \
66+ --signer "$muslKey" \
67+ ; \
5468 \
5569 mkdir /usr/local/src/musl; \
5670 tar --extract --file musl.tgz --directory /usr/local/src/musl --strip-components 1; \
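Review bot: `sq='sq --policy-as-of 2013-01-01T00:00:00Z'` (new line 59) rolls the cryptographic policy back for every sq invocation that follows, so the `sq download` on new lines 62-67 accepts a SHA-1-based data signature over the tarball, which is exactly the "requiring collision resistance" rejection the quoted errors describe; with gnupg this weakness was silent, with sq it is now explicit but waived. Since SHA-1 chosen-prefix collisions are practical, the signature alone no longer rules out a substituted tarball, so I would pin the archive digest alongside the version, e.g. `ENV MUSL_SHA256 <known digest>` next to `ENV MUSL_VERSION 1.2.5`, and check it right after the download with `echo "$MUSL_SHA256 *musl.tgz" | sha256sum -c -`, so the signature and the pinned digest back each other up. It would also help to state the trade-off where the policy is set, e.g. `# NOTE: the 2013 policy is needed only because upstream signs with SHA-1; it weakens verification to pre-collision-resistance guarantees, hence the digest pin below`. The `RUN set -eux; \` that these lines belong to starts on new line 45 inside the hunk but continues past its end.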