Add support for Arch Linux Dockerfiles

[kpcyrd]

It's half-working, it currently fails with this error:

#15 21.96 (231/236) xz-5.2.7-1-x86_64.pkg.tar.zst Already installed
#15 21.96 (232/236) xz-5.2.7-1-x86_64.pkg.tar.zst.sig Cached
#15 21.96 (233/236) zlib-1:1.2.13-1-x86_64.pkg.tar.zst Already installed
#15 21.96 (234/236) zlib-1:1.2.13-1-x86_64.pkg.tar.zst.sig Cached
#15 21.96 (235/236) zstd-1.5.2-7-x86_64.pkg.tar.zst Already installed
#15 21.96 (236/236) zstd-1.5.2-7-x86_64.pkg.tar.zst.sig Cached
#15 21.96 time="2022-10-21T20:51:59Z" level=info msg="Running '/usr/sbin/pacman-key --verify ...' with 118 signatures"
#15 21.98 ==> Checking /tmp/repro-get-pacman-3422555567.tmp/acl-2.3.1-2-x86_64.pkg.tar.zst.sig... (detached)
#15 21.99 gpg: Signature made Tue Feb  1 15:50:49 2022 UTC
#15 21.99 gpg:                using EDDSA key 0429897DE5F3BDAC537A30696D42BDD116E0068F
#15 21.99 gpg: BAD signature from "Christian Hesse (Arch Linux Package Signing) <arch@eworm.de>" [full]
#15 22.00 ==> ERROR: The signature identified by /tmp/repro-get-pacman-3422555567.tmp/acl-2.3.1-2-x86_64.pkg.tar.zst.sig could not be verified.
#15 22.01 time="2022-10-21T20:51:59Z" level=fatal msg="exit status 1"

I'm not sure why, adding pacman-key -l 0429897DE5F3BDAC537A30696D42BDD116E0068F to the Dockerfile shows that the key is present, yet pacman-key --verify is failing.

[kpcyrd]

I fixed the signature error, pacman-key --verify is a very thin wrapper around gnupg and passing multiple signatures at once doesn't work, it would try to read the 2nd signature as the package for the 1st signature. I've fixed this now but the way the Dockerfile works it still uses repro-get 0.2.0 which doesn't contain my fix.

[AkihiroSuda]

This has to be executed with https://archive.archlinux.org/repos/yyyy/MM/dd that corresponds to the SOURCE_DATE_EPOCH .

[kpcyrd]

Done, but in practice I would most likely want to override this to get the latest security patches when updating my SHA256SUMS file. :)

[AkihiroSuda]

The default mode should maximize reproducibility/non-determinism, but having an ARG option to get the latest updates sounds good as well

[AkihiroSuda]

?

[kpcyrd]

pacman-key is a thin wrapper around gnupg, and instead of "trust every key in our keyring package" it evaluates the pgp web-of-trust client side during an upgrade to ensure every packager key is trusted by multiple Arch Linux master keys (as a defense in depth mechanism, Debian and Alpine are more pragmatic in that regard).

To process this graph, gnupg needs to use lsign and to do that it needs access to a private key (that's what pacman-key --init does, among other things). This key should not remain in the final image tho, leaking the private key while the public key is also still trusted in the final image would be very bad, for that reason it's best to just nuke the whole folder that contains the pgp web-of-trust stuff after we're done with it.

[AkihiroSuda]

Thanks, could you add that explanation to the comment lines in Dockerfile.tmpl ?

[kpcyrd]

Done

[AkihiroSuda]

Thanks