
Commit d78e8df

committed
Update all gpg --recv-keys invocations with explicit "did it download" checks
This solves for the case where `gpg --recv-keys` receives enough valid data that it doesn't return a non-zero exit code but also doesn't import a key, by explicitly checking afterwards that it did import the key we asked for (so that the fallback to keyserver.ubuntu.com actually happens appropriately for keys whose UIDs are no longer validated on keys.openpgp.org).
1 parent 89b29ef commit d78e8df


21 files changed

+84
-84
lines changed


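--- a/20/alpine3.21/Dockerfile
+++ b/20/alpine3.21/Dockerfile
@@ -50,8 +50,8 @@ RUN addgroup -g 1000 node \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -86,8 +86,8 @@ RUN apk add --no-cache --virtual .build-deps-yarn curl gnupg tar \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \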
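Review bot: In the Node.js release-key loop (hunk `@@ -50,8 +50,8 @@`), a key that fails both the keys.openpgp.org group and the keyserver.ubuntu.com group still does not stop the build unless it is the last key in the list. The loop is a non-final member of an `&&` chain, so only the status of the final iteration is tested, and any `set -e` in effect is ignored inside it. The new `gpg --batch --fingerprint "$key"` check therefore triggers the fallback but never a hard failure for earlier keys. Ending the second group with `|| exit 1`, i.e. `{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || exit 1 ; \`, would fail the build at the missing key instead of leaving it to whatever signature verification follows outside the hunk. The same loop appears in the corresponding hunk of every other Dockerfile on this page, and the `for` list and the RUN instruction both start above the hunk.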

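--- a/20/alpine3.22/Dockerfile
+++ b/20/alpine3.22/Dockerfile
@@ -50,8 +50,8 @@ RUN addgroup -g 1000 node \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -86,8 +86,8 @@ RUN apk add --no-cache --virtual .build-deps-yarn curl gnupg tar \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \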

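--- a/20/bookworm-slim/Dockerfile
+++ b/20/bookworm-slim/Dockerfile
@@ -32,8 +32,8 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -71,8 +71,8 @@ RUN set -ex \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \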

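--- a/20/bookworm/Dockerfile
+++ b/20/bookworm/Dockerfile
@@ -29,8 +29,8 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -54,8 +54,8 @@ RUN set -ex \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \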

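--- a/20/bullseye-slim/Dockerfile
+++ b/20/bullseye-slim/Dockerfile
@@ -32,8 +32,8 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -71,8 +71,8 @@ RUN set -ex \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \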

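--- a/20/bullseye/Dockerfile
+++ b/20/bullseye/Dockerfile
@@ -29,8 +29,8 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -54,8 +54,8 @@ RUN set -ex \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \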

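--- a/22/alpine3.21/Dockerfile
+++ b/22/alpine3.21/Dockerfile
@@ -50,8 +50,8 @@ RUN addgroup -g 1000 node \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -86,8 +86,8 @@ RUN apk add --no-cache --virtual .build-deps-yarn curl gnupg tar \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \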

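--- a/22/alpine3.22/Dockerfile
+++ b/22/alpine3.22/Dockerfile
@@ -50,8 +50,8 @@ RUN addgroup -g 1000 node \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -86,8 +86,8 @@ RUN apk add --no-cache --virtual .build-deps-yarn curl gnupg tar \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \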

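--- a/22/bookworm-slim/Dockerfile
+++ b/22/bookworm-slim/Dockerfile
@@ -32,8 +32,8 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -71,8 +71,8 @@ RUN set -ex \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \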

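--- a/22/bookworm/Dockerfile
+++ b/22/bookworm/Dockerfile
@@ -29,8 +29,8 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
 108F52B48DB57BB0CC439B2997B01419BD92F80A \
 A363A499291CBBC940DD62E41F10027AF002F8B0 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
 && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -54,8 +54,8 @@ RUN set -ex \
 && for key in \
 6A010C5166006599AA17F08146C2130DFD2497F5 \
 ; do \
-gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \
+{ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \
 done \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
 && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \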
