
Use "/etc/apt/trusted.gpg.d" instead of "apt-key adv" #254

Merged
merged 1 commit into from
Jan 12, 2017

Conversation

tianon
Member

@tianon tianon commented Jan 10, 2017

Note: Instead of using this command a keyring should be placed
directly in the /etc/apt/trusted.gpg.d/ directory with a
descriptive name and either "gpg" or "asc" as file extension.

https://manpages.debian.org/cgi-bin/man.cgi?query=apt-key&manpath=Debian+testing+stretch

See also docker-library/cassandra#91, MariaDB/mariadb-docker#93, and docker-library/mongo#132.

cc @ltangvald

Collaborator

@ltangvald ltangvald left a comment


Does it need the apt-key list command at the end, or will that just produce a lot of extra output?

@tianon
Member Author

tianon commented Jan 12, 2017

Yeah, apt-get list was just to verify the result -- happy to remove it if you'd prefer. 👍

@tianon
Member Author

tianon commented Jan 12, 2017

(Or pipe its output to /dev/null -- it does verify that the /etc/apt/trusted.gpg.d bits don't have something obviously wrong that might blow up apt-get later, so probably still useful to have in)

@ltangvald
Collaborator

Yeah, might be useful to keep it as a test. I didn't check in a fresh Docker container, but on my regular box the command produces a lot of output, so maybe hide the standard output

@tianon
Member Author

tianon commented Jan 12, 2017

It's not too bad:

Step 7 : RUN set -ex; 	key='A4A9406876FCBD3C456770C88C718D3B5072E1F5'; 	export GNUPGHOME="$(mktemp -d)"; 	gpg --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; 	gpg --export "$key" > /etc/apt/trusted.gpg.d/mysql.gpg; 	rm -r "$GNUPGHOME"; 	apt-key list
 ---> Running in 6775d7946c13
+ key=A4A9406876FCBD3C456770C88C718D3B5072E1F5
+ mktemp -d
+ export GNUPGHOME=/tmp/tmp.kXDjUCKend
+ gpg --keyserver ha.pool.sks-keyservers.net --recv-keys A4A9406876FCBD3C456770C88C718D3B5072E1F5
gpg: keyring `/tmp/tmp.kXDjUCKend/secring.gpg' created
gpg: keyring `/tmp/tmp.kXDjUCKend/pubring.gpg' created
gpg: requesting key 5072E1F5 from hkp server ha.pool.sks-keyservers.net
gpg: /tmp/tmp.kXDjUCKend/trustdb.gpg: trustdb created
gpg: key 5072E1F5: public key "MySQL Release Engineering <[email protected]>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1
+ gpg --export A4A9406876FCBD3C456770C88C718D3B5072E1F5
+ rm -r /tmp/tmp.kXDjUCKend
+ apt-key list
/etc/apt/trusted.gpg.d/debian-archive-jessie-automatic.gpg
----------------------------------------------------------
pub   4096R/2B90D010 2014-11-21 [expires: 2022-11-19]
uid                  Debian Archive Automatic Signing Key (8/jessie) <[email protected]>

/etc/apt/trusted.gpg.d/debian-archive-jessie-security-automatic.gpg
-------------------------------------------------------------------
pub   4096R/C857C906 2014-11-21 [expires: 2022-11-19]
uid                  Debian Security Archive Automatic Signing Key (8/jessie) <[email protected]>

/etc/apt/trusted.gpg.d/debian-archive-jessie-stable.gpg
-------------------------------------------------------
pub   4096R/518E17E1 2013-08-17 [expires: 2021-08-15]
uid                  Jessie Stable Release Key <[email protected]>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-automatic.gpg
-----------------------------------------------------------
pub   4096R/473041FA 2010-08-27 [expires: 2018-03-05]
uid                  Debian Archive Automatic Signing Key (6.0/squeeze) <[email protected]>

/etc/apt/trusted.gpg.d/debian-archive-squeeze-stable.gpg
--------------------------------------------------------
pub   4096R/B98321F9 2010-08-07 [expires: 2017-08-05]
uid                  Squeeze Stable Release Key <[email protected]>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-automatic.gpg
----------------------------------------------------------
pub   4096R/46925553 2012-04-27 [expires: 2020-04-25]
uid                  Debian Archive Automatic Signing Key (7.0/wheezy) <[email protected]>

/etc/apt/trusted.gpg.d/debian-archive-wheezy-stable.gpg
-------------------------------------------------------
pub   4096R/65FFB764 2012-05-08 [expires: 2019-05-07]
uid                  Wheezy Stable Release Key <[email protected]>

/etc/apt/trusted.gpg.d/mysql.gpg
--------------------------------
pub   1024D/5072E1F5 2003-02-03 [expires: 2017-02-16]
uid                  MySQL Release Engineering <[email protected]>

@tianon
Member Author

tianon commented Jan 12, 2017

(but I'll go update to pipe that to /dev/null anyhow)

> Note: Instead of using this command a keyring should be placed
> directly in the /etc/apt/trusted.gpg.d/ directory with a
> descriptive name and either "gpg" or "asc" as file extension.

https://manpages.debian.org/cgi-bin/man.cgi?query=apt-key&manpath=Debian+testing+stretch
@yosifkit
Member

I double checked that an invalid key file in mysql.gpg would cause apt-key list > /dev/null to fail with semi-useful information. So, LGTM
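
The build step shown above fetches the pinned key into a throwaway GNUPGHOME, exports it to /etc/apt/trusted.gpg.d/mysql.gpg, and then runs apt-key list as a smoke test that the file is a keyring apt can read; the comment just above confirms that an invalid file makes that test fail. The following is an added example, not code from this pull request or from the docker-library/mysql project: a small Python checker that performs a comparable structural check offline by walking the OpenPGP packet headers of the exported file (RFC 4880, section 4.2), refusing anything that is not a binary keyring, and comparing the v4 fingerprint of each primary key with the fingerprint the Dockerfile pins, so a wrong or ASCII-armored file is caught before the image is built. The keyring bytes it parses are constructed inline for the demonstration and are not a real MySQL key; the check covers structure and fingerprint only and does not verify signatures.

```python
"""Sanity-check a binary keyring destined for /etc/apt/trusted.gpg.d.

A *.gpg file there must be what `gpg --export` writes: binary OpenPGP packets
starting with a Public-Key packet.  This walks the packet headers (RFC 4880,
section 4.2), rejects anything else (for example ASCII armor saved as .gpg),
and compares each primary key's v4 fingerprint with the one the Dockerfile
pins.  Structure and fingerprint only; signatures are not verified.
"""
import hashlib
import struct

PUBLIC_KEY, USER_ID = 6, 13  # packet tags from RFC 4880, section 4.3


def _take(data, pos, n):
    """Return data[pos:pos+n], refusing to run past the end of the file."""
    if pos + n > len(data):
        raise ValueError("truncated at offset %d" % pos)
    return data[pos:pos + n]


def parse_packets(data):
    """Return [(tag, body), ...] for every packet; raise ValueError on malformed input."""
    packets, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:  # bit 7 is set in every real header; the '-' of armor is 0x2D
            raise ValueError("offset %d: not an OpenPGP packet header" % (pos - 1))
        if ctb & 0x40:  # new-format header: tag in the low 6 bits, 1/2/5-byte length
            tag = ctb & 0x3F
            first = _take(data, pos, 1)[0]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + _take(data, pos, 1)[0] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", _take(data, pos, 4))[0]
                pos += 4
            else:
                raise ValueError("partial body lengths are not valid in a keyring")
        else:  # old-format header: tag in bits 5..2, length width in bits 1..0
            tag, length_type = (ctb >> 2) & 0x0F, ctb & 0x03
            if length_type == 3:
                raise ValueError("indeterminate length is not valid in a keyring")
            width = (1, 2, 4)[length_type]
            length = int.from_bytes(_take(data, pos, width), "big")
            pos += width
        packets.append((tag, _take(data, pos, length)))
        pos += length
    return packets


def v4_fingerprint(key_body):
    """SHA-1 over 0x99, a 2-byte length and the key packet body (RFC 4880, section 12.2)."""
    if not key_body or key_body[0] != 4:
        raise ValueError("only version-4 key packets are supported")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body)) + key_body)
    return digest.hexdigest().upper()


def check_keyring(data, expected_fingerprint):
    """Validate keyring bytes and return the primary-key fingerprints found.

    Raises ValueError if the bytes are not a binary keyring or if the pinned
    fingerprint (spaces and case ignored) is not among the primary keys.
    """
    packets = parse_packets(data)
    if not packets or packets[0][0] != PUBLIC_KEY:
        raise ValueError("keyring does not begin with a Public-Key packet")
    fingerprints = [v4_fingerprint(body) for tag, body in packets if tag == PUBLIC_KEY]
    wanted = expected_fingerprint.replace(" ", "").upper()
    if wanted not in fingerprints:
        raise ValueError("pinned fingerprint %s not in keyring (%s)" % (wanted, fingerprints))
    return fingerprints


def _old_format_packet(tag, body):
    """Encode body as an old-format packet with a one-byte length (bodies under 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _mpi(value):
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


# Constructed sample input (not a real key): a v4 RSA public-key packet with a toy
# modulus, then a User ID packet, laid out the way `gpg --export` would write them.
SAMPLE_KEY_BODY = b"\x04" + struct.pack(">I", 1044108048) + b"\x01" + _mpi(0xC3) + _mpi(65537)
SAMPLE_KEYRING = (_old_format_packet(PUBLIC_KEY, SAMPLE_KEY_BODY)
                  + _old_format_packet(USER_ID, b"Constructed Test Key <test@example.invalid>"))
SAMPLE_FINGERPRINT = v4_fingerprint(SAMPLE_KEY_BODY)

# The same kind of material saved as ASCII armor: gpg --export does not produce
# this, and parse_packets rejects it at the first byte.
SAMPLE_ARMORED = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENBF...\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

In a build you would read /etc/apt/trusted.gpg.d/mysql.gpg and call check_keyring on its bytes with the same $key value the RUN step pins; a non-zero exit from the ValueError fails the layer the same way the apt-key list test does, but with the offending fingerprint or offset in the message.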

@yosifkit yosifkit merged commit 64e0cf2 into docker-library:master Jan 12, 2017
@yosifkit yosifkit deleted the trusted.gpg.d branch January 12, 2017 22:53
tianon added a commit to infosiftr/stackbrew that referenced this pull request Jan 13, 2017
- `busybox`: 1.26.2
- `docker`: 1.13.0-rc6
- `elasticsearch`: 5.1.2, 2.4.4
- `ghost`: 0.11.4
- `haproxy`: 1.7.2
- `hello-seattle`: Hub->Cloud, Account->ID (docker-library/hello-world#25)
- `hello-world`: Hub->Cloud, Account->ID (docker-library/hello-world#25)
- `hola-mundo`: Hub->Cloud, Account->ID (docker-library/hello-world#25)
- `httpd`: 2.2.32
- `kibana`: 5.1.2, 4.6.4
- `logstash`: 5.1.2
- `mariadb`: 10.0.29+maria-1~jessie
- `mysql`: use `/etc/apt/trusted.gpg.d` instead of `apt-key adv` (docker-library/mysql#254)
- `rocket.chat`: 0.49.0
3 participants