From 99ca245191755904aae331ace12f68d50d5ec89d Mon Sep 17 00:00:00 2001
From: Dean Coakley
Date: Mon, 6 Nov 2023 15:32:23 +0000
Subject: [PATCH 1/3] Fix alpine plus dockerfile for alpine>=3.17 * Signature verificaiton failure due to openssl=v3.x
---
 scripts/docker/nginx-plus/alpine/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/docker/nginx-plus/alpine/Dockerfile b/scripts/docker/nginx-plus/alpine/Dockerfile
index a3f077006..caffe73f0 100644
--- a/scripts/docker/nginx-plus/alpine/Dockerfile
+++ b/scripts/docker/nginx-plus/alpine/Dockerfile
@@ -20,7 +20,7 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem \
 && apk add --no-cache --virtual .cert-deps \
 openssl \
 && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
- && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
+ && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | sed -e 's/Public-Key/RSA Public-Key/' | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
 echo "key verification succeeded!"; \
 mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
 else \
From e91716b656e4b648884b3a4ae3bd53d6755ce110 Mon Sep 17 00:00:00 2001
From: Dean Coakley
Date: Mon, 6 Nov 2023 15:42:15 +0000
Subject: [PATCH 2/3] Update expected key and to newer format
---
 scripts/docker/nginx-plus/alpine/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/docker/nginx-plus/alpine/Dockerfile b/scripts/docker/nginx-plus/alpine/Dockerfile
index caffe73f0..0586273a8 100644
--- a/scripts/docker/nginx-plus/alpine/Dockerfile
+++ b/scripts/docker/nginx-plus/alpine/Dockerfile
@@ -16,11 +16,11 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem \
 && addgroup -g 101 -S nginx \
 && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \
 # Check signing key
- && KEY_SHA512="e7fa8303923d9b95db37a77ad46c68fd4755ff935d0a534d26eba83de193c76166c68bfe7f65471bf8881004ef4aa6df3e34689c305662750c0172fca5d8552a *stdin" \
+ && KEY_SHA512="de7031fdac1354096d3388d6f711a508328ce66c168967ee0658c294226d6e7a161ce7f2628d577d56f8b63ff6892cc576af6f7ef2a6aa2e17c62ff7b6bf0d98 *stdin" \
 && apk add --no-cache --virtual .cert-deps \
 openssl \
 && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
- && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | sed -e 's/Public-Key/RSA Public-Key/' | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
+ && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | sed -e 's/RSA Public-Key/Public-Key/' | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
 echo "key verification succeeded!"; \
 mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
 else \
From e427b12073860eb71f21dc7376a8aec941e7a593 Mon Sep 17 00:00:00 2001
From: Dean Coakley
Date: Mon, 6 Nov 2023 15:45:02 +0000
Subject: [PATCH 3/3] Add note
---
 scripts/docker/nginx-plus/alpine/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/scripts/docker/nginx-plus/alpine/Dockerfile b/scripts/docker/nginx-plus/alpine/Dockerfile
index 0586273a8..09a229de9 100644
--- a/scripts/docker/nginx-plus/alpine/Dockerfile
+++ b/scripts/docker/nginx-plus/alpine/Dockerfile
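Review bot: The new `KEY_SHA512` value replaces a pinned trust anchor, but nothing in the hunk records how the digest was produced, so a reader cannot tell a format-driven change from a different key being pinned. The download URL is unchanged and the `sed` now rewrites `RSA Public-Key` to `Public-Key`, which suggests the digest is of the OpenSSL 3.x text dump of the same key; that should be stated next to the value, for example `# sha512 of "openssl rsa -pubin -text -noout" output in OpenSSL 3.x form (header "Public-Key")`. It is also worth confirming the digest against a copy of the key obtained independently of this build, since the file fetched here is what apk will trust afterwards. The `else` branch continues outside the hunk, so whether a mismatch fails the build cannot be checked from here.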
@@ -20,6 +20,7 @@ RUN --mount=type=secret,id=nginx-crt,dst=/etc/apk/cert.pem \
 && apk add --no-cache --virtual .cert-deps \
 openssl \
 && wget -O /tmp/nginx_signing.rsa.pub https://nginx.org/keys/nginx_signing.rsa.pub \
+ # sed replace is required for openssl=v1.x which is used in alpine<=3.16
 && if [ "$(openssl rsa -pubin -in /tmp/nginx_signing.rsa.pub -text -noout | sed -e 's/RSA Public-Key/Public-Key/' | openssl sha512 -r)" = "$KEY_SHA512" ]; then \
 echo "key verification succeeded!"; \
 mv /tmp/nginx_signing.rsa.pub /etc/apk/keys/; \
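Review bot: The added comment explains the `sed`, but the check on the following line still hashes OpenSSL's human-readable `-text` output, so any later change in that wording fails the build again, as it did with OpenSSL 3.x; the same line is touched in the hunks of patches 1/3 and 2/3. Hashing the downloaded file's bytes does not depend on the OpenSSL version and pins exactly what is moved into `/etc/apk/keys/`, e.g. `&& echo "<SHA512_OF_KEY_FILE>  /tmp/nginx_signing.rsa.pub" | sha512sum -c - \` (placeholder digest, to be computed from a verified copy of the key). If the text-based check stays, the comment could also say that `KEY_SHA512` is the digest of the 3.x-style output, so that nobody regenerates it on alpine<=3.16 without the `sed`. The `RUN` instruction starts and ends outside the hunk.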