From 048e15a4a57e821cf61a0c11968d029933cf0e2e Mon Sep 17 00:00:00 2001
From: Jeremy Studer
Date: Wed, 8 Aug 2018 22:11:44 -0400
Subject: [PATCH 1/4] Store all intermediate files in temp dir

Makes for easy cleanup.
---
 Dockerfile | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 811f59e..ff74ffb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,19 +12,20 @@ RUN buildDeps=' \
 libencode-perl \
 make \
 ' \
+ tmpdir="$(mktemp -d)" \
 && set -x \
 && apt-get update \
 && apt-get --yes install --no-install-recommends $buildDeps \
 && rm -rf /var/lib/apt/lists/* \
- && mkdir /root/rakudo \
- && curl -fsSL http://rakudo.org/downloads/star/rakudo-star-${rakudo_version}.tar.gz -o rakudo.tar.gz \
- && tar xzf rakudo.tar.gz --strip-components=1 -C /root/rakudo \
+ && mkdir ${tmpdir}/rakudo \
+ && curl -fsSL http://rakudo.org/downloads/star/rakudo-star-${rakudo_version}.tar.gz -o ${tmpdir}/rakudo.tar.gz \
+ && tar xzf ${tmpdir}/rakudo.tar.gz --strip-components=1 -C ${tmpdir}/rakudo \
 && ( \
- cd /root/rakudo \
+ cd ${tmpdir}/rakudo \
 && perl Configure.pl --prefix=/usr --gen-moar \
 && make install \
 ) \
- && rm -rf /rakudo.tar.gz /root/rakudo \
+ && rm -rf $tmpdir \
 && apt-get purge -y --auto-remove $buildDeps

 ENV PATH=$PATH:/usr/share/perl6/site/bin

From 33cba95cd446d00816f0cd5c9ba97edef75ae6a5 Mon Sep 17 00:00:00 2001
From: Jeremy Studer
Date: Wed, 8 Aug 2018 23:28:31 -0400
Subject: [PATCH 2/4] Upgrade security of Dockerfile

* Use https to retrieve archive from Rakudo server
* Retrieve PGP signature from Rakudo server (https)
* Retrieve PGP public key over hkps and using full fingerprint
* Verify archive using signature (explicitly with gpg2)
---
 Dockerfile | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index ff74ffb..41d4b7f 100644
--- a/Dockerfile
+++ b/Dockerfile
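Review bot: The scratch directory is expanded unquoted and without an option terminator on the last added line, `+ && rm -rf $tmpdir \`, and the same unquoted `${tmpdir}` form is used in the new mkdir/curl/tar/cd lines; `mktemp -d` output contains no whitespace today, so this is a style point rather than a live bug, but `&& rm -rf -- "$tmpdir" \` is the defensive form and costs nothing. The RUN instruction this hunk edits starts before the hunk (only the tail of the `buildDeps` assignment is visible), so `tmpdir="$(mktemp -d)"` is a second assignment on that same shell command and the whole chain runs as one `/bin/sh -c` invocation. A one-line comment above the assignment, such as `# scratch dir for the download and build tree; removed at the end of this RUN`, would make that lifecycle explicit to the next maintainer.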
@@ -12,13 +12,22 @@ RUN buildDeps=' \
 libencode-perl \
 make \
 ' \
+ url="https://rakudo.org/downloads/star/rakudo-star-${rakudo_version}.tar.gz" \
+ keyserver='hkps.pool.sks-keyservers.net' \
+ keyfp='ECF8B611205B447E091246AF959E3D6197190DD5' \
 tmpdir="$(mktemp -d)" \
 && set -x \
+ && export GNUPGHOME="$tmpdir" \
 && apt-get update \
 && apt-get --yes install --no-install-recommends $buildDeps \
 && rm -rf /var/lib/apt/lists/* \
 && mkdir ${tmpdir}/rakudo \
- && curl -fsSL http://rakudo.org/downloads/star/rakudo-star-${rakudo_version}.tar.gz -o ${tmpdir}/rakudo.tar.gz \
+ \
+ && curl -fsSL ${url}.asc -o ${tmpdir}/rakudo.tar.gz.asc \
+ && curl -fsSL $url -o ${tmpdir}/rakudo.tar.gz \
+ && gpg2 --keyserver $keyserver --recv-keys $keyfp \
+ && gpg2 --batch --verify ${tmpdir}/rakudo.tar.gz.asc ${tmpdir}/rakudo.tar.gz \
+ \
 && tar xzf ${tmpdir}/rakudo.tar.gz --strip-components=1 -C ${tmpdir}/rakudo \
 && ( \
 cd ${tmpdir}/rakudo \

From 91de061fd67d0567194233a356e0e32d11a9cff1 Mon Sep 17 00:00:00 2001
From: Jeremy Studer
Date: Thu, 9 Aug 2018 07:52:12 -0400
Subject: [PATCH 3/4] Use "High Availabilty" Keyserver Pool

Use the 'ha' keyserver pool as...
* GPG already provides strong guaranty when using a full fingerprint
* Using hkps reduces reliability enhancements Docker provides for official images
Thanks to tianon++ for the review. See [here](https://github.com/perl6/docker/pull/18/files#r208803260) for more details.
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 41d4b7f..49d0db7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ RUN buildDeps=' \
 make \
 ' \
 url="https://rakudo.org/downloads/star/rakudo-star-${rakudo_version}.tar.gz" \
- keyserver='hkps.pool.sks-keyservers.net' \
+ keyserver='ha.pool.sks-keyservers.net' \
 keyfp='ECF8B611205B447E091246AF959E3D6197190DD5' \
 tmpdir="$(mktemp -d)" \
 && set -x \

From 944167b6d478a9bf8c337536c62b3c00af5590ee Mon Sep 17 00:00:00 2001
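Review bot: The added `gpg2 --batch --verify` line exits 0 for a good signature from any key in the keyring; because the hunk exports a fresh `GNUPGHOME="$tmpdir"`, that keyring holds only what `--recv-keys $keyfp` imported, so the check is only as strong as the keyserver returning exactly the requested key. Pinning the signer explicitly is one line, `&& gpg2 --batch --status-fd 1 --verify ${tmpdir}/rakudo.tar.gz.asc ${tmpdir}/rakudo.tar.gz | grep -q " VALIDSIG .* ${keyfp}$" \` — GnuPG's `VALIDSIG` status line carries the primary-key fingerprint as its last field, and a missing match fails the `&&` chain even though `/bin/sh` has no pipefail. The fingerprint is also an undocumented constant; a comment beside `keyfp=` such as `# Rakudo Star release signing key; fingerprint cross-checked against <OUT-OF-BAND-SOURCE>` would let a later maintainer re-verify it instead of trusting the file. `--recv-keys` under GnuPG 2 needs `dirmngr`, which is packaged separately on Debian-based images; whether it is in `buildDeps` is outside the hunk, so confirm it is installed or the fetch will fail. The agent processes gpg starts under `$GNUPGHOME` can outlive the chain, so a `gpgconf --kill all` before the `rm -rf $tmpdir` at the end of this RUN (outside the hunk) keeps the cleanup from racing them.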
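Review bot: Changing `keyserver=` to `ha.pool.sks-keyservers.net` means the `--recv-keys` fetch now uses gpg's default hkp scheme rather than hkps, so the integrity of the imported key rests solely on gpg matching the returned material against the requested full fingerprint, as the commit message argues. That build-time dependency on a third-party keyserver pool can be removed altogether by shipping the ASCII-armored public key in the build context (`COPY <RELEASE-KEY-FILE>.asc /tmp/` followed by `gpg2 --import /tmp/<RELEASE-KEY-FILE>.asc`), with `keyfp` then used only to confirm what was imported; this also keeps the build reproducible when the pool is unreachable. If the keyserver stays, a comment on the `keyserver=` line recording why the `ha` pool was preferred over hkps would keep that trade-off visible in the Dockerfile rather than only in this commit message.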
From: Jeremy Studer
Date: Thu, 9 Aug 2018 08:48:08 -0400
Subject: [PATCH 4/4] Use 'gpg' as opposed to explicit 'gpg2'

Travis was failing due to being unable to find 'gpg2' and gpg is already an alias for gpg2 in the base image.
Thanks to zakame++ for verification.
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 49d0db7..f4aeef9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,8 +25,8 @@ RUN buildDeps=' \
 \
 && curl -fsSL ${url}.asc -o ${tmpdir}/rakudo.tar.gz.asc \
 && curl -fsSL $url -o ${tmpdir}/rakudo.tar.gz \
- && gpg2 --keyserver $keyserver --recv-keys $keyfp \
- && gpg2 --batch --verify ${tmpdir}/rakudo.tar.gz.asc ${tmpdir}/rakudo.tar.gz \
+ && gpg --keyserver $keyserver --recv-keys $keyfp \
+ && gpg --batch --verify ${tmpdir}/rakudo.tar.gz.asc ${tmpdir}/rakudo.tar.gz \
 \
 && tar xzf ${tmpdir}/rakudo.tar.gz --strip-components=1 -C ${tmpdir}/rakudo \
 && ( \