From 87f0174dca7fb69e504d0720104779989f00b368 Mon Sep 17 00:00:00 2001
From: Christophe Monniez
Date: Wed, 30 Jan 2019 15:43:24 +0100
Subject: [PATCH] [FIX] Odoo 10.0-12.0: use a more secure way to download keys

At build time, curl is used to download gnupg keys without any verification. This does not meet the Docker hub requirements: https://github.com/docker-library/official-images#security With this commit, gpg is used to download the keys with the best method specified in the requirements.
---
 10.0/Dockerfile | 6 +++++-
 11.0/Dockerfile | 7 ++++++-
 12.0/Dockerfile | 15 ++++++++++++---
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/10.0/Dockerfile b/10.0/Dockerfile
index 967a5b1..dabd05a 100644
--- a/10.0/Dockerfile
+++ b/10.0/Dockerfile
@@ -7,6 +7,7 @@ RUN set -x; \
 && apt-get install -y --no-install-recommends \
 ca-certificates \
 curl \
+ dirmngr \
 node-less \
 python-gevent \
 python-ldap \
@@ -27,7 +28,10 @@ RUN set -x; \
 # install latest postgresql-client
 RUN set -x; \
 echo 'deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main' > etc/apt/sources.list.d/pgdg.list \
- && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
+ && gpg --armor --export ACCC4CF8 | apt-key add - \
+ && rm -rf "$GNUPGHOME" \
 && apt-get update \
 && apt-get install -y postgresql-client
 
diff --git a/11.0/Dockerfile b/11.0/Dockerfile
index 328aa18..1b3f376 100644
--- a/11.0/Dockerfile
+++ b/11.0/Dockerfile
@@ -10,6 +10,7 @@ RUN set -x; \
 && apt-get install -y --no-install-recommends \
 ca-certificates \
 curl \
+ dirmngr \
 fonts-noto-cjk \
 gnupg \
 libssl1.0-dev \
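Review bot: In the 10.0 postgresql hunk the key is fetched and exported by the 32-bit short ID `ACCC4CF8`, which a keyserver resolves to any key whose ID ends in those eight hex digits, so a colliding key served by `keyserver.ubuntu.com` over plain HKP would be imported and piped into `apt-key add` unchallenged; the official-images security section the message links to asks for the full 40-hex fingerprint on both steps, i.e. `gpg --batch --keyserver keyserver.ubuntu.com --recv-keys <FULL-FINGERPRINT-OF-ACCC4CF8>` and `gpg --armor --export <FULL-FINGERPRINT-OF-ACCC4CF8> | apt-key add -`. The same short-ID lookup appears in the 11.0 and 12.0 postgresql hunks and in the 12.0 nodesource hunk (`68576280`), where the removed `curl -sSL https://deb.nodesource.com/...` at least authenticated the vendor host via TLS, so without the fingerprint pin the new path is arguably weaker there, not stronger. Unlike the 11.0 and 12.0 hunks, this one does not run `gpgconf --kill all` before `rm -rf "$GNUPGHOME"`; if jessie's gpg spawns an agent or dirmngr here the temporary home is removed from under a live process, which is probably harmless on that gpg version but worth aligning across the three Dockerfiles.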
@@ -31,7 +32,11 @@ RUN set -x; \
 # install latest postgresql-client
 RUN set -x; \
 echo 'deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' > etc/apt/sources.list.d/pgdg.list \
- && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
+ && gpg --armor --export ACCC4CF8 | apt-key add - \
+ && gpgconf --kill all \
+ && rm -rf "$GNUPGHOME" \
 && apt-get update \
 && apt-get install -y postgresql-client
 
diff --git a/12.0/Dockerfile b/12.0/Dockerfile
index 3c24fdc..380a7bf 100644
--- a/12.0/Dockerfile
+++ b/12.0/Dockerfile
@@ -10,6 +10,7 @@ RUN set -x; \
 && apt-get install -y --no-install-recommends \
 ca-certificates \
 curl \
+ dirmngr \
 fonts-noto-cjk \
 gnupg \
 libssl1.0-dev \
@@ -31,14 +32,22 @@ RUN set -x; \
 # install latest postgresql-client
 RUN set -x; \
 echo 'deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' > etc/apt/sources.list.d/pgdg.list \
- && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
+ && gpg --armor --export ACCC4CF8 | apt-key add - \
+ && gpgconf --kill all \
+ && rm -rf "$GNUPGHOME" \
 && apt-get update \
 && apt-get install -y postgresql-client
 
 # Install rtlcss (on Debian stretch)
 RUN set -x;\
- curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
- && echo "deb http://deb.nodesource.com/node_8.x stretch main" > /etc/apt/sources.list.d/nodesource.list \
+ echo "deb http://deb.nodesource.com/node_8.x stretch main" > /etc/apt/sources.list.d/nodesource.list \
+ && export GNUPGHOME="$(mktemp -d)" \
+ && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 68576280 \
+ && gpg --armor --export 68576280 | apt-key add - \
+ && gpgconf --kill all \
+ && rm -rf "$GNUPGHOME" \
 && apt-get update \
 && apt-get install -y nodejs \
 && npm install -g rtlcss