Open-Harbor/docker-odoo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

[FIX] Odoo 10.0-12.0: use a more secure way to download keys

Browse Source 
At build time, curl is used to download gnupg keys without any
verification.

This does not meet the Docker hub requirements:
https://github.com/docker-library/official-images#security

With this commit, gpg is used to download the keys with the best method
specified in the requirements.
This commit is contained in:
Christophe Monniez
2019-01-30 15:43:24 +01:00
parent 4ab6185614
commit 87f0174dca
3 changed files with 23 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
11.0/Dockerfile
+6 -1
View File
@@ -10,6 +10,7 @@ RUN set -x; \
&& apt-get install -y --no-install-recommends \
ca-certificates \
curl \
dirmngr \
fonts-noto-cjk \
gnupg \
libssl1.0-dev \
@@ -31,7 +32,11 @@ RUN set -x; \
# install latest postgresql-client
RUN set -x; \
echo 'deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' > etc/apt/sources.list.d/pgdg.list \
&& curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
&& export GNUPGHOME="$(mktemp -d)" \
&& gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
&& gpg --armor --export ACCC4CF8 | apt-key add - \
&& gpgconf --kill all \
&& rm -rf "$GNUPGHOME" \
&& apt-get update \
&& apt-get install -y postgresql-client