[FIX] Odoo 10.0-12.0: use a more secure way to download keys

At build time, curl is used to download gnupg keys without any verification. This does not meet the Docker hub requirements: https://github.com/docker-library/official-images#security With this commit, gpg is used to download the keys with the best method specified in the requirements.
2019-01-30 15:43:24 +01:00 · 2019-01-30 15:43:24 +01:00 · 87f0174dca
commit 87f0174dca
parent 4ab6185614
3 changed files with 23 additions and 5 deletions
--- a/10.0/Dockerfile
+++ b/10.0/Dockerfile
@ -7,6 +7,7 @@ RUN set -x; \
        && apt-get install -y --no-install-recommends \
            ca-certificates \
            curl \
+            dirmngr \
            node-less \
            python-gevent \
            python-ldap \
@ -27,7 +28,10 @@ RUN set -x; \
 # install latest postgresql-client
 RUN set -x; \
        echo 'deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main' > etc/apt/sources.list.d/pgdg.list \
-        && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+        && export GNUPGHOME="$(mktemp -d)" \
+        && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
+        && gpg --armor --export ACCC4CF8 | apt-key add - \
+        && rm -rf "$GNUPGHOME" \
        && apt-get update  \
        && apt-get install -y postgresql-client

--- a/11.0/Dockerfile
+++ b/11.0/Dockerfile
@ -10,6 +10,7 @@ RUN set -x; \
        && apt-get install -y --no-install-recommends \
            ca-certificates \
            curl \
+            dirmngr \
            fonts-noto-cjk \
            gnupg \
            libssl1.0-dev \
@ -31,7 +32,11 @@ RUN set -x; \
 # install latest postgresql-client
 RUN set -x; \
        echo 'deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' > etc/apt/sources.list.d/pgdg.list \
-        && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+        && export GNUPGHOME="$(mktemp -d)" \
+        && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
+        && gpg --armor --export ACCC4CF8 | apt-key add - \
+        && gpgconf --kill all \
+        && rm -rf "$GNUPGHOME" \
        && apt-get update  \
        && apt-get install -y postgresql-client

--- a/12.0/Dockerfile
+++ b/12.0/Dockerfile
@ -10,6 +10,7 @@ RUN set -x; \
        && apt-get install -y --no-install-recommends \
            ca-certificates \
            curl \
+            dirmngr \
            fonts-noto-cjk \
            gnupg \
            libssl1.0-dev \
@ -31,14 +32,22 @@ RUN set -x; \
 # install latest postgresql-client
 RUN set -x; \
        echo 'deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' > etc/apt/sources.list.d/pgdg.list \
-        && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+        && export GNUPGHOME="$(mktemp -d)" \
+        && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
+        && gpg --armor --export ACCC4CF8 | apt-key add - \
+        && gpgconf --kill all \
+        && rm -rf "$GNUPGHOME" \
        && apt-get update  \
        && apt-get install -y postgresql-client

 # Install rtlcss (on Debian stretch)
 RUN set -x;\
-    curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
-    && echo "deb http://deb.nodesource.com/node_8.x stretch main" > /etc/apt/sources.list.d/nodesource.list \
+    echo "deb http://deb.nodesource.com/node_8.x stretch main" > /etc/apt/sources.list.d/nodesource.list \
+    && export GNUPGHOME="$(mktemp -d)" \
+    && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 68576280 \
+    && gpg --armor --export 68576280 | apt-key add - \
+    && gpgconf --kill all \
+    && rm -rf "$GNUPGHOME" \
    && apt-get update \
    && apt-get install -y nodejs \
    && npm install -g rtlcss