From f92b3525db29825c365efaf76ae21b8133ad75b4 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Mon, 6 Jan 2025 15:11:14 -0800 Subject: [PATCH] Source PGP keys from upstream KEYS With explicit filtering so we don't accidentally trust a key we didn't pre-verify. --- 10.1/jdk11/temurin-jammy/Dockerfile | 23 +++++--- 10.1/jdk11/temurin-noble/Dockerfile | 23 +++++--- 10.1/jdk17/temurin-jammy/Dockerfile | 23 +++++--- 10.1/jdk17/temurin-noble/Dockerfile | 23 +++++--- 10.1/jdk21/temurin-jammy/Dockerfile | 23 +++++--- 10.1/jdk21/temurin-noble/Dockerfile | 23 +++++--- 10.1/jre11/temurin-jammy/Dockerfile | 4 -- 10.1/jre11/temurin-noble/Dockerfile | 4 -- 10.1/jre17/temurin-jammy/Dockerfile | 4 -- 10.1/jre17/temurin-noble/Dockerfile | 4 -- 10.1/jre21/temurin-jammy/Dockerfile | 4 -- 10.1/jre21/temurin-noble/Dockerfile | 4 -- 11.0/jdk21/temurin-jammy/Dockerfile | 23 +++++--- 11.0/jdk21/temurin-noble/Dockerfile | 23 +++++--- 11.0/jre21/temurin-jammy/Dockerfile | 4 -- 11.0/jre21/temurin-noble/Dockerfile | 4 -- 9.0/jdk11/corretto-al2/Dockerfile | 23 +++++--- 9.0/jdk11/temurin-jammy/Dockerfile | 24 +++++--- 9.0/jdk11/temurin-noble/Dockerfile | 24 +++++--- 9.0/jdk17/corretto-al2/Dockerfile | 23 +++++--- 9.0/jdk17/temurin-jammy/Dockerfile | 24 +++++--- 9.0/jdk17/temurin-noble/Dockerfile | 24 +++++--- 9.0/jdk21/corretto-al2/Dockerfile | 23 +++++--- 9.0/jdk21/temurin-jammy/Dockerfile | 24 +++++--- 9.0/jdk21/temurin-noble/Dockerfile | 24 +++++--- 9.0/jdk8/corretto-al2/Dockerfile | 23 +++++--- 9.0/jdk8/temurin-jammy/Dockerfile | 24 +++++--- 9.0/jdk8/temurin-noble/Dockerfile | 24 +++++--- 9.0/jre11/temurin-jammy/Dockerfile | 4 -- 9.0/jre11/temurin-noble/Dockerfile | 4 -- 9.0/jre17/temurin-jammy/Dockerfile | 4 -- 9.0/jre17/temurin-noble/Dockerfile | 4 -- 9.0/jre21/temurin-jammy/Dockerfile | 4 -- 9.0/jre21/temurin-noble/Dockerfile | 4 -- 9.0/jre8/temurin-jammy/Dockerfile | 4 -- 9.0/jre8/temurin-noble/Dockerfile | 4 -- Dockerfile.template | 89 ++++++++++++++++------------- 37 files changed, 378 insertions(+), 243 deletions(-) diff --git a/10.1/jdk11/temurin-jammy/Dockerfile b/10.1/jdk11/temurin-jammy/Dockerfile index 57f0ca2f4..8280e13f2 100644 --- a/10.1/jdk11/temurin-jammy/Dockerfile +++ b/10.1/jdk11/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 @@ -58,10 +54,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-10/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS + for key in \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '5C3C5F3E314C866292F359A8F3AD5C94A67F707E' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/10.1/jdk11/temurin-noble/Dockerfile b/10.1/jdk11/temurin-noble/Dockerfile index 66786d9cb..ffee4bbb9 100644 --- a/10.1/jdk11/temurin-noble/Dockerfile +++ b/10.1/jdk11/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 @@ -58,10 +54,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-10/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS + for key in \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '5C3C5F3E314C866292F359A8F3AD5C94A67F707E' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/10.1/jdk17/temurin-jammy/Dockerfile b/10.1/jdk17/temurin-jammy/Dockerfile index 6755246d4..f76dbeaff 100644 --- a/10.1/jdk17/temurin-jammy/Dockerfile +++ b/10.1/jdk17/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 @@ -58,10 +54,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-10/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS + for key in \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '5C3C5F3E314C866292F359A8F3AD5C94A67F707E' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/10.1/jdk17/temurin-noble/Dockerfile b/10.1/jdk17/temurin-noble/Dockerfile index dfcdd5e64..ec4777dff 100644 --- a/10.1/jdk17/temurin-noble/Dockerfile +++ b/10.1/jdk17/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 @@ -58,10 +54,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-10/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS + for key in \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '5C3C5F3E314C866292F359A8F3AD5C94A67F707E' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/10.1/jdk21/temurin-jammy/Dockerfile b/10.1/jdk21/temurin-jammy/Dockerfile index 6fa1a926b..bf8b1f15f 100644 --- a/10.1/jdk21/temurin-jammy/Dockerfile +++ b/10.1/jdk21/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 @@ -58,10 +54,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-10/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS + for key in \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '5C3C5F3E314C866292F359A8F3AD5C94A67F707E' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/10.1/jdk21/temurin-noble/Dockerfile b/10.1/jdk21/temurin-noble/Dockerfile index 79e2cf0cf..e82dc5e4d 100644 --- a/10.1/jdk21/temurin-noble/Dockerfile +++ b/10.1/jdk21/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 @@ -58,10 +54,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-10/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS + for key in \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '5C3C5F3E314C866292F359A8F3AD5C94A67F707E' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/10.1/jre11/temurin-jammy/Dockerfile b/10.1/jre11/temurin-jammy/Dockerfile index 89841614b..fccec4235 100644 --- a/10.1/jre11/temurin-jammy/Dockerfile +++ b/10.1/jre11/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 diff --git a/10.1/jre11/temurin-noble/Dockerfile b/10.1/jre11/temurin-noble/Dockerfile index 4345de898..e395955bc 100644 --- a/10.1/jre11/temurin-noble/Dockerfile +++ b/10.1/jre11/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 diff --git a/10.1/jre17/temurin-jammy/Dockerfile b/10.1/jre17/temurin-jammy/Dockerfile index d64acf309..7fe893427 100644 --- a/10.1/jre17/temurin-jammy/Dockerfile +++ b/10.1/jre17/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 diff --git a/10.1/jre17/temurin-noble/Dockerfile b/10.1/jre17/temurin-noble/Dockerfile index 05cfa9a4a..9c9eb7175 100644 --- a/10.1/jre17/temurin-noble/Dockerfile +++ b/10.1/jre17/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 diff --git a/10.1/jre21/temurin-jammy/Dockerfile b/10.1/jre21/temurin-jammy/Dockerfile index 4ebe3a29a..ea92571f7 100644 --- a/10.1/jre21/temurin-jammy/Dockerfile +++ b/10.1/jre21/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 diff --git a/10.1/jre21/temurin-noble/Dockerfile b/10.1/jre21/temurin-noble/Dockerfile index de57ff676..bf4efbe7e 100644 --- a/10.1/jre21/temurin-noble/Dockerfile +++ b/10.1/jre21/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-10/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 5C3C5F3E314C866292F359A8F3AD5C94A67F707E A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 10 ENV TOMCAT_VERSION 10.1.34 ENV TOMCAT_SHA512 e29c4d0e26295d64dfeee399e7719b5baac2682ac0e7b53702f26d630fea761f93ddf60674dfe87c41ddd9b79d4938a6a533a280bb3d7fb83c2a1b7cd5da6b09 diff --git a/11.0/jdk21/temurin-jammy/Dockerfile b/11.0/jdk21/temurin-jammy/Dockerfile index a31911e5a..8de0192b5 100644 --- a/11.0/jdk21/temurin-jammy/Dockerfile +++ b/11.0/jdk21/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-11/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 11 ENV TOMCAT_VERSION 11.0.2 ENV TOMCAT_SHA512 635d0b704d47a97050e3de995d372ef361ddb7589efbc53003afd6ac692d8db4a4125ae5dcc01af9e7371e8e598c98982e2a25617179b6ba0a04406299cca544 @@ -58,10 +54,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-11/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-11/KEYS + for key in \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/11.0/jdk21/temurin-noble/Dockerfile b/11.0/jdk21/temurin-noble/Dockerfile index e057fa678..f3ad80726 100644 --- a/11.0/jdk21/temurin-noble/Dockerfile +++ b/11.0/jdk21/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-11/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 11 ENV TOMCAT_VERSION 11.0.2 ENV TOMCAT_SHA512 635d0b704d47a97050e3de995d372ef361ddb7589efbc53003afd6ac692d8db4a4125ae5dcc01af9e7371e8e598c98982e2a25617179b6ba0a04406299cca544 @@ -58,10 +54,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-11/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-11/KEYS + for key in \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/11.0/jre21/temurin-jammy/Dockerfile b/11.0/jre21/temurin-jammy/Dockerfile index 1c0adc648..63cbfa953 100644 --- a/11.0/jre21/temurin-jammy/Dockerfile +++ b/11.0/jre21/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-11/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 11 ENV TOMCAT_VERSION 11.0.2 ENV TOMCAT_SHA512 635d0b704d47a97050e3de995d372ef361ddb7589efbc53003afd6ac692d8db4a4125ae5dcc01af9e7371e8e598c98982e2a25617179b6ba0a04406299cca544 diff --git a/11.0/jre21/temurin-noble/Dockerfile b/11.0/jre21/temurin-noble/Dockerfile index aeba7f205..8600d81f5 100644 --- a/11.0/jre21/temurin-noble/Dockerfile +++ b/11.0/jre21/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-11/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 - ENV TOMCAT_MAJOR 11 ENV TOMCAT_VERSION 11.0.2 ENV TOMCAT_SHA512 635d0b704d47a97050e3de995d372ef361ddb7589efbc53003afd6ac692d8db4a4125ae5dcc01af9e7371e8e598c98982e2a25617179b6ba0a04406299cca544 diff --git a/9.0/jdk11/corretto-al2/Dockerfile b/9.0/jdk11/corretto-al2/Dockerfile index 17c80772d..7cd103c7d 100644 --- a/9.0/jdk11/corretto-al2/Dockerfile +++ b/9.0/jdk11/corretto-al2/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -71,10 +67,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk11/temurin-jammy/Dockerfile b/9.0/jdk11/temurin-jammy/Dockerfile index b7183f0fa..0de862337 100644 --- a/9.0/jdk11/temurin-jammy/Dockerfile +++ b/9.0/jdk11/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -58,10 +54,24 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk11/temurin-noble/Dockerfile b/9.0/jdk11/temurin-noble/Dockerfile index 3d58dc54d..c288f860d 100644 --- a/9.0/jdk11/temurin-noble/Dockerfile +++ b/9.0/jdk11/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -58,10 +54,24 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk17/corretto-al2/Dockerfile b/9.0/jdk17/corretto-al2/Dockerfile index 2719ccfab..54dbc6e14 100644 --- a/9.0/jdk17/corretto-al2/Dockerfile +++ b/9.0/jdk17/corretto-al2/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -71,10 +67,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk17/temurin-jammy/Dockerfile b/9.0/jdk17/temurin-jammy/Dockerfile index 58ae6c9c2..04ec0bc3b 100644 --- a/9.0/jdk17/temurin-jammy/Dockerfile +++ b/9.0/jdk17/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -58,10 +54,24 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk17/temurin-noble/Dockerfile b/9.0/jdk17/temurin-noble/Dockerfile index 81c72fdb9..9ee0765a1 100644 --- a/9.0/jdk17/temurin-noble/Dockerfile +++ b/9.0/jdk17/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -58,10 +54,24 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk21/corretto-al2/Dockerfile b/9.0/jdk21/corretto-al2/Dockerfile index 6b3f07f09..b81e04169 100644 --- a/9.0/jdk21/corretto-al2/Dockerfile +++ b/9.0/jdk21/corretto-al2/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -71,10 +67,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk21/temurin-jammy/Dockerfile b/9.0/jdk21/temurin-jammy/Dockerfile index 2fac2c592..7e81654f6 100644 --- a/9.0/jdk21/temurin-jammy/Dockerfile +++ b/9.0/jdk21/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -58,10 +54,24 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk21/temurin-noble/Dockerfile b/9.0/jdk21/temurin-noble/Dockerfile index 03f59ab3d..7e8a43ca0 100644 --- a/9.0/jdk21/temurin-noble/Dockerfile +++ b/9.0/jdk21/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -58,10 +54,24 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk8/corretto-al2/Dockerfile b/9.0/jdk8/corretto-al2/Dockerfile index 4db61299c..bb5b91c3e 100644 --- a/9.0/jdk8/corretto-al2/Dockerfile +++ b/9.0/jdk8/corretto-al2/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -71,10 +67,23 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk8/temurin-jammy/Dockerfile b/9.0/jdk8/temurin-jammy/Dockerfile index 75540d33d..00e7929e3 100644 --- a/9.0/jdk8/temurin-jammy/Dockerfile +++ b/9.0/jdk8/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -58,10 +54,24 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jdk8/temurin-noble/Dockerfile b/9.0/jdk8/temurin-noble/Dockerfile index 3cc5a7316..7c5ce40cc 100644 --- a/9.0/jdk8/temurin-noble/Dockerfile +++ b/9.0/jdk8/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 @@ -58,10 +54,24 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS 'https://www.apache.org/dist/tomcat/tomcat-9/KEYS'; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS + for key in \ + 'DCFD35E0BF8CA7344752DE8B6FB21E8933C60243' \ + 'A9C5DF4D22E99998D9875A5110C01C5A2F6059E7' \ + '48F8E69F6390C9F25CFEDCD268248959359E722B' \ + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \ diff --git a/9.0/jre11/temurin-jammy/Dockerfile b/9.0/jre11/temurin-jammy/Dockerfile index 93347972b..3c8f6e9a5 100644 --- a/9.0/jre11/temurin-jammy/Dockerfile +++ b/9.0/jre11/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 diff --git a/9.0/jre11/temurin-noble/Dockerfile b/9.0/jre11/temurin-noble/Dockerfile index c66d8d899..66f72f166 100644 --- a/9.0/jre11/temurin-noble/Dockerfile +++ b/9.0/jre11/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 diff --git a/9.0/jre17/temurin-jammy/Dockerfile b/9.0/jre17/temurin-jammy/Dockerfile index 7eeb8438c..80b3d4d65 100644 --- a/9.0/jre17/temurin-jammy/Dockerfile +++ b/9.0/jre17/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 diff --git a/9.0/jre17/temurin-noble/Dockerfile b/9.0/jre17/temurin-noble/Dockerfile index 5b11ae4d6..bfd65e714 100644 --- a/9.0/jre17/temurin-noble/Dockerfile +++ b/9.0/jre17/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 diff --git a/9.0/jre21/temurin-jammy/Dockerfile b/9.0/jre21/temurin-jammy/Dockerfile index 13dd56459..857a002b0 100644 --- a/9.0/jre21/temurin-jammy/Dockerfile +++ b/9.0/jre21/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 diff --git a/9.0/jre21/temurin-noble/Dockerfile b/9.0/jre21/temurin-noble/Dockerfile index 457a7a05b..0e91fc98a 100644 --- a/9.0/jre21/temurin-noble/Dockerfile +++ b/9.0/jre21/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 diff --git a/9.0/jre8/temurin-jammy/Dockerfile b/9.0/jre8/temurin-jammy/Dockerfile index 3a905efd9..33068aa5e 100644 --- a/9.0/jre8/temurin-jammy/Dockerfile +++ b/9.0/jre8/temurin-jammy/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 diff --git a/9.0/jre8/temurin-noble/Dockerfile b/9.0/jre8/temurin-noble/Dockerfile index bf9245dc6..95ae424a0 100644 --- a/9.0/jre8/temurin-noble/Dockerfile +++ b/9.0/jre8/temurin-noble/Dockerfile @@ -15,10 +15,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-9/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS 48F8E69F6390C9F25CFEDCD268248959359E722B A9C5DF4D22E99998D9875A5110C01C5A2F6059E7 DCFD35E0BF8CA7344752DE8B6FB21E8933C60243 - ENV TOMCAT_MAJOR 9 ENV TOMCAT_VERSION 9.0.98 ENV TOMCAT_SHA512 07d87286e8ee84bb291069c596cf36233e56a14e3ecb6d65eea0fa7c7042ce5e75f5db31f210b96b6b25b80b34e626dd26c5a6ed5c052384a8587d62658b5e16 diff --git a/Dockerfile.template b/Dockerfile.template index bb6868ab3..e94d41905 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -14,42 +14,6 @@ WORKDIR $CATALINA_HOME ENV TOMCAT_NATIVE_LIBDIR $CATALINA_HOME/native-jni-lib ENV LD_LIBRARY_PATH ${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$TOMCAT_NATIVE_LIBDIR -# see https://www.apache.org/dist/tomcat/tomcat-{{ major }}/KEYS -# see also "versions.sh" (https://github.com/docker-library/tomcat/blob/master/versions.sh) -ENV GPG_KEYS {{ - # docker run --rm buildpack-deps:bookworm-curl bash -c 'wget -qO- https://www.apache.org/dist/tomcat/tomcat-10/KEYS | gpg --batch --import &> /dev/null && gpg --batch --list-keys --with-fingerprint --with-colons' | awk -F: '$1 == "pub" && $2 == "-" { pub = 1 } pub && $1 == "fpr" { fpr = $10 } $1 == "sub" { pub = 0 } pub && fpr && $1 == "uid" && $2 == "-" { print "\t\t\t#", $10; print "\t\t\t\"" fpr "\","; pub = 0 } END { print "\t\t\t# trailing comma 👀\n\t\t\tempty" }' - { - "11": [ - # Mark E D Thomas - "A9C5DF4D22E99998D9875A5110C01C5A2F6059E7", - # Remy Maucherat - "48F8E69F6390C9F25CFEDCD268248959359E722B", - # trailing comma 👀 - empty - ], - "10": [ - # Mark E D Thomas - "A9C5DF4D22E99998D9875A5110C01C5A2F6059E7", - # Christopher Schultz - "5C3C5F3E314C866292F359A8F3AD5C94A67F707E", - # trailing comma 👀 - empty - ], - "9": [ - # Mark E D Thomas - "DCFD35E0BF8CA7344752DE8B6FB21E8933C60243", - # Mark E D Thomas - "A9C5DF4D22E99998D9875A5110C01C5A2F6059E7", - # Remy Maucherat - "48F8E69F6390C9F25CFEDCD268248959359E722B", - # trailing comma 👀 - empty - ], - } | .[major] // error("missing GPG keys") - | sort - | join(" ") -}} - ENV TOMCAT_MAJOR {{ major }} ENV TOMCAT_VERSION {{ .version }} ENV TOMCAT_SHA512 {{ .sha512 }} @@ -113,10 +77,57 @@ RUN set -eux; \ ddist 'tomcat.tar.gz' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz"; \ echo "$TOMCAT_SHA512 *tomcat.tar.gz" | sha512sum --strict --check -; \ ddist 'tomcat.tar.gz.asc' "tomcat/tomcat-$TOMCAT_MAJOR/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc" "$TOMCAT_VERSION/tomcat-$TOMCAT_VERSION.tar.gz.asc"; \ - export GNUPGHOME="$(mktemp -d)"; \ - for key in $GPG_KEYS; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + curl -fL -o upstream-KEYS {{ "https://www.apache.org/dist/tomcat/tomcat-\(major)/KEYS" | @sh }}; \ + gpg --batch --import upstream-KEYS; \ +# filter upstream KEYS file to *just* known/precomputed fingerprints + printf '' > filtered-KEYS; \ +# see https://www.apache.org/dist/tomcat/tomcat-{{ major }}/KEYS + for key in \ +{{ + # docker run --rm buildpack-deps:bookworm-curl bash -c 'wget -qO- https://www.apache.org/dist/tomcat/tomcat-11/KEYS | gpg --batch --import &> /dev/null && gpg --batch --list-keys --with-fingerprint --with-colons' | awk -F: '$1 == "pub" && $2 == "-" { pub = 1 } pub && $1 == "fpr" { fpr = $10 } $1 == "sub" { pub = 0 } pub && fpr && $1 == "uid" && $2 == "-" { print "\t\t\t#", $10; print "\t\t\t\"" fpr "\","; pub = 0 } END { print "\t\t\t# trailing comma 👀\n\t\t\tempty" }' + { + "11": [ + # Mark E D Thomas + "A9C5DF4D22E99998D9875A5110C01C5A2F6059E7", + # Remy Maucherat + "48F8E69F6390C9F25CFEDCD268248959359E722B", + # trailing comma 👀 + empty + ], + "10": [ + # Mark E D Thomas + "A9C5DF4D22E99998D9875A5110C01C5A2F6059E7", + # Christopher Schultz + "5C3C5F3E314C866292F359A8F3AD5C94A67F707E", + # trailing comma 👀 + empty + ], + "9": [ + # Mark E D Thomas + "DCFD35E0BF8CA7344752DE8B6FB21E8933C60243", + # Mark E D Thomas + "A9C5DF4D22E99998D9875A5110C01C5A2F6059E7", + # Remy Maucherat + "48F8E69F6390C9F25CFEDCD268248959359E722B", + # trailing comma 👀 + empty + ], + } | .[major] // error("missing GPG keys") + | map( +-}} + {{ @sh }} \ +{{ ) | add -}} + ; do \ + gpg --batch --fingerprint "$key"; \ + gpg --batch --export --armor "$key" >> filtered-KEYS; \ done; \ +{{ if vendor_variant | contains("al2") then "" else ( -}} + gpgconf --kill all; \ +{{ ) end -}} + rm -rf "$GNUPGHOME"; \ + GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ + gpg --batch --import filtered-KEYS; \ gpg --batch --verify tomcat.tar.gz.asc tomcat.tar.gz; \ tar -xf tomcat.tar.gz --strip-components=1; \ rm bin/*.bat; \