Refactor PGP key handling to use MongoDB files #673
Merged
(Updated with less cleverness in
(fixed the RC-handling logic to account for #622 correctly)
It seems that keyserver.ubuntu.com is currently having a sad day -- it's not actually critical to our usage here, so this finally swaps us to use the keys provided by MongoDB, but with explicit full fingerprint validation / filtering.
tianon commented Feb 7, 2024
Comment on lines +55 to +56:

wget -O KEYS {{ [ .pgp[].url ] | map(@sh) | join(" ") }}; \
gpg --batch --import KEYS; \
Just to show that this will work correctly (since none of the versions we have now actually have more than one URL here):
$ docker run -it --rm buildpack-deps:curl
root@57d75f357e33:/# wget -O KEYS https://pgp.mongodb.com/server-dev.asc https://pgp.mongodb.com/server-8.0.asc https://pgp.mongodb.com/server-7.0.asc
--2024-02-07 00:01:00-- https://pgp.mongodb.com/server-dev.asc
Resolving pgp.mongodb.com (pgp.mongodb.com)... 18.154.206.8, 18.154.206.105, 18.154.206.41, ...
Connecting to pgp.mongodb.com (pgp.mongodb.com)|18.154.206.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1696 (1.7K) [binary/octet-stream]
Saving to: 'KEYS'
KEYS 100%[===================>] 1.66K --.-KB/s in 0s
2024-02-07 00:01:01 (52.9 MB/s) - 'KEYS' saved [1696/1696]
--2024-02-07 00:01:01-- https://pgp.mongodb.com/server-8.0.asc
Reusing existing connection to pgp.mongodb.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 1676 (1.6K) [binary/octet-stream]
Saving to: 'KEYS'
KEYS 100%[===================>] 1.64K --.-KB/s in 0s
2024-02-07 00:01:02 (101 MB/s) - 'KEYS' saved [1676/1676]
--2024-02-07 00:01:02-- https://pgp.mongodb.com/server-7.0.asc
Reusing existing connection to pgp.mongodb.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 1674 (1.6K) [binary/octet-stream]
Saving to: 'KEYS'
KEYS 100%[===================>] 1.63K --.-KB/s in 0s
2024-02-07 00:01:02 (96.3 MB/s) - 'KEYS' saved [1674/1674]
FINISHED --2024-02-07 00:01:02--
Total wall clock time: 1.7s
Downloaded: 3 files, 4.9K in 0s (76.3 MB/s)
root@57d75f357e33:/# gpg --batch --import KEYS
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 81B0EBBBADCEA95C: public key "MongoDB Development Release Signing Key <[email protected]>" imported
gpg: key 41DE058A4E7DCA05: public key "MongoDB 8.0 Release Signing Key <[email protected]>" imported
gpg: key 160D26BB1785BA38: public key "MongoDB 7.0 Release Signing Key <[email protected]>" imported
gpg: Total number processed: 3
gpg: imported: 3
root@57d75f357e33:/# gpg --fingerprint
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2023-08-02 [SC] [expires: 2028-07-31]
28DE 23AF 0804 0FB2 4C33 F363 81B0 EBBB ADCE A95C
uid [ unknown] MongoDB Development Release Signing Key <[email protected]>
pub rsa4096 2024-01-11 [SC]
4B07 52C1 BCA2 38C0 B4EE 14DC 41DE 058A 4E7D CA05
uid [ unknown] MongoDB 8.0 Release Signing Key <[email protected]>
pub rsa4096 2023-01-18 [SC] [expires: 2028-01-17]
E588 3020 1F7D D82C D808 AA84 160D 26BB 1785 BA38
uid [ unknown] MongoDB 7.0 Release Signing Key <[email protected]>
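The PR's security point is that keys fetched from a vendor URL are only trusted after filtering on their full 40-hex fingerprints, never on the 16-hex key IDs gpg prints during import. The following is an added example, not code from this PR or the docker-library project: it parses `gpg --fingerprint` output (a constructed sample modelled on the session above, with placeholder uid addresses), keeps only pinned fingerprints, and rejects pins that are not full fingerprints.

```python
import re

# Constructed sample modelled on the `gpg --fingerprint` output quoted above (uid addresses are placeholders).
GPG_FINGERPRINT_OUTPUT = """\
pub   rsa4096 2023-08-02 [SC] [expires: 2028-07-31]
      28DE 23AF 0804 0FB2 4C33 F363 81B0 EBBB ADCE A95C
uid           [ unknown] MongoDB Development Release Signing Key <dev@placeholder.invalid>
pub   rsa4096 2024-01-11 [SC]
      4B07 52C1 BCA2 38C0 B4EE 14DC 41DE 058A 4E7D CA05
uid           [ unknown] MongoDB 8.0 Release Signing Key <8.0@placeholder.invalid>
pub   rsa4096 2023-01-18 [SC] [expires: 2028-01-17]
      E588 3020 1F7D D82C D808 AA84 160D 26BB 1785 BA38
uid           [ unknown] MongoDB 7.0 Release Signing Key <7.0@placeholder.invalid>
"""

# Full fingerprints the build pins (7.0 and 8.0); the dev key is deliberately left out to show rejection.
PINNED = {
    "E58830201F7DD82CD808AA84160D26BB1785BA38",  # MongoDB 7.0 Release Signing Key
    "4B0752C1BCA238C0B4EE14DC41DE058A4E7DCA05",  # MongoDB 8.0 Release Signing Key
}
# A fingerprint line: ten groups of four upper-case hex digits, indented.
FPR_RE = re.compile(r"^\s+((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})\s*$")

def check_pins(pinned):
    """Refuse pins shorter than a full 40-hex fingerprint; a 16-hex key ID is not enough."""
    bad = [p for p in pinned if not re.fullmatch(r"[0-9A-F]{40}", p)]
    if bad:
        raise ValueError("not full fingerprints: %s" % bad)
    return True

def parse_fingerprints(text):
    """Map each primary-key fingerprint in gpg --fingerprint output to its first uid."""
    keys, current = {}, None
    for line in text.splitlines():
        m = FPR_RE.match(line)
        if m:
            current = m.group(1).replace(" ", "")
            keys[current] = None
        elif line.startswith("uid") and current and keys[current] is None:
            keys[current] = line.split("]", 1)[1].strip()
    return keys

def filter_keys(text, pinned):
    """Split imported keys into accepted (pinned) and rejected, plus pins that were not found."""
    check_pins(pinned)
    found = parse_fingerprints(text)
    accepted = {f: u for f, u in found.items() if f in pinned}
    rejected = {f: u for f, u in found.items() if f not in pinned}
    return accepted, rejected, set(pinned) - set(found)
```

A build step would export only the accepted fingerprints into the keyring it goes on to verify packages with, and fail the build on any rejected or missing key.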
yosifkit approved these changes Feb 7, 2024
docker-library-bot added a commit to docker-library-bot/official-images that referenced this pull request, Feb 7, 2024:

Changes:
- docker-library/mongo@12fc21f: Merge pull request docker-library/mongo#673 from infosiftr/pgp
- docker-library/mongo@62518cb: Refactor PGP key handling to use MongoDB files
- docker-library/mongo@ee2e768: Merge pull request docker-library/mongo#672 from BlacCello/gosu-1.17
- docker-library/mongo@b7c4e73: update gosu to v1.17
martin-g pushed a commit to martin-g/docker-official-images that referenced this pull request, Apr 3, 2024:

Changes:
- docker-library/mongo@12fc21f: Merge pull request docker-library/mongo#673 from infosiftr/pgp
- docker-library/mongo@62518cb: Refactor PGP key handling to use MongoDB files
- docker-library/mongo@ee2e768: Merge pull request docker-library/mongo#672 from BlacCello/gosu-1.17
- docker-library/mongo@b7c4e73: update gosu to v1.17
See also #672 (comment) and #320 (comment)