Skip to content

Commit

Permalink
Merge pull request #1 from AkihiroSuda/dev
Browse files Browse the repository at this point in the history
Dockerfile.archlinux: reword warning
  • Loading branch information
AkihiroSuda authored Sep 16, 2023
2 parents fbc5a94 + 8b0a209 commit 43377aa
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 10 deletions.
14 changes: 9 additions & 5 deletions Dockerfile.archlinux
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ ADD --chmod=0755 <<-"EOT" /usr/local/bin/verify-var-cache-pacman-pkg.sh
#!/bin/bash
set -eux -o pipefail
for pkg in /var/cache/pacman/pkg/*.tar.zst; do
# Under the hood, `pacman-key` calls the following command:
# gpg --homedir /etc/pacman.d/gnupg/ --no-permission-warning --status-fd 1 --verify ${pkg}.sig ${pkg}
pacman-key --verify "${pkg}.sig"
done
EOT
Expand All @@ -35,12 +37,14 @@ RUN \
--network=none \
verify-var-cache-pacman-pkg.sh && \
pacman -S --noconfirm ${PACKAGES}
# WARNING: the repository signatures (`/var/cache/pacman/pkg/*.sig`)
# are only verified on running downloading packages.
# The signatures are just ignored on installing the packages from the cache.
# WARNING: while pacman verifies the package signatures using `/var/lib/pacman/sync/*.db`,
# the signature files in `/var/cache/pacman/pkg/*.sig` are apparently ignored
# at the time of writing this (Sep 2023).
#
# As a workaround, the signatures are verified with the `verify-var-cache-pacman-pkg.sh`
# script above, however, this script might not be as robust as `pacman -Sy`.
# This does not seem to cause a critical problem currently, though,
# `/var/cache/pacman/pkg/*.sig` are verified with the `verify-var-cache-pacman-pkg.sh` script
# above to avoid potential security issues with a future version of pacman.
# However, this script might not be robust.
#
# For ArchLinux, consider using https://github.com/reproducible-containers/repro-sources-list.sh
# instead.
10 changes: 5 additions & 5 deletions Dockerfile.debian
Original file line number Diff line number Diff line change
Expand Up @@ -36,11 +36,11 @@ for ir in /var/lib/apt/lists/*InRelease; do
verified=1
break
fi
done
if [ "${verified}" != "1" ]; then
echo >&2 "Failed to verify ${ir}"
exit 1
fi
done
if [ "${verified}" != "1" ]; then
echo >&2 "Failed to verify ${ir}"
exit 1
fi
echo "Verified: gpgv --keyring ${keyring} ${ir}"
done
EOT
Expand Down

0 comments on commit 43377aa

Please sign in to comment.