commit:     f78974a15c5450b7aa866bdcd344add7f52f33c3
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sat Jan  3 02:07:56 2026 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Jan  3 02:56:53 2026 +0000
URL:        https://gitweb.gentoo.org/proj/docker-images.git/commit/?id=f78974a1

{portage,stage3}.Dockerfile: use gpg --status-fd

See 
https://www.gnupg.org/documentation/manuals/gnupg/Automated-signature-checking.html
and gpg(1):
> Note that signature verification requires exact knowledge of what has been
> signed and by whom it has been signed.  Using only the return code is thus
> not an appropriate way to verify a signature by a script. Either make proper
> use or the status codes or use the gpgv tool which has been designed to make
> signature verification easy for scripts.

Also, switch to hardcoding primary keys (so we can lsign them) and their
corresponding (longer) fingerprints.

Signed-off-by: Sam James <sam <AT> gentoo.org>

 portage.Dockerfile | 19 ++++++++++++++++---
 stage3.Dockerfile  | 18 ++++++++++++++----
 2 files changed, 30 insertions(+), 7 deletions(-)

diff --git a/portage.Dockerfile b/portage.Dockerfile
index 01aa307..1e35e04 100644
--- a/portage.Dockerfile
+++ b/portage.Dockerfile
@@ -7,13 +7,16 @@
 # docker-17.05.0 or later. It fetches a daily snapshot from the official
 # sources and verifies its checksum as well as its gpg signature.
 
-FROM --platform=$BUILDPLATFORM alpine:3.19 as builder
+FROM --platform=$BUILDPLATFORM alpine:3.23 as builder
 
 WORKDIR /portage
 
 ARG SNAPSHOT="portage-latest.tar.xz"
 ARG DIST="https://ftp-osl.osuosl.org/pub/gentoo/snapshots";
-ARG SIGNING_KEY="0xEC590EEAC9189250"
+ARG SIGNING_KEY="0xDCD05B71EAB94199527F44ACDB6B8C1F96D8BF6D"
+
+RUN apk --no-cache add bash
+SHELL ["/bin/bash", "-c"]
 
 RUN <<-EOF
     set -e
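Review bot: The new `RUN apk --no-cache add bash` / `SHELL ["/bin/bash", "-c"]` pair at the end of this hunk carries no explanation of why the builder now needs bash, and the package is unpinned (hadolint DL3018). A one-line comment such as `# bash: the verify step below parses gpg --status-fd output with [[ ]] and $(<file)` would tell the next maintainer the package cannot be dropped. Consider `-o pipefail` in the SHELL array if the heredoc ever gains a pipeline, though no pipe is visible in this diff. The same two lines are added to stage3.Dockerfile in the `@@ -16,7 +16,10 @@` hunk.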
@@ -31,12 +34,22 @@ RUN <<-EOF
        GPG
     gpg --keyserver hkps://keys.gentoo.org --recv-keys ${SIGNING_KEY} || \
       gpg --auto-key-locate=clear,nodefault,wkd --locate-key [email protected]
-    gpg --verify "${SNAPSHOT}.gpgsig" "${SNAPSHOT}"
+    gpg --batch --passphrase '' --no-default-keyring --quick-generate-key me@localhost
+    gpg --no-default-keyring --quick-lsign-key ${SIGNING_KEY}
+
+    gpg_temp=$(mktemp -d)
+    gpg --batch --status-fd 3 --verify "${SNAPSHOT}.gpgsig" "${SNAPSHOT}" 3> ${gpg_temp}/gpg.status
+    for token in GOODSIG VALIDSIG TRUST_FULLY; do
+        [[ $'\n'$(<${gpg_temp}/gpg.status) == *$'\n[GNUPG:] '"${token} "* ]] || exit 1
+    done
+
     md5sum -c ${SNAPSHOT}.md5sum
     mkdir -p var/db/repos var/cache/binpkgs var/cache/distfiles
     tar xJpf ${SNAPSHOT} -C var/db/repos
     mv var/db/repos/portage var/db/repos/gentoo
     rm ${SNAPSHOT} ${SNAPSHOT}.gpgsig ${SNAPSHOT}.md5sum
+    rm ${gpg_temp}/gpg.status
+    rmdir ${gpg_temp}
 EOF
 
 FROM busybox:latest
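Review bot: The status-line loop added after the `--verify` call checks that GOODSIG, VALIDSIG and TRUST_FULLY tokens appear but never ties them to `${SIGNING_KEY}`, so it still does not establish "by whom" as the gpg(1) text quoted in the commit message requires; the keyring also holds whatever the WKD fallback on the preceding context line located. On GnuPG 2.x the VALIDSIG line ends with the primary-key fingerprint, so one extra line after the loop binds the signature to the pinned key: `[[ $'\n'$(<${gpg_temp}/gpg.status)$'\n' == *$'\n[GNUPG:] VALIDSIG '*" ${SIGNING_KEY#0x}"$'\n'* ]] || exit 1` (the trailing `$'\n'` is needed because `$(<file)` strips the final newline). Separately, `--no-default-keyring` on the two new key-generation/lsign lines is passed without `--keyring`; per gpg(1) gpg then still uses the default keyring, so the flag appears to be a no-op and deserves either removal or a comment stating the intent. The same loop and flags are added to stage3.Dockerfile in the `@@ -35,6 +38,8 @@` and `@@ -43,7 +48,11 @@` hunks.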

diff --git a/stage3.Dockerfile b/stage3.Dockerfile
index 5ea217b..7b8620d 100644
--- a/stage3.Dockerfile
+++ b/stage3.Dockerfile
@@ -8,7 +8,7 @@
 # sources and verifies its checksum as well as its gpg signature.
 
 ARG BOOTSTRAP
-FROM --platform=$BUILDPLATFORM ${BOOTSTRAP:-alpine:3.19} as builder
+FROM --platform=$BUILDPLATFORM ${BOOTSTRAP:-alpine:3.23} as builder
 
 WORKDIR /gentoo
 
@@ -16,7 +16,10 @@ ARG ARCH=amd64
 ARG MICROARCH=amd64
 ARG SUFFIX
 ARG DIST="https://ftp-osl.osuosl.org/pub/gentoo/releases/${ARCH}/autobuilds";
-ARG SIGNING_KEY="0xBB572E0E2D182910"
+ARG SIGNING_KEY="0x13EBBDBEDE7A12775DFDB1BABB572E0E2D182910"
+
+RUN apk --no-cache add bash
+SHELL ["/bin/bash", "-c"]
 
 RUN <<-EOF
     set -e
@@ -35,6 +38,8 @@ RUN <<-EOF
        GPG
     gpg --keyserver hkps://keys.gentoo.org --recv-keys ${SIGNING_KEY} || \
        gpg --auto-key-locate=clear,nodefault,wkd --locate-key [email protected]
+    gpg --batch --passphrase '' --no-default-keyring --quick-generate-key me@localhost
+    gpg --no-default-keyring --quick-lsign-key ${SIGNING_KEY}
 
     # obtain and extract stage3
     wget -q "${DIST}/latest-stage3-${MICROARCH}${SUFFIX}.txt"
@@ -43,7 +48,11 @@ RUN <<-EOF
     echo "STAGE3PATH:" ${STAGE3PATH}
     STAGE3="$(basename ${STAGE3PATH})"
     wget -q "${DIST}/${STAGE3PATH}" "${DIST}/${STAGE3PATH}.asc"
-    gpg --verify "${STAGE3}.asc" "${STAGE3}"
+    gpg_temp=$(mktemp -d)
+    gpg --batch --status-fd 3 --verify "${STAGE3}.asc" "${STAGE3}" 3> ${gpg_temp}/gpg.status
+    for token in GOODSIG VALIDSIG TRUST_FULLY; do
+        [[ $'\n'$(<${gpg_temp}/gpg.status) == *$'\n[GNUPG:] '"${token} "* ]] || exit 1
+    done
     tar xpf "${STAGE3}" --xattrs-include='*.*' --numeric-owner
 
     # modify stage3
@@ -51,7 +60,8 @@ RUN <<-EOF
     echo 'UTC' > etc/timezone
 
     # cleanup
-    rm ${STAGE3}.asc ${STAGE3}
+    rm "${STAGE3}".asc "${STAGE3}" "${gpg_temp}"/gpg.status
+    rmdir "${gpg_temp}"
 EOF
 
 FROM scratch
