commit: 69b54f245882605ddc46e03fb066f885352deb07 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sat Jan 3 03:09:09 2026 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sat Jan 3 03:10:09 2026 +0000 URL: https://gitweb.gentoo.org/proj/docker-images.git/commit/?id=69b54f24
stage3.Dockerfile: use `--output` with cleartext signatures The latest*.txt files use cleartext signatures, so use `gpg --output ...` and operate on that instead. This means we're definitely operating on the verified content and nothing else. See https://gnupg.org/blog/20251226-cleartext-signatures.html. Signed-off-by: Sam James <sam <AT> gentoo.org> stage3.Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/stage3.Dockerfile b/stage3.Dockerfile
index cfa491b..19eab3e 100644
--- a/stage3.Dockerfile
+++ b/stage3.Dockerfile
@@ -43,8 +43,8 @@ RUN <<-EOF
# obtain and extract stage3
wget -q -- "${DIST}/latest-stage3-${MICROARCH}${SUFFIX}.txt"
- gpg --batch --verify -- "latest-stage3-${MICROARCH}${SUFFIX}.txt"
- STAGE3PATH="$(sed -n '6p' "latest-stage3-${MICROARCH}${SUFFIX}.txt" | cut -f 1 -d ' ')"
+ gpg --batch --output latest.txt --verify -- "latest-stage3-${MICROARCH}${SUFFIX}.txt"
+ STAGE3PATH="$(sed -n '6p' "latest.txt" | cut -f 1 -d ' ')"
echo "STAGE3PATH:" ${STAGE3PATH}
STAGE3="$(basename ${STAGE3PATH})"
wget -q "${DIST}/${STAGE3PATH}" "${DIST}/${STAGE3PATH}.asc"
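Review bot: `sed -n '6p'` on the second added line still uses the line number that was counted in the armored file, but `latest.txt` now holds only the signed payload. gpg's `--output` presumably drops the `-----BEGIN PGP SIGNED MESSAGE-----` line, the `Hash:` header and the blank separator, so the path entry likely sits three lines earlier and `STAGE3PATH` could come out empty or wrong; the file's layout is not visible in this hunk, so confirm against a real `latest.txt`. Selecting by content instead of position would survive such shifts, e.g. `STAGE3PATH="$(grep -v '^#' latest.txt | head -n 1 | cut -f 1 -d ' ')"` (assuming non-entry lines are `#` comments), followed by `[ -n "${STAGE3PATH}" ] || exit 1` so an empty result stops the build before the next `wget`. The enclosing `RUN <<-EOF` heredoc starts and ends outside the hunk.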
