madrob commented on code in PR #4:
URL: https://github.com/apache/solr-docker/pull/4#discussion_r872725869


##########
9.0/Dockerfile:
##########
@@ -39,24 +38,30 @@ ARG 
SOLR_ARCHIVE_URL="https://archive.apache.org/dist/solr/solr/$SOLR_VERSION/so
 
 RUN set -ex; \
   apt-get update; \
-  apt-get -y install wget gpg; \
+  apt-get -y install wget gpg dirmngr; \
   rm -rf /var/lib/apt/lists/*; \
   export GNUPGHOME="/tmp/gnupg_home"; \
   mkdir -p "$GNUPGHOME"; \
   chmod 700 "$GNUPGHOME"; \
   echo "disable-ipv6" >> "$GNUPGHOME/dirmngr.conf"; \
-  for key in $SOLR_KEYS; do \
-    found=''; \
-    for server in \
-      pgp.mit.edu \
-      keyserver.ubuntu.com \
-      hkp://keyserver.ubuntu.com:80 \
-    ; do \
-      echo "  trying $server for $key"; \
-      gpg --batch --keyserver "$server" --keyserver-options timeout=10 
--recv-keys "$key" && found=yes && break; \
-      gpg --batch --keyserver "$server" --keyserver-options timeout=10 
--recv-keys "$key" && found=yes && break; \
-    done; \
-    test -z "$found" && echo >&2 "error: failed to fetch $key from several 
disparate servers -- network issues?" && exit 1; \
+  if [ -n "$SOLR_KEYS" ]; then \
+    # Install all Solr GPG Keys
+    wget -nv "https://downloads.apache.org/solr/KEYS"; -O "SOLR_KEYS"; \
+    gpg \
+      --key-origin 'url,https://downloads.apache.org/solr/KEYS' \
+      --import SOLR_KEYS; \
+    rm SOLR_KEYS; \
+    # Export the keys explicitly mentioned in the Dockerfile
+    gpg --export ${SOLR_KEYS} > SAVED_KEYS; \
+    # Start from scratch
+    gpg --list-keys --with-colons \
+      | awk -F: '$1 == "pub" && ($2 == "e" || $2 == "r") { print $5 }' \
+      | xargs gpg --batch --yes --delete-keys; \
+    # Re-import the keys that we saved \
+    gpg --import SAVED_KEYS; \
+    rm SAVED_KEYS; \
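
Review bot: The "Start from scratch" step does not empty the keyring. The awk filter `$1 == "pub" && ($2 == "e" || $2 == "r")` selects only expired or revoked public keys, so when SAVED_KEYS is re-imported the keyring still holds every other key from the KEYS file, not just those in `$SOLR_KEYS`. Either delete every `pub` entry (drop the validity test) or import SAVED_KEYS into a fresh `GNUPGHOME`. Also, `xargs` is called without `-r`, so when the filter matches nothing it still runs `gpg --batch --yes --delete-keys` with no key arguments. On the `wget` line as shown here, the `;` after the URL ends the command before `-O "SOLR_KEYS"`.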

Review Comment:
   We could do `--import-filter keep-uid="uid =~ Jan"` and then validate that 
the key with the expected fingerprint exists afterward. That lets us skip the 
import/export dance, but we'd need to change it each time for each release.
   
   Still trying to figure out if we can filter on the key itself.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
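
The "validate that the key with the expected fingerprint exists afterward" step from the review comment, as an added example that is not code from the PR or the reviewer: a POSIX shell check over `gpg --list-keys --with-colons` output. It assumes `$SOLR_KEYS` holds full 40-hex fingerprints and GnuPG 2.1+ (which emits `fpr` records in colon listings); `check_pinned_keys`, `sample_listing`, `PIN_A`/`PIN_B` and the listing itself are constructed for illustration.

```shell
#!/bin/sh
# check_pinned_keys FPR... : reads `gpg --list-keys --with-colons` output on
# stdin and succeeds only if the primary keys present are exactly the pinned
# fingerprints, none expired or revoked. Problems are printed one per line.
check_pinned_keys() {
  awk -F: -v want="$*" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) expected[toupper(w[i])] = 1 }
    $1 == "pub" { primary = 1; validity = $2; next }   # field 2: e or r = expired or revoked
    $1 == "sub" { primary = 0; next }                  # skip subkey fingerprints
    $1 == "fpr" && primary {                           # field 10: full fingerprint
      primary = 0; fp = toupper($10); seen[fp] = 1
      if (!(fp in expected)) { print "unexpected key: " fp; bad = 1 }
      else if (validity == "e" || validity == "r") { print "expired or revoked: " fp; bad = 1 }
    }
    END {
      for (fp in expected) if (!(fp in seen)) { print "missing key: " fp; bad = 1 }
      exit bad + 0
    }
  '
}

# Constructed fingerprints and colon listing (not real keys): key A is valid
# and has one subkey, key B is expired.
PIN_A=0123456789ABCDEF0123456789ABCDEF01234567
PIN_B=FEDCBA9876543210FEDCBA9876543210FEDCBA98
sample_listing() {
  cat <<EOF
tru::1:1650000000:0:3:1:5
pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC::::::23::0:
fpr:::::::::$PIN_A:
uid:-::::1500000000::0000::Release Manager A <a@example.invalid>::::::::::0:
sub:-:4096:1:2222222222222222:1500000000::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
pub:e:4096:1:76543210FEDCBA98:1400000000:1500000000::-:::sc::::::23::0:
fpr:::::::::$PIN_B:
uid:e::::1400000000::0000::Release Manager B <b@example.invalid>::::::::::0:
EOF
}

# Demo: pin only PIN_A; the second key in the listing is reported as unexpected.
sample_listing | check_pinned_keys "$PIN_A" || echo "keyring does not match pinned fingerprints"
```

In the Dockerfile this would run as `gpg --batch --list-keys --with-colons | check_pinned_keys $SOLR_KEYS` after the import, so that under `set -ex` the build stops if the keyring holds anything other than the pinned keys.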
