caiok commented on issue #419: Dockerfile: automatic the signature verification
URL: https://github.com/apache/bookkeeper/issues/419#issuecomment-321017309
 
 
@jiazhai Are you sure that the public key used to sign the release packages varies from one version to another? I think it usually should not.

Anyway, I'm not sure that there is a simpler way to achieve this. When you create the image with that key you are saying that you and the developers who approved that image trust that key, and even if an attacker succeeds in providing you a fake package at build time, that package won't pass the validation.
If you, for instance, download that key from somewhere (maybe from the same location as the packages) you substantially invalidate that precaution.

Do you already have an implementation idea for this proposal?
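One way to express the build-time approach described in the comment as a Dockerfile, shown beside the weaker "fetch the key from the download site" pattern (an added example, not from the BookKeeper project or its Dockerfile; the release URL, version, tarball name and key fingerprint are placeholders):

```dockerfile
# Added example, not BookKeeper's own Dockerfile. Assumptions: the release
# tarball and its detached .asc signature live under RELEASE_URL, and the
# maintainer has committed the signer's public key as ./release-key.asc next
# to this Dockerfile after checking its fingerprint out of band (placeholder).
FROM debian:bookworm-slim

ARG BK_VERSION=0.0.0-example                        # placeholder version
ARG RELEASE_URL=https://example.invalid/bookkeeper  # placeholder URL
ARG TARBALL=bookkeeper-${BK_VERSION}.tar.gz         # placeholder file name
# Expected fingerprint of the committed key; the build stops if it differs.
ARG RELEASE_KEY_FPR=0000000000000000000000000000000000000000  # placeholder

RUN apt-get update \
    && apt-get install -y --no-install-recommends gnupg curl ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Weak pattern (kept only for contrast): the key comes from the same place as
# the package, so whoever can replace the tarball can replace the key too.
#   RUN curl -fsSL "$RELEASE_URL/KEYS" | gpg --batch --import

# Stronger pattern: the key is part of the build context and reviewed in git.
# The file should contain only the release signer's key, because gpg --verify
# accepts a good signature from any key in the keyring.
COPY release-key.asc /tmp/release-key.asc

WORKDIR /tmp
RUN set -eux; \
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --import /tmp/release-key.asc; \
    # Refuse to continue if the committed key is not the expected one.
    gpg --batch --with-colons --fingerprint \
        | grep -q "^fpr:::::::::${RELEASE_KEY_FPR}:$"; \
    curl -fsSLO "$RELEASE_URL/$TARBALL"; \
    curl -fsSLO "$RELEASE_URL/$TARBALL.asc"; \
    # gpg exits non-zero on a bad or unknown signature, which fails the build
    # under set -e, so a swapped tarball never reaches the image.
    gpg --batch --verify "$TARBALL.asc" "$TARBALL"; \
    mkdir -p /opt/bookkeeper; \
    tar -xzf "$TARBALL" -C /opt/bookkeeper --strip-components=1; \
    rm -rf "$GNUPGHOME" /tmp/*
```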
 