reverse: verify tarballs using gpg

2025-04-20 04:19:18 +00:00 · 2016-05-08 19:54:52 +02:00 · 2016-05-08 19:54:52 +02:00 · 8cbc597628
commit 8cbc597628
parent 0a05ebdd05
1 changed files with 43 additions and 18 deletions
--- a/reverse/Dockerfile
+++ b/reverse/Dockerfile
@ -1,15 +1,18 @@
 FROM alpine:3.3
 MAINTAINER Wonderfall <wonderfall@mondedie.fr>
-ARG NGINX_VER=1.10.0
+ARG NGINX_VERSION=1.10.0
-ARG LIBRESSL_VER=2.3.4
+ARG LIBRESSL_VERSION=2.3.4
 ARG SIGNATURE=secret
 ARG BUILD_CORES
 ARG GPG_brent="A1EB 079B 8D3E B92B 4EBD  3139 663A F51B D5E4 D8D5"
 ARG GPG_mdounin="B0F4 2533 73F8 F6F5 10D4  2178 520A 9993 A1C0 52F8"
 ENV UID=991 GID=991
 RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
- && NB_CORES=${BUILD_CORES-`getconf _NPROCESSORS_CONF`} \
+ && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \
 && BUILD_DEPS=" \
    build-base \
    linux-headers \
@ -21,9 +24,10 @@ RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/ap
    libtool \
    pcre-dev \
    zlib-dev \
-    binutils" \
+    binutils
    gnupg" \
 && apk -U add \
-    $BUILD_DEPS \
+    ${BUILD_DEPS} \
    pcre \
    zlib \
    libgcc \
@ -32,22 +36,43 @@ RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/ap
    openssl \
    tini@commuedge \
 && cd /tmp && git clone https://github.com/bagder/libbrotli && cd libbrotli \
- && ./autogen.sh && ./configure && make -j $NB_CORES && make install \
+ && ./autogen.sh && ./configure && make -j ${NB_CORES} && make install \
 && mkdir /tmp/ngx_brotli && cd /tmp/ngx_brotli \
 && wget -qO- https://github.com/google/ngx_brotli/archive/master.tar.gz | tar xz --strip 1 \
- && mkdir /tmp/libressl && cd /tmp/libressl \
+ && cd /tmp \
- && wget -qO- http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-$LIBRESSL_VER.tar.gz | tar xz --strip 1 \
+ && LIBRESSL_TARBALL="libressl-${LIBRESSL_VERSION}.tar.gz" \
 && wget -q http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${LIBRESSL_TARBALL} \
 && echo "Verifying ${LIBRESSL_TARBALL} using GPG..." \
 && wget -q http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${LIBRESSL_TARBALL}.asc \
 && wget -q http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl.asc \
 && gpg --import libressl.asc \
 && FINGERPRINT="$(LANG=C gpg --verify ${LIBRESSL_TARBALL}.asc ${LIBRESSL_TARBALL} 2>&1 \
  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
 && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
 && if [ "${FINGERPRINT}" != "${GPG_brent}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
 && echo "All seems good, now unpacking ${LIBRESSL_TARBALL}..." \
 && tar xzf ${LIBRESSL_TARBALL} && cd libressl-${LIBRESSL_VERSION} \
 && ./configure \
    LDFLAGS=-lrt \
    CFLAGS=-fstack-protector-strong \
    --prefix=/tmp/libressl/.openssl/ \
    --enable-shared=no \
- && make install-strip -j $NB_CORES \
+ && make install-strip -j ${NB_CORES} \
- && mkdir /tmp/nginx && cd /tmp/nginx \
+ && cd /tmp \
- && wget -qO- http://nginx.org/download/nginx-$NGINX_VER.tar.gz | tar zxf - \
+ && NGINX_TARBALL="nginx-${NGINX_VERSION}.tar.gz" \
- && cd nginx-$NGINX_VER \
+ && wget -q http://nginx.org/download/${NGINX_TARBALL} \
- && sed -i -e "s/\"Server: nginx\" CRLF/\"Server: $SIGNATURE\" CRLF/g" \
+ && echo "Verifying ${NGINX_TARBALL} using GPG..." \
-    -e "s/\"Server: \" NGINX_VER CRLF/\"Server: $SIGNATURE\" NGINX_VER CRLF/g" \
+ && wget -q http://nginx.org/download/${NGINX_TARBALL}.asc \
 && wget -q http://nginx.org/keys/mdounin.key \
 && gpg --import mdounin.key \
 && FINGERPRINT="$(LANG=C gpg --verify ${NGINX_TARBALL}.asc ${NGINX_TARBALL} 2>&1 \
  | sed -n "s#Primary key fingerprint: \(.*\)#\1#p")" \
 && if [ -z "${FINGERPRINT}" ]; then echo "Warning! Invalid GPG signature!" && exit 1; fi \
 && if [ "${FINGERPRINT}" != "${GPG_mdounin}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \
 && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \
 && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \
 && sed -i -e "s/\"Server: nginx\" CRLF/\"Server: ${SIGNATURE}\" CRLF/g" \
    -e "s/\"Server: \" NGINX_VER CRLF/\"Server: ${SIGNATURE}\" NGINX_VER CRLF/g" \
    src/http/ngx_http_header_filter_module.c \
 && ./configure \
    --with-http_ssl_module \
@ -75,10 +100,10 @@ RUN echo "@commuedge http://nl.alpinelinux.org/alpine/edge/community" >> /etc/ap
    --error-log-path=/var/log/nginx/error.log \
    --sbin-path=/usr/local/sbin/nginx \
    --add-module=/tmp/ngx_brotli \
- && make -j $NB_CORES && make install \
+ && make -j ${NB_CORES} && make install \
 && make clean \
 && strip -s /usr/local/sbin/nginx \
- && apk del $BUILD_DEPS \
+ && apk del ${BUILD_DEPS} \
 && rm -rf /tmp/* /var/cache/apk/*
 COPY nginx.conf /etc/nginx/conf/nginx.conf
@ -91,7 +116,7 @@ EXPOSE 8000 4430
 VOLUME /sites-enabled /conf.d /passwds /certs /var/log/nginx
 LABEL description="Secure reverse proxy using nginx" \
-      libressl="LibreSSL v$LIBRESSL_VER" \
+      libressl="LibreSSL v${LIBRESSL_VERSION}" \
-      nginx="nginx v$NGINX_VER"
+      nginx="nginx v${NGINX_VERSION}"
 CMD ["tini","--","run.sh"]