fix: Pass GPG key ids as separate arguments when exporting. #328
+3
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This makes sure all keys are exported to a keyring archive, as opposed to only the first key.
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR updates the GPG export step to pass each key ID as a separate argument, ensuring all specified keys are included in the archive.
- Removed quotes around
$NGINX_GPGKEYSin thegpg1 --exportcommand to allow shell splitting of multiple key IDs. - Applied the change consistently in stable, mainline, and templated Dockerfiles.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| stable/debian/Dockerfile | Drop quotes around $NGINX_GPGKEYS so multiple keys are exported |
| mainline/debian/Dockerfile | Same change for the mainline Debian build |
| Dockerfile-debian.template | Same change in the shared template |
Comments suppressed due to low confidence (2)
stable/debian/Dockerfile:41
- Add a CI test or validation step to confirm that multiple GPG keys are correctly exported into the archive after this change.
gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \
Dockerfile-debian.template:36
- [nitpick] This export block is duplicated across stable, mainline, and template files. Consider extracting it into a shared script or build snippet to reduce repetition and ease future updates.
gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \
| test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \ | ||
| done; \ | ||
| gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ | ||
| gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \ |
There was a problem hiding this comment.
Unquoted variable expansions can trigger pathname expansion (globbing). Consider disabling globbing (e.g., set -o noglob) or iterating explicitly over each key to pass them safely.
Suggested change
| gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \ | |
| gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \ |
alessfg
approved these changes
Jul 15, 2025
alessfg
changed the title
Member
|
Tests are failing due to the way the build pipeline works. As long as the first build succeeds the remainder builds will work once the pipeline is merged into main. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This makes sure all keys are exported to a keyring archive, as opposed to only the first key.
Same as in nginx/docker-nginx@0b49b8b