[FIX] Odoo 10.0-12.0: use a more secure way to download keys

d-fence · d-fence · commit 87f0174dca7f · 2019-01-30T15:43:24.000+01:00
At build time, curl is used to download gnupg keys without any verification. This does not meet the Docker hub requirements: https://github.com/docker-library/official-images#security With this commit, gpg is used to download the keys with the best method specified in the requirements.
diff --git a/10.0/Dockerfile b/10.0/Dockerfile
@@ -7,6 +7,7 @@ RUN set -x; \
         && apt-get install -y --no-install-recommends \
             ca-certificates \
             curl \
+            dirmngr \
             node-less \
             python-gevent \
             python-ldap \
@@ -27,7 +28,10 @@ RUN set -x; \
 # install latest postgresql-client
 RUN set -x; \
         echo 'deb http://apt.postgresql.org/pub/repos/apt/ jessie-pgdg main' > etc/apt/sources.list.d/pgdg.list \
-        && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+        && export GNUPGHOME="$(mktemp -d)" \
+        && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
+        && gpg --armor --export ACCC4CF8 | apt-key add - \
+        && rm -rf "$GNUPGHOME" \
         && apt-get update  \
         && apt-get install -y postgresql-client
 
diff --git a/11.0/Dockerfile b/11.0/Dockerfile
@@ -10,6 +10,7 @@ RUN set -x; \
         && apt-get install -y --no-install-recommends \
             ca-certificates \
             curl \
+            dirmngr \
             fonts-noto-cjk \
             gnupg \
             libssl1.0-dev \
@@ -31,7 +32,11 @@ RUN set -x; \
 # install latest postgresql-client
 RUN set -x; \
         echo 'deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' > etc/apt/sources.list.d/pgdg.list \
-        && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+        && export GNUPGHOME="$(mktemp -d)" \
+        && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
+        && gpg --armor --export ACCC4CF8 | apt-key add - \
+        && gpgconf --kill all \
+        && rm -rf "$GNUPGHOME" \
         && apt-get update  \
         && apt-get install -y postgresql-client
 
diff --git a/12.0/Dockerfile b/12.0/Dockerfile
@@ -10,6 +10,7 @@ RUN set -x; \
         && apt-get install -y --no-install-recommends \
             ca-certificates \
             curl \
+            dirmngr \
             fonts-noto-cjk \
             gnupg \
             libssl1.0-dev \
@@ -31,14 +32,22 @@ RUN set -x; \
 # install latest postgresql-client
 RUN set -x; \
         echo 'deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main' > etc/apt/sources.list.d/pgdg.list \
-        && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+        && export GNUPGHOME="$(mktemp -d)" \
+        && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ACCC4CF8 \
+        && gpg --armor --export ACCC4CF8 | apt-key add - \
+        && gpgconf --kill all \
+        && rm -rf "$GNUPGHOME" \
         && apt-get update  \
         && apt-get install -y postgresql-client
 
 # Install rtlcss (on Debian stretch)
 RUN set -x;\
-    curl -sSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key | apt-key add - \
-    && echo "deb http://deb.nodesource.com/node_8.x stretch main" > /etc/apt/sources.list.d/nodesource.list \
+    echo "deb http://deb.nodesource.com/node_8.x stretch main" > /etc/apt/sources.list.d/nodesource.list \
+    && export GNUPGHOME="$(mktemp -d)" \
+    && gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 68576280 \
+    && gpg --armor --export 68576280 | apt-key add - \
+    && gpgconf --kill all \
+    && rm -rf "$GNUPGHOME" \
     && apt-get update \
     && apt-get install -y nodejs \
     && npm install -g rtlcss
