Use bitcoin-core verify.py script

See: https://github.com/bitcoin/bitcoin/tree/master/contrib/verify-binaries

Currently, we due to the way the bitcoin core verify script parses the
version we must download multiple linux builds, then only use the the
target arch. Hopefully the verify script can be updated to handle single
platform (architecture:os) downloads, and if so in the future this can
be updated.

Switch to a two-stage build (like alpine), as we now download python
which bloats the image size.

Author: willcl-ark

22/Dockerfile

@@ -1,67 +1,60 @@
-FROM debian:bullseye-slim
-
-ARG UID=101
-ARG GID=101
+FROM debian:bullseye-slim as builder
 
 LABEL maintainer.0="João Fonseca (@joaopaulofonseca)" \
   maintainer.1="Pedro Branco (@pedrobranco)" \
   maintainer.2="Rui Marinho (@ruimarinho)"
 
-RUN groupadd --gid ${GID} bitcoin \
-  && useradd --create-home --no-log-init -u ${UID} -g ${GID} bitcoin \
-  && apt-get update -y \
-  && apt-get install -y curl gnupg gosu \
+RUN apt-get update -y \
+  && apt-get install -y ca-certificates curl git gnupg gosu python3 wget --no-install-recommends \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 ARG TARGETPLATFORM
 ENV BITCOIN_VERSION=22.1
-ENV BITCOIN_DATA=/home/bitcoin/.bitcoin
-ENV PATH=/opt/bitcoin-${BITCOIN_VERSION}/bin:$PATH
+ENV SIGS_REPO_URL="https://github.com/bitcoin-core/guix.sigs.git"
+ENV SIGS_CLONE_DIR="guix.sigs"
+ENV VERIFY_SCRIPT_URL="https://raw.githubusercontent.com/bitcoin/bitcoin/master/contrib/verify-binaries/verify.py"
+ENV TMPDIR="/tmp/bitcoin_verify_binaries"
 
 RUN set -ex \
   && if [ "${TARGETPLATFORM}" = "linux/amd64" ]; then export TARGETPLATFORM=x86_64-linux-gnu; fi \
   && if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then export TARGETPLATFORM=aarch64-linux-gnu; fi \
   && if [ "${TARGETPLATFORM}" = "linux/arm/v7" ]; then export TARGETPLATFORM=arm-linux-gnueabihf; fi \
-  && for key in \
-    0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D \
-    152812300785C96444D3334D17565732E08E5E41 \
-    0AD83877C1F0CD1EE9BD660AD7CC770B81FD22A8 \
-    590B7292695AFFA5B672CBB2E13FC145CD3F4304 \
-    28F5900B1BB5D1A4B6B6D1A9ED357015286A333D \
-    637DB1E23370F84AFF88CCE03152347D07DA627C \
-    CFB16E21C950F67FA95E558F2EEB9F5CC09526C1 \
-    6E01EEC9656903B0542B8F1003DB6322267C373B \
-    D1DBF2C4B96F2DEBF4C16654410108112E7EA81F \
-    82921A4B88FD454B7EB8CE3C796C4109063D4EAF \
-    9DEAE0DC7063249FB05474681E4AED62986CD25D \
-    9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C \
-    74E2DEF5D77260B98BC19438099BAD163C70FBFA \
-  ; do \
-      gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" || \
-      gpg --batch --keyserver keys.openpgp.org --recv-keys "$key" || \
-      gpg --batch --keyserver pgp.mit.edu --recv-keys "$key" || \
-      gpg --batch --keyserver keyserver.pgp.com --recv-keys "$key" || \
-      gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key" || \
-      gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" ; \
-    done \
-  && curl -SLO https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/bitcoin-${BITCOIN_VERSION}-${TARGETPLATFORM}.tar.gz \
-  && curl -SLO https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS \
-  && curl -SLO https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS.asc \
-  && gpg --verify SHA256SUMS.asc SHA256SUMS \
-  && grep " bitcoin-${BITCOIN_VERSION}-${TARGETPLATFORM}.tar.gz" SHA256SUMS | sha256sum -c - \
-  && tar -xzf *.tar.gz -C /opt \
-  && rm *.tar.gz *.asc \
+  && git clone ${SIGS_REPO_URL} ${SIGS_CLONE_DIR} \
+  && gpg --import "${SIGS_CLONE_DIR}"/builder-keys/* \
+  && curl -o verify.py ${VERIFY_SCRIPT_URL} \
+  && chmod +x verify.py \
+  && ./verify.py \
+    --min-good-sigs 6 pub "${BITCOIN_VERSION}-linux" \
+  && tar -xzf "${TMPDIR}.${BITCOIN_VERSION}-linux/bitcoin-${BITCOIN_VERSION}-${TARGETPLATFORM}.tar.gz" -C /opt \
+  && rm -rf ${SIGS_CLONE_DIR} \
+  && rm -rf ${TMPDIR} \
   && rm -rf /opt/bitcoin-${BITCOIN_VERSION}/bin/bitcoin-qt
 
+# Second stage
+FROM debian:bullseye-slim
+
+ARG UID=101
+ARG GID=101
+
+ENV BITCOIN_DATA=/home/bitcoin/.bitcoin
+ENV BITCOIN_VERSION=22.1
+ENV PATH=/opt/bitcoin-${BITCOIN_VERSION}/bin:$PATH
+
+RUN groupadd --gid ${GID} bitcoin \
+  && useradd --create-home --no-log-init -u ${UID} -g ${GID} bitcoin \
+  && apt-get update -y \
+  && apt-get install -y gosu --no-install-recommends \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY --from=builder /opt/bitcoin-${BITCOIN_VERSION} /opt/bitcoin-${BITCOIN_VERSION}
+
 COPY docker-entrypoint.sh /entrypoint.sh
 
 VOLUME ["/home/bitcoin/.bitcoin"]
-
 EXPOSE 8332 8333 18332 18333 18443 18444 38333 38332
 
 ENTRYPOINT ["/entrypoint.sh"]
-
 RUN bitcoind -version | grep "Bitcoin Core version v${BITCOIN_VERSION}"
-
 CMD ["bitcoind"]

22/alpine/Dockerfile

@@ -17,7 +17,7 @@ RUN mkdir -p ${BERKELEYDB_PREFIX}
 
 WORKDIR /${BERKELEYDB_VERSION}/build_unix
 
-RUN ../dist/configure --enable-cxx --disable-shared --with-pic --prefix=${BERKELEYDB_PREFIX}
+RUN ../dist/configure --enable-cxx --disable-shared --with-pic --prefix=${BERKELEYDB_PREFIX} --build=aarch64-unknown-linux-gnu
 RUN make -j4
 RUN make install
 RUN rm -rf ${BERKELEYDB_PREFIX}/docs
@@ -35,62 +35,53 @@ RUN apk --no-cache add build-base
 RUN apk --no-cache add chrpath
 RUN apk --no-cache add file
 RUN apk --no-cache add gnupg
+RUN apk --no-cache add git
 RUN apk --no-cache add libevent-dev
 RUN apk --no-cache add libressl
 RUN apk --no-cache add libtool
 RUN apk --no-cache add linux-headers
 RUN apk --no-cache add sqlite-dev
 RUN apk --no-cache add zeromq-dev
-RUN set -ex \
-  && for key in \
-    0CCBAAFD76A2ECE2CCD3141DE2FFD5B1D88CA97D \
-    152812300785C96444D3334D17565732E08E5E41 \
-    0AD83877C1F0CD1EE9BD660AD7CC770B81FD22A8 \
-    590B7292695AFFA5B672CBB2E13FC145CD3F4304 \
-    28F5900B1BB5D1A4B6B6D1A9ED357015286A333D \
-    637DB1E23370F84AFF88CCE03152347D07DA627C \
-    CFB16E21C950F67FA95E558F2EEB9F5CC09526C1 \
-    6E01EEC9656903B0542B8F1003DB6322267C373B \
-    D1DBF2C4B96F2DEBF4C16654410108112E7EA81F \
-    82921A4B88FD454B7EB8CE3C796C4109063D4EAF \
-    9DEAE0DC7063249FB05474681E4AED62986CD25D \
-    9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C \
-    74E2DEF5D77260B98BC19438099BAD163C70FBFA \
-  ; do \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" || \
-    gpg --batch --keyserver keys.openpgp.org --recv-keys "$key" || \
-    gpg --batch --keyserver keyserver.pgp.com --recv-keys "$key" || \
-    gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key" || \
-    gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" ; \
-  done
 
 ENV BITCOIN_VERSION=22.1
 ENV BITCOIN_PREFIX=/opt/bitcoin-${BITCOIN_VERSION}
+ENV BITCOIN_SOURCE_DIR=/bitcoin/src
+ENV SIGS_REPO_URL="https://github.com/bitcoin-core/guix.sigs.git"
+ENV SIGS_CLONE_DIR="guix.sigs"
+ENV VERIFY_SCRIPT_URL="https://github.com/bitcoin/bitcoin/raw/master/contrib/verify-binaries/verify.py"
 
-RUN wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS
-RUN wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS.asc
-RUN wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/bitcoin-${BITCOIN_VERSION}.tar.gz
-RUN gpg --verify SHA256SUMS.asc SHA256SUMS
-RUN grep " bitcoin-${BITCOIN_VERSION}.tar.gz\$" SHA256SUMS | sha256sum -c -
-RUN tar -xzf *.tar.gz
-
-WORKDIR /bitcoin-${BITCOIN_VERSION}
+WORKDIR /bitcoin
+RUN set -ex \
+  && wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/bitcoin-${BITCOIN_VERSION}.tar.gz \
+  && wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS \
+  && wget https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS.asc \
+  && git clone ${SIGS_REPO_URL} ${SIGS_CLONE_DIR} \
+  && gpg --import "${SIGS_CLONE_DIR}"/builder-keys/* \
+  && wget -O verify.py ${VERIFY_SCRIPT_URL} \
+  && chmod +x verify.py \
+  && ./verify.py bin SHA256SUMS \
+    "bitcoin-${BITCOIN_VERSION}.tar.gz" \
+  && mkdir -p ${BITCOIN_SOURCE_DIR} \
+  && tar -xzf "bitcoin-${BITCOIN_VERSION}.tar.gz" -C ${BITCOIN_SOURCE_DIR} \
+  && rm -rf ${SIGS_CLONE_DIR}
+
+WORKDIR "${BITCOIN_SOURCE_DIR}/bitcoin-${BITCOIN_VERSION}"
 
 RUN sed -i '/AC_PREREQ/a\AR_FLAGS=cr' src/univalue/configure.ac
 RUN sed -i '/AX_PROG_CC_FOR_BUILD/a\AR_FLAGS=cr' src/secp256k1/configure.ac
 RUN sed -i s:sys/fcntl.h:fcntl.h: src/compat.h
 RUN ./autogen.sh
 RUN ./configure LDFLAGS=-L`ls -d /opt/db*`/lib/ CPPFLAGS=-I`ls -d /opt/db*`/include/ \
-    --prefix=${BITCOIN_PREFIX} \
-    --mandir=/usr/share/man \
-    --disable-tests \
-    --disable-bench \
-    --disable-ccache \
-    --with-gui=no \
-    --with-utils \
-    --with-libs \
-    --with-sqlite=yes \
-    --with-daemon
+  --prefix=${BITCOIN_PREFIX} \
+  --mandir=/usr/share/man \
+  --disable-tests \
+  --disable-bench \
+  --disable-ccache \
+  --with-gui=no \
+  --with-utils \
+  --with-libs \
+  --with-sqlite=yes \
+  --with-daemon
 RUN make -j4
 RUN make install
 RUN strip ${BITCOIN_PREFIX}/bin/bitcoin-cli
@@ -99,6 +90,7 @@ RUN strip ${BITCOIN_PREFIX}/bin/bitcoind
 RUN strip ${BITCOIN_PREFIX}/lib/libbitcoinconsensus.a
 RUN strip ${BITCOIN_PREFIX}/lib/libbitcoinconsensus.so.0.0.0
 
+# Build stage for compiled artifacts
 FROM alpine
 
 ARG UID=100

23/Dockerfile

@@ -1,71 +1,60 @@
-FROM debian:bullseye-slim
-
-ARG UID=101
-ARG GID=101
+FROM debian:bullseye-slim as builder
 
 LABEL maintainer.0="João Fonseca (@joaopaulofonseca)" \
   maintainer.1="Pedro Branco (@pedrobranco)" \
   maintainer.2="Rui Marinho (@ruimarinho)"
 
-RUN groupadd --gid ${GID} bitcoin \
-  && useradd --create-home --no-log-init -u ${UID} -g ${GID} bitcoin \
-  && apt-get update -y \
-  && apt-get install -y curl gnupg gosu \
+RUN apt-get update -y \
+  && apt-get install -y ca-certificates curl git gnupg gosu python3 wget --no-install-recommends \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 ARG TARGETPLATFORM
-ENV BITCOIN_VERSION=23.0
-ENV BITCOIN_DATA=/home/bitcoin/.bitcoin
-ENV PATH=/opt/bitcoin-${BITCOIN_VERSION}/bin:$PATH
+ENV BITCOIN_VERSION=23.2
+ENV SIGS_REPO_URL="https://github.com/bitcoin-core/guix.sigs.git"
+ENV SIGS_CLONE_DIR="guix.sigs"
+ENV VERIFY_SCRIPT_URL="https://raw.githubusercontent.com/bitcoin/bitcoin/master/contrib/verify-binaries/verify.py"
+ENV TMPDIR="/tmp/bitcoin_verify_binaries"
 
 RUN set -ex \
   && if [ "${TARGETPLATFORM}" = "linux/amd64" ]; then export TARGETPLATFORM=x86_64-linux-gnu; fi \
   && if [ "${TARGETPLATFORM}" = "linux/arm64" ]; then export TARGETPLATFORM=aarch64-linux-gnu; fi \
   && if [ "${TARGETPLATFORM}" = "linux/arm/v7" ]; then export TARGETPLATFORM=arm-linux-gnueabihf; fi \
-  && for key in \
-    152812300785C96444D3334D17565732E08E5E41 \
-    0AD83877C1F0CD1EE9BD660AD7CC770B81FD22A8 \
-    590B7292695AFFA5B672CBB2E13FC145CD3F4304 \
-    28F5900B1BB5D1A4B6B6D1A9ED357015286A333D \
-    637DB1E23370F84AFF88CCE03152347D07DA627C \
-    CFB16E21C950F67FA95E558F2EEB9F5CC09526C1 \
-    F4FC70F07310028424EFC20A8E4256593F177720 \
-    D1DBF2C4B96F2DEBF4C16654410108112E7EA81F \
-    287AE4CA1187C68C08B49CB2D11BD4F33F1DB499 \
-    F9A8737BF4FF5C89C903DF31DD78544CF91B1514 \
-    9DEAE0DC7063249FB05474681E4AED62986CD25D \
-    E463A93F5F3117EEDE6C7316BD02942421F4889F \
-    9D3CC86A72F8494342EA5FD10A41BDC3F4FAFF1C \
-    4DAF18FE948E7A965B30F9457E296D555E7F63A7 \
-    28E72909F1717FE9607754F8A7BEB2621678D37D \
-    74E2DEF5D77260B98BC19438099BAD163C70FBFA \
-  ; do \
-      gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" || \
-      gpg --batch --keyserver keys.openpgp.org --recv-keys "$key" || \
-      gpg --batch --keyserver pgp.mit.edu --recv-keys "$key" || \
-      gpg --batch --keyserver keyserver.pgp.com --recv-keys "$key" || \
-      gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key" || \
-      gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys "$key" ; \
-    done \
-  && curl -SL https://raw.githubusercontent.com/Kvaciral/kvaciral/main/kvaciral.asc | gpg --import \
-  && curl -SLO https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/bitcoin-${BITCOIN_VERSION}-${TARGETPLATFORM}.tar.gz \
-  && curl -SLO https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS \
-  && curl -SLO https://bitcoincore.org/bin/bitcoin-core-${BITCOIN_VERSION}/SHA256SUMS.asc \
-  && gpg --verify SHA256SUMS.asc SHA256SUMS \
-  && grep " bitcoin-${BITCOIN_VERSION}-${TARGETPLATFORM}.tar.gz" SHA256SUMS | sha256sum -c - \
-  && tar -xzf *.tar.gz -C /opt \
-  && rm *.tar.gz *.asc \
+  && git clone ${SIGS_REPO_URL} ${SIGS_CLONE_DIR} \
+  && gpg --import "${SIGS_CLONE_DIR}"/builder-keys/* \
+  && curl -o verify.py ${VERIFY_SCRIPT_URL} \
+  && chmod +x verify.py \
+  && ./verify.py \
+    --min-good-sigs 6 pub "${BITCOIN_VERSION}-linux" \
+  && tar -xzf "${TMPDIR}.${BITCOIN_VERSION}-linux/bitcoin-${BITCOIN_VERSION}-${TARGETPLATFORM}.tar.gz" -C /opt \
+  && rm -rf ${SIGS_CLONE_DIR} \
+  && rm -rf ${TMPDIR} \
   && rm -rf /opt/bitcoin-${BITCOIN_VERSION}/bin/bitcoin-qt
 
+# Second stage
+FROM debian:bullseye-slim
+
+ARG UID=101
+ARG GID=101
+
+ENV BITCOIN_DATA=/home/bitcoin/.bitcoin
+ENV BITCOIN_VERSION=23.2
+ENV PATH=/opt/bitcoin-${BITCOIN_VERSION}/bin:$PATH
+
+RUN groupadd --gid ${GID} bitcoin \
+  && useradd --create-home --no-log-init -u ${UID} -g ${GID} bitcoin \
+  && apt-get update -y \
+  && apt-get install -y gosu --no-install-recommends \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY --from=builder /opt/bitcoin-${BITCOIN_VERSION} /opt/bitcoin-${BITCOIN_VERSION}
+
 COPY docker-entrypoint.sh /entrypoint.sh
 
 VOLUME ["/home/bitcoin/.bitcoin"]
-
 EXPOSE 8332 8333 18332 18333 18443 18444 38333 38332
 
 ENTRYPOINT ["/entrypoint.sh"]
-
 RUN bitcoind -version | grep "Bitcoin Core version v${BITCOIN_VERSION}"
-
 CMD ["bitcoind"]