Make the base URL used for downloads configurable and restore signature verification (we now default to auto-signing key #2, which is also now configurable). Slightly rearranges the way the shell command is handled in the process.

gwynne · gwynne · commit 86dc3fb52853 · 2019-08-25T14:45:04.000-05:00
diff --git a/5.1/ubuntu/18.04/Dockerfile b/5.1/ubuntu/18.04/Dockerfile
@@ -29,27 +29,24 @@ ARG SWIFT_SIGNING_KEY=8513444E2DA36B7C1659AF4D7638F1FB2B2B08C4
 ARG SWIFT_PLATFORM=ubuntu18.04
 ARG SWIFT_BRANCH=swift-5.1-branch
 ARG SWIFT_VERSION=swift-5.1-DEVELOPMENT-SNAPSHOT-2019-08-24-a
+ARG SWIFT_WEBROOT=https://swift.org/builds/
 
 ENV SWIFT_SIGNING_KEY=$SWIFT_SIGNING_KEY \
     SWIFT_PLATFORM=$SWIFT_PLATFORM \
     SWIFT_BRANCH=$SWIFT_BRANCH \
-    SWIFT_VERSION=$SWIFT_VERSION
+    SWIFT_VERSION=$SWIFT_VERSION \
+    SWIFT_WEBROOT=$SWIFT_WEBROOT
 
-# Download GPG keys, signature and Swift package, then unpack, cleanup and execute permissions for foundation libs
-RUN SWIFT_URL=https://swift.org/builds/$SWIFT_BRANCH/$(echo "$SWIFT_PLATFORM" | tr -d .)/$SWIFT_VERSION/$SWIFT_VERSION-$SWIFT_PLATFORM.tar.gz \
-    && curl -fSsL $SWIFT_URL -o swift.tar.gz \
-#    && curl -fSsL $SWIFT_URL.sig -o swift.tar.gz.sig \
-#    && export GNUPGHOME="$(mktemp -d)" \
-#    && set -e; \
-#        for key in \
-#      # pub   4096R/ED3D1561 2019-03-22 [expires: 2021-03-21]
-#      #       Key fingerprint = A62A E125 BBBF BB96 A6E0  42EC 925C C1CC ED3D 1561
-#      # uid                  Swift 5.x Release Signing Key <swift-infrastructure@swift.org          
-#          A62AE125BBBFBB96A6E042EC925CC1CCED3D1561 \
-#        ; do \
-#          gpg --quiet --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
-#        done \
-#    && gpg --batch --verify --quiet swift.tar.gz.sig swift.tar.gz \
+RUN set -e; \
+    SWIFT_WEBDIR="$SWIFT_WEBROOT/$SWIFT_BRANCH/$(echo $SWIFT_PLATFORM | tr -d .)/" \
+    && SWIFT_BIN_URL="$SWIFT_WEBDIR/$SWIFT_VERSION/$SWIFT_VERSION-$SWIFT_PLATFORM.tar.gz" \
+    && SWIFT_SIG_URL="$SWIFT_BIN_URL.sig" \
+    # - Download the GPG keys, Swift toolchain, and toolchain signature, and verify.
+    && export GNUPGHOME="$(mktemp -d)" \
+    && curl -fsSL "$SWIFT_BIN_URL" -o swift.tar.gz "$SWIFT_SIG_URL" -o swift.tar.gz.sig \
+    && gpg --batch --quiet --keyserver ha.pool.sks-keyservers.net --recv-keys "$SWIFT_SIGNING_KEY" \
+    && gpg --batch --quiet --verify swift.tar.gz.sig swift.tar.gz \
+    # - Unpack the toolchain, set libs permissions, and clean up.
     && tar -xzf swift.tar.gz --directory / --strip-components=1 \
     && chmod -R o+r /usr/lib/swift \
     && rm -rf "$GNUPGHOME" swift.tar.gz.sig swift.tar.gz \
