From 4afbe061ef1dc5f5fea3971ad9fcf8f0c796b91c Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Fri, 11 Feb 2022 10:36:16 -0800
Subject: [PATCH] Switch from apt-key/trusted.gpg(.d) to signed-by
---
 5.7/Dockerfile.debian | 8 ++++----
 8.0/Dockerfile.debian | 8 ++++----
 template/Dockerfile.debian | 8 ++++----
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/5.7/Dockerfile.debian b/5.7/Dockerfile.debian
index 170e10730..e206506dd 100644
--- a/5.7/Dockerfile.debian
+++ b/5.7/Dockerfile.debian
@@ -56,15 +56,15 @@ RUN set -ex; \
 key='859BE8D7C586F538430B19C2467B942D3A79BD29'; \
 export GNUPGHOME="$(mktemp -d)"; \
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
- gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/mysql.gpg; \
+ mkdir -p /etc/apt/keyrings; \
+ gpg --batch --export "$key" > /etc/apt/keyrings/mysql.gpg; \
 gpgconf --kill all; \
- rm -rf "$GNUPGHOME"; \
- apt-key list > /dev/null
+ rm -rf "$GNUPGHOME"
 ENV MYSQL_MAJOR 5.7
 ENV MYSQL_VERSION 5.7.37-1debian10
-RUN echo 'deb http://repo.mysql.com/apt/debian/ buster mysql-5.7' > /etc/apt/sources.list.d/mysql.list
+RUN echo 'deb [ signed-by=/etc/apt/keyrings/mysql.gpg ] http://repo.mysql.com/apt/debian/ buster mysql-5.7' > /etc/apt/sources.list.d/mysql.list
 # the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql)
 # also, we set debconf keys to make APT a little quieter
diff --git a/8.0/Dockerfile.debian b/8.0/Dockerfile.debian
index 18912ef4e..a00985002 100644
--- a/8.0/Dockerfile.debian
+++ b/8.0/Dockerfile.debian
@@ -56,15 +56,15 @@ RUN set -ex; \
 key='859BE8D7C586F538430B19C2467B942D3A79BD29'; \
 export GNUPGHOME="$(mktemp -d)"; \
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
- gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/mysql.gpg; \
+ mkdir -p /etc/apt/keyrings; \
+ gpg --batch --export "$key" > /etc/apt/keyrings/mysql.gpg; \
 gpgconf --kill all; \
- rm -rf "$GNUPGHOME"; \
- apt-key list > /dev/null
+ rm -rf "$GNUPGHOME"
 ENV MYSQL_MAJOR 8.0
 ENV MYSQL_VERSION 8.0.28-1debian10
-RUN echo 'deb http://repo.mysql.com/apt/debian/ buster mysql-8.0' > /etc/apt/sources.list.d/mysql.list
+RUN echo 'deb [ signed-by=/etc/apt/keyrings/mysql.gpg ] http://repo.mysql.com/apt/debian/ buster mysql-8.0' > /etc/apt/sources.list.d/mysql.list
 # the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql)
 # also, we set debconf keys to make APT a little quieter
diff --git a/template/Dockerfile.debian b/template/Dockerfile.debian
index a8602095b..c4d12156a 100644
--- a/template/Dockerfile.debian
+++ b/template/Dockerfile.debian
@@ -50,15 +50,15 @@ RUN set -ex; \
 key='859BE8D7C586F538430B19C2467B942D3A79BD29'; \
 export GNUPGHOME="$(mktemp -d)"; \
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
- gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/mysql.gpg; \
+ mkdir -p /etc/apt/keyrings; \
+ gpg --batch --export "$key" > /etc/apt/keyrings/mysql.gpg; \
 gpgconf --kill all; \
- rm -rf "$GNUPGHOME"; \
- apt-key list > /dev/null
+ rm -rf "$GNUPGHOME"
 ENV MYSQL_MAJOR {{ env.version }}
 ENV MYSQL_VERSION {{ .debian.version }}
-RUN echo 'deb http://repo.mysql.com/apt/debian/ {{ .debian.suite }} mysql-{{ env.version }}' > /etc/apt/sources.list.d/mysql.list
+RUN echo 'deb [ signed-by=/etc/apt/keyrings/mysql.gpg ] http://repo.mysql.com/apt/debian/ {{ .debian.suite }} mysql-{{ env.version }}' > /etc/apt/sources.list.d/mysql.list
 # the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql)
 # also, we set debconf keys to make APT a little quieter
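Review bot: The rewritten `/etc/apt/sources.list.d/mysql.list` entry still fetches over plain `http://`, so while `signed-by` now limits which key may vouch for this repository, the transport itself is unauthenticated: anyone on the path can see what is requested and can withhold or replay older, validly signed metadata for as long as apt accepts it. If the repository serves the same tree over TLS and the base image ships CA certificates (neither is visible in this hunk), the line could read `deb [ signed-by=/etc/apt/keyrings/mysql.gpg ] https://repo.mysql.com/apt/debian/ {{ .debian.suite }} mysql-{{ env.version }}`. The same line appears in the 5.7 and 8.0 sections, which look rendered from this template, so the change belongs here. The `apt-get update` that consumes this entry is outside the hunk, so it is worth confirming there that a signature failure aborts the build.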