|
1 | 1 | FROM --platform=linux/loong64 loongarch64/alpine:3.21 |
2 | 2 |
|
3 | | -ENV NGINX_VERSION=1.29.5 |
| 3 | +ENV NGINX_VERSION=1.29.8 |
4 | 4 | ENV LIBRESSL_VERSION=4.2.1 |
5 | 5 |
|
6 | 6 | # ----------------------------------------------------------------------------- |
@@ -108,33 +108,27 @@ RUN set -eux \ |
108 | 108 | && GPG_KEYS="43387825DDB1BB97EC36BA5D007C8D7C15D87369 A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5" \ |
109 | 109 | && GNUPGHOME="$(mktemp -d)" \ |
110 | 110 | && export GNUPGHOME \ |
111 | | - && found="" \ |
112 | 111 | && for server in \ |
113 | 112 | hkps://keys.openpgp.org \ |
114 | 113 | hkps://keyserver.ubuntu.com \ |
115 | 114 | hkp://ha.pool.sks-keyservers.net:80 \ |
116 | 115 | hkp://pgp.mit.edu:80 \ |
117 | 116 | ; do \ |
118 | 117 | echo "Fetching nginx GPG keys from ${server}"; \ |
119 | | - for key in ${GPG_KEYS}; do \ |
120 | | - gpg --keyserver "${server}" \ |
121 | | - --keyserver-options timeout=10 \ |
122 | | - --recv-keys "${key}" 2>/dev/null \ |
123 | | - && found=yes \ |
124 | | - || true; \ |
125 | | - done; \ |
126 | | - test "${found}" = yes && break || true; \ |
| 118 | + gpg --keyserver "${server}" \ |
| 119 | + --keyserver-options timeout=10 \ |
| 120 | + --recv-keys ${GPG_KEYS} 2>/dev/null \ |
| 121 | + && break || true; \ |
| 122 | + done \ |
| 123 | + \ |
| 124 | + # -- GPG: per-key fallback — always import NGINX key directly ------------- |
| 125 | + && curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --import \ |
| 126 | + \ |
| 127 | + # -- GPG: verify every required key is present in the keyring ------------- |
| 128 | + && for key in ${GPG_KEYS}; do \ |
| 129 | + gpg --list-keys "${key}" > /dev/null 2>&1 \ |
| 130 | + || { echo >&2 "ERROR: GPG key ${key} could not be fetched"; exit 1; }; \ |
127 | 131 | done \ |
128 | | - && if [ -z "${found}" ]; then \ |
129 | | - echo "Falling back to nginx.org key download"; \ |
130 | | - curl -fsSL https://nginx.org/keys/nginx_signing.key -o nginx_signing.key \ |
131 | | - && gpg --import nginx_signing.key \ |
132 | | - && found=yes \ |
133 | | - || true; \ |
134 | | - rm -f nginx_signing.key; \ |
135 | | - fi \ |
136 | | - && test "${found}" = yes \ |
137 | | - || { echo >&2 "ERROR: failed to fetch nginx GPG keys"; exit 1; } \ |
138 | 132 | \ |
139 | 133 | # -- Verify signatures ----------------------------------------------------- |
140 | 134 | && { gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \ |
|
0 commit comments