Skip to content

Commit 14fc2b5

Browse files
committed
1 parent 7912446 commit 14fc2b5

6 files changed

Lines changed: 84 additions & 120 deletions

File tree

mainline/Dockerfile

Lines changed: 14 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
FROM alpine:latest
22

3-
ENV NGINX_VERSION=1.29.5
3+
ENV NGINX_VERSION=1.29.8
44
ENV LIBRESSL_VERSION=4.2.1
55

66
# -----------------------------------------------------------------------------
@@ -108,33 +108,27 @@ RUN set -eux \
108108
&& GPG_KEYS="43387825DDB1BB97EC36BA5D007C8D7C15D87369 A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5" \
109109
&& GNUPGHOME="$(mktemp -d)" \
110110
&& export GNUPGHOME \
111-
&& found="" \
112111
&& for server in \
113112
hkps://keys.openpgp.org \
114113
hkps://keyserver.ubuntu.com \
115114
hkp://ha.pool.sks-keyservers.net:80 \
116115
hkp://pgp.mit.edu:80 \
117116
; do \
118117
echo "Fetching nginx GPG keys from ${server}"; \
119-
for key in ${GPG_KEYS}; do \
120-
gpg --keyserver "${server}" \
121-
--keyserver-options timeout=10 \
122-
--recv-keys "${key}" 2>/dev/null \
123-
&& found=yes \
124-
|| true; \
125-
done; \
126-
test "${found}" = yes && break || true; \
118+
gpg --keyserver "${server}" \
119+
--keyserver-options timeout=10 \
120+
--recv-keys ${GPG_KEYS} 2>/dev/null \
121+
&& break || true; \
122+
done \
123+
\
124+
# -- GPG: per-key fallback — always import NGINX key directly -------------
125+
&& curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --import \
126+
\
127+
# -- GPG: verify every required key is present in the keyring -------------
128+
&& for key in ${GPG_KEYS}; do \
129+
gpg --list-keys "${key}" > /dev/null 2>&1 \
130+
|| { echo >&2 "ERROR: GPG key ${key} could not be fetched"; exit 1; }; \
127131
done \
128-
&& if [ -z "${found}" ]; then \
129-
echo "Falling back to nginx.org key download"; \
130-
curl -fsSL https://nginx.org/keys/nginx_signing.key -o nginx_signing.key \
131-
&& gpg --import nginx_signing.key \
132-
&& found=yes \
133-
|| true; \
134-
rm -f nginx_signing.key; \
135-
fi \
136-
&& test "${found}" = yes \
137-
|| { echo >&2 "ERROR: failed to fetch nginx GPG keys"; exit 1; } \
138132
\
139133
# -- Verify signatures -----------------------------------------------------
140134
&& { gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \

mainline/Dockerfile.loongarch64

Lines changed: 14 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
FROM --platform=linux/loong64 loongarch64/alpine:3.21
22

3-
ENV NGINX_VERSION=1.29.5
3+
ENV NGINX_VERSION=1.29.8
44
ENV LIBRESSL_VERSION=4.2.1
55

66
# -----------------------------------------------------------------------------
@@ -108,33 +108,27 @@ RUN set -eux \
108108
&& GPG_KEYS="43387825DDB1BB97EC36BA5D007C8D7C15D87369 A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5" \
109109
&& GNUPGHOME="$(mktemp -d)" \
110110
&& export GNUPGHOME \
111-
&& found="" \
112111
&& for server in \
113112
hkps://keys.openpgp.org \
114113
hkps://keyserver.ubuntu.com \
115114
hkp://ha.pool.sks-keyservers.net:80 \
116115
hkp://pgp.mit.edu:80 \
117116
; do \
118117
echo "Fetching nginx GPG keys from ${server}"; \
119-
for key in ${GPG_KEYS}; do \
120-
gpg --keyserver "${server}" \
121-
--keyserver-options timeout=10 \
122-
--recv-keys "${key}" 2>/dev/null \
123-
&& found=yes \
124-
|| true; \
125-
done; \
126-
test "${found}" = yes && break || true; \
118+
gpg --keyserver "${server}" \
119+
--keyserver-options timeout=10 \
120+
--recv-keys ${GPG_KEYS} 2>/dev/null \
121+
&& break || true; \
122+
done \
123+
\
124+
# -- GPG: per-key fallback — always import NGINX key directly -------------
125+
&& curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --import \
126+
\
127+
# -- GPG: verify every required key is present in the keyring -------------
128+
&& for key in ${GPG_KEYS}; do \
129+
gpg --list-keys "${key}" > /dev/null 2>&1 \
130+
|| { echo >&2 "ERROR: GPG key ${key} could not be fetched"; exit 1; }; \
127131
done \
128-
&& if [ -z "${found}" ]; then \
129-
echo "Falling back to nginx.org key download"; \
130-
curl -fsSL https://nginx.org/keys/nginx_signing.key -o nginx_signing.key \
131-
&& gpg --import nginx_signing.key \
132-
&& found=yes \
133-
|| true; \
134-
rm -f nginx_signing.key; \
135-
fi \
136-
&& test "${found}" = yes \
137-
|| { echo >&2 "ERROR: failed to fetch nginx GPG keys"; exit 1; } \
138132
\
139133
# -- Verify signatures -----------------------------------------------------
140134
&& { gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \

mainline/Dockerfile.mips64le

Lines changed: 14 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
FROM --platform=linux/mips64le alpine:3.14
22

3-
ENV NGINX_VERSION=1.29.5
3+
ENV NGINX_VERSION=1.29.8
44
ENV LIBRESSL_VERSION=4.2.1
55

66
# -----------------------------------------------------------------------------
@@ -108,33 +108,27 @@ RUN set -eux \
108108
&& GPG_KEYS="43387825DDB1BB97EC36BA5D007C8D7C15D87369 A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5" \
109109
&& GNUPGHOME="$(mktemp -d)" \
110110
&& export GNUPGHOME \
111-
&& found="" \
112111
&& for server in \
113112
hkps://keys.openpgp.org \
114113
hkps://keyserver.ubuntu.com \
115114
hkp://ha.pool.sks-keyservers.net:80 \
116115
hkp://pgp.mit.edu:80 \
117116
; do \
118117
echo "Fetching nginx GPG keys from ${server}"; \
119-
for key in ${GPG_KEYS}; do \
120-
gpg --keyserver "${server}" \
121-
--keyserver-options timeout=10 \
122-
--recv-keys "${key}" 2>/dev/null \
123-
&& found=yes \
124-
|| true; \
125-
done; \
126-
test "${found}" = yes && break || true; \
118+
gpg --keyserver "${server}" \
119+
--keyserver-options timeout=10 \
120+
--recv-keys ${GPG_KEYS} 2>/dev/null \
121+
&& break || true; \
122+
done \
123+
\
124+
# -- GPG: per-key fallback — always import NGINX key directly -------------
125+
&& curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --import \
126+
\
127+
# -- GPG: verify every required key is present in the keyring -------------
128+
&& for key in ${GPG_KEYS}; do \
129+
gpg --list-keys "${key}" > /dev/null 2>&1 \
130+
|| { echo >&2 "ERROR: GPG key ${key} could not be fetched"; exit 1; }; \
127131
done \
128-
&& if [ -z "${found}" ]; then \
129-
echo "Falling back to nginx.org key download"; \
130-
curl -fsSL https://nginx.org/keys/nginx_signing.key -o nginx_signing.key \
131-
&& gpg --import nginx_signing.key \
132-
&& found=yes \
133-
|| true; \
134-
rm -f nginx_signing.key; \
135-
fi \
136-
&& test "${found}" = yes \
137-
|| { echo >&2 "ERROR: failed to fetch nginx GPG keys"; exit 1; } \
138132
\
139133
# -- Verify signatures -----------------------------------------------------
140134
&& { gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \

stable/Dockerfile

Lines changed: 14 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
FROM alpine:latest
22

3-
ENV NGINX_VERSION=1.28.2
3+
ENV NGINX_VERSION=1.28.3
44
ENV LIBRESSL_VERSION=4.2.1
55

66
# -----------------------------------------------------------------------------
@@ -108,33 +108,27 @@ RUN set -eux \
108108
&& GPG_KEYS="43387825DDB1BB97EC36BA5D007C8D7C15D87369 A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5" \
109109
&& GNUPGHOME="$(mktemp -d)" \
110110
&& export GNUPGHOME \
111-
&& found="" \
112111
&& for server in \
113112
hkps://keys.openpgp.org \
114113
hkps://keyserver.ubuntu.com \
115114
hkp://ha.pool.sks-keyservers.net:80 \
116115
hkp://pgp.mit.edu:80 \
117116
; do \
118117
echo "Fetching nginx GPG keys from ${server}"; \
119-
for key in ${GPG_KEYS}; do \
120-
gpg --keyserver "${server}" \
121-
--keyserver-options timeout=10 \
122-
--recv-keys "${key}" 2>/dev/null \
123-
&& found=yes \
124-
|| true; \
125-
done; \
126-
test "${found}" = yes && break || true; \
118+
gpg --keyserver "${server}" \
119+
--keyserver-options timeout=10 \
120+
--recv-keys ${GPG_KEYS} 2>/dev/null \
121+
&& break || true; \
122+
done \
123+
\
124+
# -- GPG: per-key fallback — always import NGINX key directly -------------
125+
&& curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --import \
126+
\
127+
# -- GPG: verify every required key is present in the keyring -------------
128+
&& for key in ${GPG_KEYS}; do \
129+
gpg --list-keys "${key}" > /dev/null 2>&1 \
130+
|| { echo >&2 "ERROR: GPG key ${key} could not be fetched"; exit 1; }; \
127131
done \
128-
&& if [ -z "${found}" ]; then \
129-
echo "Falling back to nginx.org key download"; \
130-
curl -fsSL https://nginx.org/keys/nginx_signing.key -o nginx_signing.key \
131-
&& gpg --import nginx_signing.key \
132-
&& found=yes \
133-
|| true; \
134-
rm -f nginx_signing.key; \
135-
fi \
136-
&& test "${found}" = yes \
137-
|| { echo >&2 "ERROR: failed to fetch nginx GPG keys"; exit 1; } \
138132
\
139133
# -- Verify signatures -----------------------------------------------------
140134
&& { gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \

stable/Dockerfile.loongarch64

Lines changed: 14 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
FROM --platform=linux/loong64 loongarch64/alpine:3.21
22

3-
ENV NGINX_VERSION=1.28.2
3+
ENV NGINX_VERSION=1.28.3
44
ENV LIBRESSL_VERSION=4.2.1
55

66
# -----------------------------------------------------------------------------
@@ -108,33 +108,27 @@ RUN set -eux \
108108
&& GPG_KEYS="43387825DDB1BB97EC36BA5D007C8D7C15D87369 A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5" \
109109
&& GNUPGHOME="$(mktemp -d)" \
110110
&& export GNUPGHOME \
111-
&& found="" \
112111
&& for server in \
113112
hkps://keys.openpgp.org \
114113
hkps://keyserver.ubuntu.com \
115114
hkp://ha.pool.sks-keyservers.net:80 \
116115
hkp://pgp.mit.edu:80 \
117116
; do \
118117
echo "Fetching nginx GPG keys from ${server}"; \
119-
for key in ${GPG_KEYS}; do \
120-
gpg --keyserver "${server}" \
121-
--keyserver-options timeout=10 \
122-
--recv-keys "${key}" 2>/dev/null \
123-
&& found=yes \
124-
|| true; \
125-
done; \
126-
test "${found}" = yes && break || true; \
118+
gpg --keyserver "${server}" \
119+
--keyserver-options timeout=10 \
120+
--recv-keys ${GPG_KEYS} 2>/dev/null \
121+
&& break || true; \
122+
done \
123+
\
124+
# -- GPG: per-key fallback — always import NGINX key directly -------------
125+
&& curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --import \
126+
\
127+
# -- GPG: verify every required key is present in the keyring -------------
128+
&& for key in ${GPG_KEYS}; do \
129+
gpg --list-keys "${key}" > /dev/null 2>&1 \
130+
|| { echo >&2 "ERROR: GPG key ${key} could not be fetched"; exit 1; }; \
127131
done \
128-
&& if [ -z "${found}" ]; then \
129-
echo "Falling back to nginx.org key download"; \
130-
curl -fsSL https://nginx.org/keys/nginx_signing.key -o nginx_signing.key \
131-
&& gpg --import nginx_signing.key \
132-
&& found=yes \
133-
|| true; \
134-
rm -f nginx_signing.key; \
135-
fi \
136-
&& test "${found}" = yes \
137-
|| { echo >&2 "ERROR: failed to fetch nginx GPG keys"; exit 1; } \
138132
\
139133
# -- Verify signatures -----------------------------------------------------
140134
&& { gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \

stable/Dockerfile.mips64le

Lines changed: 14 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
FROM --platform=linux/mips64le alpine:3.14
22

3-
ENV NGINX_VERSION=1.28.2
3+
ENV NGINX_VERSION=1.28.3
44
ENV LIBRESSL_VERSION=4.2.1
55

66
# -----------------------------------------------------------------------------
@@ -108,33 +108,27 @@ RUN set -eux \
108108
&& GPG_KEYS="43387825DDB1BB97EC36BA5D007C8D7C15D87369 A1EB079B8D3EB92B4EBD3139663AF51BD5E4D8D5" \
109109
&& GNUPGHOME="$(mktemp -d)" \
110110
&& export GNUPGHOME \
111-
&& found="" \
112111
&& for server in \
113112
hkps://keys.openpgp.org \
114113
hkps://keyserver.ubuntu.com \
115114
hkp://ha.pool.sks-keyservers.net:80 \
116115
hkp://pgp.mit.edu:80 \
117116
; do \
118117
echo "Fetching nginx GPG keys from ${server}"; \
119-
for key in ${GPG_KEYS}; do \
120-
gpg --keyserver "${server}" \
121-
--keyserver-options timeout=10 \
122-
--recv-keys "${key}" 2>/dev/null \
123-
&& found=yes \
124-
|| true; \
125-
done; \
126-
test "${found}" = yes && break || true; \
118+
gpg --keyserver "${server}" \
119+
--keyserver-options timeout=10 \
120+
--recv-keys ${GPG_KEYS} 2>/dev/null \
121+
&& break || true; \
122+
done \
123+
\
124+
# -- GPG: per-key fallback — always import NGINX key directly -------------
125+
&& curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --import \
126+
\
127+
# -- GPG: verify every required key is present in the keyring -------------
128+
&& for key in ${GPG_KEYS}; do \
129+
gpg --list-keys "${key}" > /dev/null 2>&1 \
130+
|| { echo >&2 "ERROR: GPG key ${key} could not be fetched"; exit 1; }; \
127131
done \
128-
&& if [ -z "${found}" ]; then \
129-
echo "Falling back to nginx.org key download"; \
130-
curl -fsSL https://nginx.org/keys/nginx_signing.key -o nginx_signing.key \
131-
&& gpg --import nginx_signing.key \
132-
&& found=yes \
133-
|| true; \
134-
rm -f nginx_signing.key; \
135-
fi \
136-
&& test "${found}" = yes \
137-
|| { echo >&2 "ERROR: failed to fetch nginx GPG keys"; exit 1; } \
138132
\
139133
# -- Verify signatures -----------------------------------------------------
140134
&& { gpg --batch --verify nginx.tar.gz.asc nginx.tar.gz \

0 commit comments

Comments
 (0)