diff --git a/20/alpine3.22/Dockerfile b/20/alpine3.22/Dockerfile index ce2f9515a5..5f243eaa0c 100644 --- a/20/alpine3.22/Dockerfile +++ b/20/alpine3.22/Dockerfile @@ -31,32 +31,17 @@ RUN addgroup -g 1000 node \ binutils-gold \ g++ \ gcc \ - gnupg \ + gpgv \ libgcc \ linux-headers \ make \ python3 \ py-setuptools \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xf "node-v$NODE_VERSION.tar.xz" \ 
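Review bot: The pinned `nodejs/release-keys` commit and the SHA-256 of `pubring.kbx` on the added `curl … | sha256sum -c` line are bare literals, and this hunk removes the two comments that said where the trusted keys come from. A comment above that line would tell the next maintainer what the two values are and that they change together, for example `# Node.js release keyring, pinned by commit; update the sha256 whenever the commit changes`. The same line is added without a comment in every other Dockerfile in this diff. The RUN instruction starts before and ends after the hunk.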
@@ -67,7 +52,7 @@ RUN addgroup -g 1000 node \ && apk del .build-deps-full \ && cd .. \ && rm -Rf "node-v$NODE_VERSION" \ - && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ + && rm "node-v$NODE_VERSION.tar.xz"; \ fi \ && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 diff --git a/20/alpine3.23/Dockerfile b/20/alpine3.23/Dockerfile index 4591342dba..7ef9d75a7e 100644 --- a/20/alpine3.23/Dockerfile +++ b/20/alpine3.23/Dockerfile 
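Review bot: `SHASUMS256.txt.asc` and `SHASUMS256.txt` are no longer deleted, because the new `rm "node-v$NODE_VERSION.tar.xz";` drops them while the first hunk of this file still downloads the `.asc` into the working directory and has gpgv write `SHASUMS256.txt` next to it, outside `$GNUPGHOME`. Unless something outside the hunk removes them, both files stay in the image layer. Keeping them on the line restores the cleanup: `&& rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \`. The same applies to the second hunk of the other alpine files and to the final `rm` in each Debian hunk.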
@@ -31,32 +31,17 @@ RUN addgroup -g 1000 node \ binutils-gold \ g++ \ gcc \ - gnupg \ + gpgv \ libgcc \ linux-headers \ make \ python3 \ py-setuptools \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xf "node-v$NODE_VERSION.tar.xz" \ 
@@ -67,7 +52,7 @@ RUN addgroup -g 1000 node \ && apk del .build-deps-full \ && cd .. \ && rm -Rf "node-v$NODE_VERSION" \ - && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ + && rm "node-v$NODE_VERSION.tar.xz"; \ fi \ && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 diff --git a/20/bookworm-slim/Dockerfile b/20/bookworm-slim/Dockerfile index 4796485e86..ebea91709b 100644 --- a/20/bookworm-slim/Dockerfile +++ b/20/bookworm-slim/Dockerfile 
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/20/bookworm/Dockerfile b/20/bookworm/Dockerfile index 14b106c513..eae9f4ff51 100644 --- a/20/bookworm/Dockerfile +++ b/20/bookworm/Dockerfile 
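Review bot: `dirmngr` is still on the `apt-get install` line although the keyserver lookups that needed it are removed in this hunk; gpgv checks the signature against the local `pubring.kbx`, and nothing else in the visible lines contacts a keyserver. Dropping it gives `apt-get install -y ca-certificates curl wget gpgv xz-utils libatomic1 --no-install-recommends`, one package fewer to fetch during the build. The same line appears in the 20/bullseye-slim, 20/trixie-slim, 22/bookworm-slim and 22/bullseye-slim hunks. The RUN instruction continues outside the hunk, so a later use of dirmngr there cannot be ruled out from here.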
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/20/bullseye-slim/Dockerfile b/20/bullseye-slim/Dockerfile index 5fb961d790..fecaff3947 100644 --- a/20/bullseye-slim/Dockerfile +++ b/20/bullseye-slim/Dockerfile 
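Review bot: The added `&& command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \` is not grouped, and `&&` and `||` bind equally from left to right, so a failure of any earlier command in the chain (for example `dpkg --print-architecture`) also lands in the `apt-get` branch and the chain then carries on instead of stopping. The install also lacks `-y`, so apt aborts in a non-interactive build as soon as it has to ask for confirmation, and the package lists it fetches are left in the layer. Suggested: `&& { command -v gpgv >/dev/null || (apt-get update && apt-get install -y --no-install-recommends gpgv && rm -rf /var/lib/apt/lists/*); } \`. The same line is added in the 20/bullseye, 20/trixie, 22/bookworm and 22/bullseye hunks; the RUN instruction begins before and ends after each hunk.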
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/20/bullseye/Dockerfile b/20/bullseye/Dockerfile index ec4dc79ef0..e7f6806697 100644 --- a/20/bullseye/Dockerfile +++ b/20/bullseye/Dockerfile 
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/20/trixie-slim/Dockerfile b/20/trixie-slim/Dockerfile index 3991f1bf48..3896974ebd 100644 --- a/20/trixie-slim/Dockerfile +++ b/20/trixie-slim/Dockerfile 
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/20/trixie/Dockerfile b/20/trixie/Dockerfile index dd5e4d4d22..094f6f2ee4 100644 --- a/20/trixie/Dockerfile +++ b/20/trixie/Dockerfile 
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/22/alpine3.22/Dockerfile b/22/alpine3.22/Dockerfile index f9c5846d99..4c8d0330a8 100644 --- a/22/alpine3.22/Dockerfile +++ b/22/alpine3.22/Dockerfile 
@@ -31,32 +31,17 @@ RUN addgroup -g 1000 node \ binutils-gold \ g++ \ gcc \ - gnupg \ + gpgv \ libgcc \ linux-headers \ make \ python3 \ py-setuptools \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xf "node-v$NODE_VERSION.tar.xz" \ 
@@ -67,7 +52,7 @@ RUN addgroup -g 1000 node \ && apk del .build-deps-full \ && cd .. \ && rm -Rf "node-v$NODE_VERSION" \ - && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ + && rm "node-v$NODE_VERSION.tar.xz"; \ fi \ && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 diff --git a/22/alpine3.23/Dockerfile b/22/alpine3.23/Dockerfile index 293d8c7c30..8b38f43bbd 100644 --- a/22/alpine3.23/Dockerfile +++ b/22/alpine3.23/Dockerfile 
@@ -31,32 +31,17 @@ RUN addgroup -g 1000 node \ binutils-gold \ g++ \ gcc \ - gnupg \ + gpgv \ libgcc \ linux-headers \ make \ python3 \ py-setuptools \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xf "node-v$NODE_VERSION.tar.xz" \ 
@@ -67,7 +52,7 @@ RUN addgroup -g 1000 node \ && apk del .build-deps-full \ && cd .. \ && rm -Rf "node-v$NODE_VERSION" \ - && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ + && rm "node-v$NODE_VERSION.tar.xz"; \ fi \ && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 diff --git a/22/bookworm-slim/Dockerfile b/22/bookworm-slim/Dockerfile index d8c4a53d81..b4378e7ae7 100644 --- a/22/bookworm-slim/Dockerfile +++ b/22/bookworm-slim/Dockerfile 
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/22/bookworm/Dockerfile b/22/bookworm/Dockerfile index d6cb74abca..9bb1efbacb 100644 --- a/22/bookworm/Dockerfile +++ b/22/bookworm/Dockerfile 
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/22/bullseye-slim/Dockerfile b/22/bullseye-slim/Dockerfile index d7b688cf5c..d50eab766c 100644 --- a/22/bullseye-slim/Dockerfile +++ b/22/bullseye-slim/Dockerfile 
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/22/bullseye/Dockerfile b/22/bullseye/Dockerfile index 35ff71100c..ffe7c7c1ae 100644 --- a/22/bullseye/Dockerfile +++ b/22/bullseye/Dockerfile 
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/22/trixie-slim/Dockerfile b/22/trixie-slim/Dockerfile index 53d01a7693..dedc4b2640 100644 --- a/22/trixie-slim/Dockerfile +++ b/22/trixie-slim/Dockerfile 
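Review bot: In the added `command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv)` line, `&&` and `||` have equal precedence in sh, so the fallback runs when anything earlier in the chain fails, not only when gpgv is missing, and the build then carries on. The fallback also omits `-y`, so apt can stop at a confirmation prompt in a non-interactive build, and it leaves `/var/lib/apt/lists` behind. Grouping makes the intent explicit: `&& { command -v gpgv >/dev/null || { apt-get update && apt-get install -y --no-install-recommends gpgv && rm -rf /var/lib/apt/lists/*; }; } \`. The same line is added in the 22/trixie, 24/bookworm, 24/bullseye and 24/trixie hunks; the RUN instruction starts and ends outside the hunk.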
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/22/trixie/Dockerfile b/22/trixie/Dockerfile index 00da38d119..5705c5ede3 100644 --- a/22/trixie/Dockerfile +++ b/22/trixie/Dockerfile 
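Review bot: `dirmngr` is still in the `apt-get install` list on the changed line, although this hunk removes the `gpg --recv-keys` keyserver lookups, which look like its only use here. Unless something outside the hunk needs it, dropping it keeps the build dependency set minimal: `&& apt-get update && apt-get install -y ca-certificates curl wget gpgv xz-utils libatomic1 --no-install-recommends \`. The other `-slim` hunks in this diff carry the same install line.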
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/24/alpine3.22/Dockerfile b/24/alpine3.22/Dockerfile index 85604ff238..c3b8ea4f6a 100644 --- a/24/alpine3.22/Dockerfile +++ b/24/alpine3.22/Dockerfile 
@@ -31,32 +31,17 @@ RUN addgroup -g 1000 node \ binutils-gold \ g++ \ gcc \ - gnupg \ + gpgv \ libgcc \ linux-headers \ make \ python3 \ py-setuptools \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xf "node-v$NODE_VERSION.tar.xz" \ 
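Review bot: The added `pubring.kbx` download line has no comment, while the hunk removes both comments that explained where the release keys came from. gpgv treats every key in the keyring it is given as trusted, so the pinned commit and SHA-256 are now the whole trust anchor for the Node.js download, and a maintainer should be told so. I would add above the download: `# release keyring from nodejs/release-keys, pinned by commit and SHA-256; gpgv trusts every key in it, so update both values together when release keys change`. The same applies to every other Dockerfile touched by this diff; the RUN instruction starts and ends outside the hunk.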
@@ -67,7 +52,7 @@ RUN addgroup -g 1000 node \ && apk del .build-deps-full \ && cd .. \ && rm -Rf "node-v$NODE_VERSION" \ - && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ + && rm "node-v$NODE_VERSION.tar.xz"; \ fi \ && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 diff --git a/24/alpine3.23/Dockerfile b/24/alpine3.23/Dockerfile index 0416a5e2c3..af95d0b96e 100644 --- a/24/alpine3.23/Dockerfile +++ b/24/alpine3.23/Dockerfile 
@@ -31,32 +31,17 @@ RUN addgroup -g 1000 node \ binutils-gold \ g++ \ gcc \ - gnupg \ + gpgv \ libgcc \ linux-headers \ make \ python3 \ py-setuptools \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xf "node-v$NODE_VERSION.tar.xz" \ 
@@ -67,7 +52,7 @@ RUN addgroup -g 1000 node \ && apk del .build-deps-full \ && cd .. \ && rm -Rf "node-v$NODE_VERSION" \ - && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ + && rm "node-v$NODE_VERSION.tar.xz"; \ fi \ && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 diff --git a/24/bookworm-slim/Dockerfile b/24/bookworm-slim/Dockerfile index 52861d03ba..c3a137dd88 100644 --- a/24/bookworm-slim/Dockerfile +++ b/24/bookworm-slim/Dockerfile 
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/24/bookworm/Dockerfile b/24/bookworm/Dockerfile index 858134c23b..7ba2ec4a13 100644 --- a/24/bookworm/Dockerfile +++ b/24/bookworm/Dockerfile 
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/24/bullseye-slim/Dockerfile b/24/bullseye-slim/Dockerfile index b3c55a3148..acc2298af0 100644 --- a/24/bullseye-slim/Dockerfile +++ b/24/bullseye-slim/Dockerfile 
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/24/bullseye/Dockerfile b/24/bullseye/Dockerfile index 2388641433..eb7ce7cdf6 100644 --- a/24/bullseye/Dockerfile +++ b/24/bullseye/Dockerfile 
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/24/trixie-slim/Dockerfile b/24/trixie-slim/Dockerfile index 073f9e3493..5e97d5059b 100644 --- a/24/trixie-slim/Dockerfile +++ b/24/trixie-slim/Dockerfile 
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/24/trixie/Dockerfile b/24/trixie/Dockerfile index 6f5a1e3406..c55b0e765f 100644 --- a/24/trixie/Dockerfile +++ b/24/trixie/Dockerfile 
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/25/alpine3.22/Dockerfile b/25/alpine3.22/Dockerfile index b6cf89c1d4..9c5ec1253f 100644 --- a/25/alpine3.22/Dockerfile +++ b/25/alpine3.22/Dockerfile 
@@ -31,32 +31,17 @@ RUN addgroup -g 1000 node \ binutils-gold \ g++ \ gcc \ - gnupg \ + gpgv \ libgcc \ linux-headers \ make \ python3 \ py-setuptools \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xf "node-v$NODE_VERSION.tar.xz" \ 
@@ -67,7 +52,7 @@ RUN addgroup -g 1000 node \ && apk del .build-deps-full \ && cd .. \ && rm -Rf "node-v$NODE_VERSION" \ - && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ + && rm "node-v$NODE_VERSION.tar.xz"; \ fi \ && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 diff --git a/25/alpine3.23/Dockerfile b/25/alpine3.23/Dockerfile index 46fa17bab5..b63b4e6492 100644 --- a/25/alpine3.23/Dockerfile +++ b/25/alpine3.23/Dockerfile 
@@ -31,32 +31,17 @@ RUN addgroup -g 1000 node \ binutils-gold \ g++ \ gcc \ - gnupg \ + gpgv \ libgcc \ linux-headers \ make \ python3 \ py-setuptools \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xf "node-v$NODE_VERSION.tar.xz" \ 
@@ -67,7 +52,7 @@ RUN addgroup -g 1000 node \ && apk del .build-deps-full \ && cd .. \ && rm -Rf "node-v$NODE_VERSION" \ - && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ + && rm "node-v$NODE_VERSION.tar.xz"; \ fi \ && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 diff --git a/25/bookworm-slim/Dockerfile b/25/bookworm-slim/Dockerfile index 10b2d35942..3ff5a9c849 100644 --- a/25/bookworm-slim/Dockerfile +++ b/25/bookworm-slim/Dockerfile 
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/25/bookworm/Dockerfile b/25/bookworm/Dockerfile index 7b64a83591..4fbcf7be14 100644 --- a/25/bookworm/Dockerfile +++ b/25/bookworm/Dockerfile 
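Review bot: `dirmngr` is still in the `apt-get install` list although the keyserver `--recv-keys` loop that needed it is removed and `gpgv` only verifies against the local `pubring.kbx`. If nothing later in this RUN uses it (the rest of the instruction is outside the hunk), drop it: `apt-get install -y ca-certificates curl wget gpgv xz-utils libatomic1 --no-install-recommends`. That keeps the build step to a verify-only tool with no key-fetching component installed. The same package list appears in 25/bullseye-slim, 25/trixie-slim and Dockerfile-slim.template.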
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/25/bullseye-slim/Dockerfile b/25/bullseye-slim/Dockerfile index 06d415868a..e0d9d0cb93 100644 --- a/25/bullseye-slim/Dockerfile +++ b/25/bullseye-slim/Dockerfile 
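Review bot: The added fallback `command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv)` sits ungrouped in the middle of the `&&` chain, so the `||` applies to everything before it: a failure of any earlier step also lands in the `apt-get` branch and the chain then carries on. The install also lacks `-y` and `--no-install-recommends` and leaves `/var/lib/apt/lists` in the layer; without `-y`, apt stops at the confirmation prompt in a non-interactive build whenever extra dependencies have to be pulled in. Suggested: `&& { command -v gpgv >/dev/null || { apt-get update && apt-get install -y --no-install-recommends gpgv && rm -rf /var/lib/apt/lists/*; }; } \`. The same line is added in 25/bullseye, 25/trixie and Dockerfile-debian.template. The RUN instruction starts and ends outside the hunk.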
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/25/bullseye/Dockerfile b/25/bullseye/Dockerfile index 48d2a213dc..66a75e9b9d 100644 --- a/25/bullseye/Dockerfile +++ b/25/bullseye/Dockerfile 
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/25/trixie-slim/Dockerfile b/25/trixie-slim/Dockerfile index 40c27db689..3c27d161c6 100644 --- a/25/trixie-slim/Dockerfile +++ b/25/trixie-slim/Dockerfile 
@@ -17,32 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " 
node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/25/trixie/Dockerfile b/25/trixie/Dockerfile index 5ee88b6973..43f2f7d18e 100644 --- a/25/trixie/Dockerfile +++ b/25/trixie/Dockerfile 
@@ -15,31 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 \ - DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \ - CC68F5A3106FF448322E48ED27F5E38D5B0A215F \ - 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \ - 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \ - C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \ - 108F52B48DB57BB0CC439B2997B01419BD92F80A \ - A363A499291CBBC940DD62E41F10027AF002F8B0 \ - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx" && echo "70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm 
"node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 6aef5bcf81..999b4032ba 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -31,25 +31,17 @@ RUN addgroup -g 1000 node \ binutils-gold \ g++ \ gcc \ - gnupg \ + gpgv \ libgcc \ linux-headers \ make \ python3 \ py-setuptools \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - "${NODE_KEYS[@]}" - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "${NODEJS_KEYRING_URL}" && echo "${NODEJS_KEYRING_HASH}" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xf "node-v$NODE_VERSION.tar.xz" \ 
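Review bot: In the Dockerfile-alpine.template hunk the commit removes both explanatory comments and leaves the keyring fetch undocumented, so a reader of the template cannot tell where `${NODEJS_KEYRING_URL}` and `${NODEJS_KEYRING_HASH}` come from or that the `sha256sum -c` check is what anchors trust in the downloaded `pubring.kbx`. Add a comment line above the fetch, e.g. `# Node.js release keyring, pinned by commit URL and sha256; values come from keys/nodejs.url and keys/nodejs.shasum (see update-keys.sh)`. The same applies to Dockerfile-debian.template and Dockerfile-slim.template.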
@@ -60,7 +52,7 @@ RUN addgroup -g 1000 node \ && apk del .build-deps-full \ && cd .. \ && rm -Rf "node-v$NODE_VERSION" \ - && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ + && rm "node-v$NODE_VERSION.tar.xz"; \ fi \ && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template index 411f949961..b9fb20d863 100644 --- a/Dockerfile-debian.template +++ b/Dockerfile-debian.template 
@@ -15,24 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \ i386) ARCH='x86';; \ *) echo "unsupported architecture"; exit 1 ;; \ esac \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys && set -ex \ - && for key in \ - "${NODE_KEYS[@]}" - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && command -v gpgv >/dev/null || (apt-get update && apt-get install gpgv) \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "${NODEJS_KEYRING_URL}" && echo "${NODEJS_KEYRING_HASH}" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && ln -s /usr/local/bin/node /usr/local/bin/nodejs \ # smoke tests && node --version \ diff --git a/Dockerfile-slim.template b/Dockerfile-slim.template index 2abec536cd..646c79b304 100644 --- a/Dockerfile-slim.template +++ b/Dockerfile-slim.template 
@@ -17,25 +17,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \ esac \ && set -ex \ # libatomic1 for arm - && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \ + && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \ && rm -rf /var/lib/apt/lists/* \ - # use pre-existing gpg directory, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150 && export GNUPGHOME="$(mktemp -d)" \ - # gpg keys listed at https://github.com/nodejs/node#release-keys - && for key in \ - "${NODE_KEYS[@]}" - ; do \ - { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \ - { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ - done \ + && (cd "$GNUPGHOME" && curl -fsSLO --compressed "${NODEJS_KEYRING_URL}" && echo "${NODEJS_KEYRING_HASH}" | sha256sum -c) \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \ - && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \ - && gpgconf --kill all \ + && gpgv --keyring="$GNUPGHOME/pubring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \ && rm -rf "$GNUPGHOME" \ && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \ && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \ - && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \ + && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \ # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451 && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! 
-name "$OPENSSL_ARCH" -exec rm -rf {} \; \ && apt-mark auto '.*' > /dev/null \ diff --git a/keys/node.keys b/keys/node.keys deleted file mode 100644 index c2406457ff..0000000000 --- a/keys/node.keys +++ /dev/null @@ -1,8 +0,0 @@ -5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 -DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 -CC68F5A3106FF448322E48ED27F5E38D5B0A215F -8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 -890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 -C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C -108F52B48DB57BB0CC439B2997B01419BD92F80A -A363A499291CBBC940DD62E41F10027AF002F8B0 diff --git a/keys/nodejs.shasum b/keys/nodejs.shasum new file mode 100644 index 0000000000..2c4f7a283c --- /dev/null +++ b/keys/nodejs.shasum @@ -0,0 +1 @@ +70da4cac9d0487c1776c66403d5f6fe79991f1ba34fae96416037de1950197e1 pubring.kbx diff --git a/keys/nodejs.url b/keys/nodejs.url new file mode 100644 index 0000000000..1d79bacfc3 --- /dev/null +++ b/keys/nodejs.url @@ -0,0 +1 @@ +https://raw.githubusercontent.com/nodejs/release-keys/7b6eb2d6ab524bb30487f31612cdbeb35ae37533/gpg-only-active-keys/pubring.kbx diff --git a/update-keys.sh b/update-keys.sh index b6fec15418..10af0f1677 100755 --- a/update-keys.sh +++ b/update-keys.sh @@ -1,3 +1,7 @@ #!/bin/sh -ex -curl -fsSLo- --compressed https://github.com/nodejs/node/raw/main/README.md | awk '/--recv-keys.*#/{ gsub(/^.*--recv-keys\s+/,"");gsub(/\s+#.*$/,""); print }' > keys/node.keys +KEYRING_URL=$(curl -fsIo /dev/null -w '%header{Location}' https://github.com/nodejs/release-keys/raw/HEAD/gpg-only-active-keys/pubring.kbx) +TMP_DIR=$(mktemp -d) +(cd "$TMP_DIR" && curl -fsSO "$KEYRING_URL" && sha256sum pubring.kbx) > keys/nodejs.shasum +echo "$KEYRING_URL" > keys/nodejs.url +rm -r "$TMP_DIR" diff --git a/update.sh b/update.sh index c30b6b3088..90591c3814 100755 --- a/update.sh +++ b/update.sh 
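Review bot: In update-keys.sh, `KEYRING_URL` is taken from the redirect's `Location` header and written to `keys/nodejs.url` without any check, and the `> keys/nodejs.shasum` redirection truncates the old pin before the download has succeeded. If the request returns no redirect the variable is empty, and whatever host the redirect names becomes the pinned source for every generated Dockerfile. Validate it before use, e.g. `case "$KEYRING_URL" in https://raw.githubusercontent.com/nodejs/release-keys/*) ;; *) echo "unexpected keyring URL: $KEYRING_URL" >&2; exit 1 ;; esac`, and write the checksum to a file inside `$TMP_DIR` that is moved to `keys/nodejs.shasum` only after `sha256sum` succeeds. Because the hash is computed from whatever was just downloaded, the resulting change to `keys/nodejs.shasum` still needs a human comparison against the release-keys repository.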
@@ -139,13 +139,15 @@ function update_node_version() { ' # Add GPG keys - for key_type in "node" "yarn"; do - while read -r line; do - pattern='"\$\{'$(echo "${key_type}" | tr '[:lower:]' '[:upper:]')'_KEYS\[@\]\}"' - sed -Ei -e "s/([ \\t]*)(${pattern})/\\1${line}${new_line}\\1\\2/" "${dockerfile}-tmp" - done < "keys/${key_type}.keys" - sed -Ei -e "/${pattern}/d" "${dockerfile}-tmp" - done + key_type="yarn" + while read -r line; do + pattern='"\$\{'$(echo "${key_type}" | tr '[:lower:]' '[:upper:]')'_KEYS\[@\]\}"' + sed -Ei -e "s/([ \\t]*)(${pattern})/\\1${line}${new_line}\\1\\2/" "${dockerfile}-tmp" + done < "keys/${key_type}.keys" + sed -Ei -e "/${pattern}/d" "${dockerfile}-tmp" + + # Add Node.js keyring URL and hash + sed -i -e "s#\${NODEJS_KEYRING_URL}#$(< keys/nodejs.url)#" -e "s/\${NODEJS_KEYRING_HASH}/$(< keys/nodejs.shasum)/" "${dockerfile}-tmp" if is_alpine "${variant}"; then alpine_version="${variant#*alpine}"
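Review bot: With the `for` loop gone, `key_type="yarn"` is a constant, yet `pattern` is still rebuilt through `echo | tr` on every iteration of the `while` loop and is only assigned if `keys/yarn.keys` has at least one line; with an empty file the following `sed -Ei -e "/${pattern}/d"` runs with an empty pattern. Set it once before the loop, `pattern='"\$\{YARN_KEYS\[@\]\}"'`, and leave the loop body to the single `sed` substitution. `update_node_version` starts and ends outside the hunk, so whether `pattern` and `key_type` are declared `local` elsewhere cannot be seen from here.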