Update security of Dockerfile by jstuder-gh · Pull Request #18 · rakudo/docker

jstuder-gh · 2018-08-09T04:08:01Z

Use https to retrieve archive from Rakudo server
Retrieve PGP signature from Rakudo server (https)
Retrieve PGP public key over hkps and using full fingerprint
Verify archive using signature (explicitly using gpg2)

Makes for easy cleanup.

* Use https to retrieve archive from Rakudo server * Retrieve PGP signature from Rakudo server (https) * Retrieve PGP public key over hkps and using full fingerprint * Verify archive using signature (explicitly with gpg2)

tianon · 2018-08-09T04:28:30Z

Dockerfile

        make \
    ' \
+    url="https://rakudo.org/downloads/star/rakudo-star-${rakudo_version}.tar.gz" \
+    keyserver='hkps.pool.sks-keyservers.net' \


As written, this won't actually use hkps (it'll use hkp against the hkps pool, which will generally work), but I'd also argue that when using a full fingerprint, hkps doesn't provide additional benefit since gpg will verify the fingerprint of the key after fetching which is a stronger guarantee, and not using hkps allows us to intentionally mitm for increased reliability (see docker-library/php#666), which we do on all the official build servers for the official images.

Thanks for the insight! I'll update the branch to use the 'ha' pool as suggested on the official image readme.

Use the 'ha' keyserver pool as... * GPG already provides strong guaranty when using a full fingerprint * Using hkps reduces reliability enhancements Docker provides for official images Thanks to tianon++ for the review. See [here](https://github.com/perl6/docker/pull/18/files#r208803260) for more details.

jstuder-gh · 2018-08-09T12:26:10Z

@tianon, I noticed that the Travis build is failing with gpg2: not found, which surprises me as it builds just fine for me on my local machine (it should be using the same base image, right?)

Would it be best to use plain 'gpg' here? Given the base image, I believe gpg is an alias for gpg2, but if not and GPG v1.* were used would that greatly affect security in this instance? Thanks.

zakame · 2018-08-09T12:31:38Z

@jstuder-gh gpg on buildpack-deps should already be gpg2:

θ69° [zakame:~] % docker run --rm -it buildpack-deps:stretch /bin/sh
# which gpg2
# dpkg -s gnupg | grep Version
Version: 2.1.18-8~deb9u1
# which gpg
/usr/bin/gpg
# gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /root/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

So better use gpg in the Dockerfile RUNs.

Travis was failing due to being unable to find 'gpg2' and gpg is already an alias for gpg2 in the base image. Thanks to zakame++ for verification.

jstuder-gh · 2018-08-09T12:53:38Z

Thanks @zakame for confirming on your end. I've updated the branch accordingly.

hoelzro · 2018-08-09T15:29:10Z

If all looks good to @tianon, I can merge this!

tianon · 2018-08-09T15:39:30Z

Looks great to me! 👌

The gpg2 discrepancy was likely just an outdated base image; doing docker build --pull ... would probably help/fix that. 👍

hoelzro · 2018-08-09T18:44:40Z

Ok, thanks @jstuder-gh for the contribution, and thanks to @tianon and @zakame for reviewing!

jstuder-gh added 2 commits August 8, 2018 23:20

Store all intermediate files in temp dir

048e15a

Makes for easy cleanup.

Upgrade security of Dockerfile

33cba95

* Use https to retrieve archive from Rakudo server * Retrieve PGP signature from Rakudo server (https) * Retrieve PGP public key over hkps and using full fingerprint * Verify archive using signature (explicitly with gpg2)

tianon reviewed Aug 9, 2018

View reviewed changes

Use 'gpg' as opposed to explicit 'gpg2'

944167b

Travis was failing due to being unable to find 'gpg2' and gpg is already an alias for gpg2 in the base image. Thanks to zakame++ for verification.

hoelzro merged commit 8d988c4 into rakudo:master Aug 9, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update security of Dockerfile#18

Update security of Dockerfile#18
hoelzro merged 4 commits intorakudo:masterfrom
jstuder-gh:update_security

jstuder-gh commented Aug 9, 2018

Uh oh!

tianon Aug 9, 2018

Uh oh!

jstuder-gh Aug 9, 2018

Uh oh!

jstuder-gh commented Aug 9, 2018

Uh oh!

zakame commented Aug 9, 2018 •

edited

Loading

Uh oh!

jstuder-gh commented Aug 9, 2018

Uh oh!

hoelzro commented Aug 9, 2018

Uh oh!

tianon commented Aug 9, 2018

Uh oh!

hoelzro commented Aug 9, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

jstuder-gh commented Aug 9, 2018

Uh oh!

tianon Aug 9, 2018

Choose a reason for hiding this comment

Uh oh!

jstuder-gh Aug 9, 2018

Choose a reason for hiding this comment

Uh oh!

jstuder-gh commented Aug 9, 2018

Uh oh!

zakame commented Aug 9, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jstuder-gh commented Aug 9, 2018

Uh oh!

hoelzro commented Aug 9, 2018

Uh oh!

tianon commented Aug 9, 2018

Uh oh!

hoelzro commented Aug 9, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

zakame commented Aug 9, 2018 •

edited

Loading