From: William Desportes Date: Wed, 21 Jul 2021 12:08:40 +0000 (+0200) Subject: Add some security layer on the GPG keyfetching X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=b85710be9ca5f6e0807811123243b554ca90842e;p=roundcube-roundcubemail-docker.git Add some security layer on the GPG keyfetching --- diff --git a/apache/Dockerfile b/apache/Dockerfile index 0b2699a..fbf996a 100644 --- a/apache/Dockerfile +++ b/apache/Dockerfile @@ -63,6 +63,7 @@ ADD https://getcomposer.org/installer /tmp/composer-installer.php RUN php /tmp/composer-installer.php --install-dir=/usr/local/bin/; \ rm /tmp/composer-installer.php + RUN a2enmod rewrite # expose these volumes @@ -74,6 +75,9 @@ VOLUME /tmp/roundcube-temp # Define Roundcubemail version ENV ROUNDCUBEMAIL_VERSION 1.4.11 +# Define the GPG key used for the bundle verification process +ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5" + # Download package and extract to web volume RUN set -ex; \ fetchDeps="gnupg dirmngr locales libc-l10n"; \ 
@@ -84,7 +88,11 @@ RUN set -ex; \ export GNUPGHOME="$(mktemp -d)"; \ # workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9 echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \ - curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \ + curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \ + gpg --batch --import /tmp/pubkey.asc; \ + rm /tmp/pubkey.asc; \ gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \ gpgconf --kill all; \ mkdir /usr/src/roundcubemail; \ diff --git a/fpm-alpine/Dockerfile b/fpm-alpine/Dockerfile index e0c8150..bf0f33c 100644 --- a/fpm-alpine/Dockerfile +++ b/fpm-alpine/Dockerfile @@ -65,6 +65,9 @@ VOLUME /tmp/roundcube-temp # Define Roundcubemail version ENV ROUNDCUBEMAIL_VERSION 1.4.11 +# Define the GPG key used for the bundle verification process +ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5" + # Download package and extract to web volume RUN set -ex; \ apk add --no-cache --virtual .fetch-deps \ 
@@ -76,7 +79,11 @@ RUN set -ex; \ export GNUPGHOME="$(mktemp -d)"; \ # workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9 echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \ - curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \ + curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \ + gpg --batch --import /tmp/pubkey.asc; \ + rm /tmp/pubkey.asc; \ gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \ gpgconf --kill all; \ mkdir /usr/src/roundcubemail; \ diff --git a/fpm/Dockerfile b/fpm/Dockerfile index 3b993d9..df55482 100644 --- a/fpm/Dockerfile +++ b/fpm/Dockerfile @@ -73,6 +73,9 @@ VOLUME /tmp/roundcube-temp # Define Roundcubemail version ENV ROUNDCUBEMAIL_VERSION 1.4.11 +# Define the GPG key used for the bundle verification process +ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5" + # Download package and extract to web volume RUN set -ex; \ fetchDeps="gnupg dirmngr locales libc-l10n"; \ 
@@ -83,7 +86,11 @@ RUN set -ex; \ export GNUPGHOME="$(mktemp -d)"; \ # workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9 echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \ - curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \ + curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \ + gpg --batch --import /tmp/pubkey.asc; \ + rm /tmp/pubkey.asc; \ gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \ gpgconf --kill all; \ mkdir /usr/src/roundcubemail; \ diff --git a/templates/Dockerfile-alpine.templ b/templates/Dockerfile-alpine.templ index 35b9b64..d6da23e 100644 --- a/templates/Dockerfile-alpine.templ +++ b/templates/Dockerfile-alpine.templ @@ -65,6 +65,9 @@ VOLUME /tmp/roundcube-temp # Define Roundcubemail version ENV ROUNDCUBEMAIL_VERSION %%VERSION%% +# Define the GPG key used for the bundle verification process +ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5" + # Download package and extract to web volume RUN set -ex; \ apk add --no-cache --virtual .fetch-deps \ 
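Review bot: `ENV ROUNDCUBEMAIL_KEYID` is only read by the build-time `RUN` that verifies the tarball, but `ENV` also bakes the value into the environment of every container started from the image; `ARG ROUNDCUBEMAIL_KEYID="F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5"` would make it available to `RUN` during the build only. The value is a full 40-hex-digit fingerprint rather than a key ID, so the name and the new comment undersell what is being pinned; I would at least change the comment to `# Full fingerprint of the Roundcube release signing key; the downloaded pubkey.asc must match it exactly`. The `apache/`, `fpm/` and `fpm-alpine/` Dockerfiles in this commit appear to be generated from these templates (note the `%%VERSION%%` placeholder), so any change belongs here rather than in the copies.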
@@ -76,7 +79,11 @@ RUN set -ex; \ export GNUPGHOME="$(mktemp -d)"; \ # workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9 echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \ - curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \ + curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \ + gpg --batch --import /tmp/pubkey.asc; \ + rm /tmp/pubkey.asc; \ gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \ gpgconf --kill all; \ mkdir /usr/src/roundcubemail; \ diff --git a/templates/Dockerfile-debian.templ b/templates/Dockerfile-debian.templ index 5515171..035c328 100644 --- a/templates/Dockerfile-debian.templ +++ b/templates/Dockerfile-debian.templ @@ -73,6 +73,9 @@ VOLUME /tmp/roundcube-temp # Define Roundcubemail version ENV ROUNDCUBEMAIL_VERSION %%VERSION%% +# Define the GPG key used for the bundle verification process +ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5" + # Download package and extract to web volume RUN set -ex; \ fetchDeps="gnupg dirmngr locales libc-l10n"; \ 
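Review bot: The fingerprint check on the new `grep -c -o "${ROUNDCUBEMAIL_KEYID}"` line depends on gpg's human-readable layout, and as far as I can tell GnuPG 2.1+ prints a v4 fingerprint with a double space between its two halves (`15C4  5F7F`), so the single-spaced value in `ROUNDCUBEMAIL_KEYID` may never match and the build would always stop at 'The key ID should be the roundcube one'; the `Key fingerprint` label counted on the line above likewise only exists in the legacy listing format that `--keyid-format=long` happens to select, so a gpg upgrade in the base image can silently change the count. Comparing the `fpr` field of `--with-colons` output against the pinned value with its spaces stripped removes both format dependencies and folds the two greps into one check that still enforces "exactly one primary key", which is what the rewritten lines below do in place of the two `LC_ALL=C.UTF-8 gpg -n --show-keys ...` lines (`-o` is dropped because `grep -c` counts lines and ignores it, and the substitution is quoted so an empty result cannot break `[ ]`). This template drives the generated `fpm-alpine/Dockerfile`, so the fix only needs to land here; the enclosing `RUN set -ex` instruction starts before the hunk and continues past it. Please confirm the busybox `awk` in the Alpine base accepts the `getline` idiom used (it should).

```dockerfile
	curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \
	# Machine-readable listing: each "pub" record is followed by an "fpr" record whose
	# field 10 is the primary key's 40-hex fingerprint, independent of locale and of
	# gpg's human-readable layout. Only a file holding exactly one primary key whose
	# fingerprint equals the pinned value (spaces removed) passes.
	keyfpr="$(LC_ALL=C.UTF-8 gpg --batch -n --show-keys --with-colons --with-fingerprint /tmp/pubkey.asc | awk -F: '$1 == "pub" { getline; if ($1 == "fpr") print $10 }')"; \
	if [ "$keyfpr" != "$(printf '%s' "${ROUNDCUBEMAIL_KEYID}" | tr -d ' ')" ]; then echo 'pubkey.asc must contain exactly one key, the pinned Roundcube release key' >&2; exit 1; fi; \
	gpg --batch --import /tmp/pubkey.asc; \
	# … unchanged: rm /tmp/pubkey.asc, gpg --batch --verify, gpgconf --kill all, mkdir …
```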
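Review bot: `ENV ROUNDCUBEMAIL_KEYID` is consumed only by the build-time `RUN` that verifies the tarball, yet `ENV` persists the value into the environment of every container built from this image; `ARG ROUNDCUBEMAIL_KEYID="F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5"` would scope it to the build. Since the value is a full fingerprint and not a key ID, I would reword the added comment to `# Full fingerprint of the Roundcube release signing key; the downloaded pubkey.asc must match it exactly` so the next reader knows an exact 40-hex-digit match is intended. The Debian-based `apache/Dockerfile` and `fpm/Dockerfile` in this commit appear to be generated from this template (note `%%VERSION%%`), so the change belongs here.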
@@ -83,7 +86,11 @@ RUN set -ex; \ export GNUPGHOME="$(mktemp -d)"; \ # workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9 echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \ - curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \ + curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \ + LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \ + gpg --batch --import /tmp/pubkey.asc; \ + rm /tmp/pubkey.asc; \ gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \ gpgconf --kill all; \ mkdir /usr/src/roundcubemail; \