Add some security layer on the GPG keyfetching

This commit is contained in:
William Desportes 2021-07-21 14:08:40 +02:00 committed by Thomas Bruederli
parent ad46293cad
commit b85710be9c
5 changed files with 41 additions and 5 deletions


@ -63,6 +63,7 @@ ADD https://getcomposer.org/installer /tmp/composer-installer.php
RUN php /tmp/composer-installer.php --install-dir=/usr/local/bin/; \
rm /tmp/composer-installer.php
RUN a2enmod rewrite
# expose these volumes
@ -74,6 +75,9 @@ VOLUME /tmp/roundcube-temp
# Define Roundcubemail version
ENV ROUNDCUBEMAIL_VERSION 1.4.11
# Define the GPG key used for the bundle verification process
ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5"
# Download package and extract to web volume
RUN set -ex; \
fetchDeps="gnupg dirmngr locales libc-l10n"; \
@ -84,7 +88,11 @@ RUN set -ex; \
export GNUPGHOME="$(mktemp -d)"; \
# workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9
echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \
curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \
curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \
gpg --batch --import /tmp/pubkey.asc; \
rm /tmp/pubkey.asc; \
gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \
gpgconf --kill all; \
mkdir /usr/src/roundcubemail; \
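Review bot: The second check compares `ROUNDCUBEMAIL_KEYID` literally against gpg's human-readable listing, and in the legacy `Key fingerprint = …` layout that `--keyid-format=long` selects gpg separates the two halves of a v4 fingerprint with two spaces, so the single-spaced value set in the `ENV` hunk above is unlikely to match and the build would stop with 'The key ID should be the roundcube one' even for the genuine key (worth confirming against the gpg version in the base image); the same hunk is repeated in the other four files of this commit. The pin should not depend on display whitespace: match the machine-readable `fpr` record instead, e.g. `LC_ALL=C.UTF-8 gpg -n --show-keys --with-colons --with-fingerprint /tmp/pubkey.asc | grep -c "^fpr:::::::::$(echo "$ROUNDCUBEMAIL_KEYID" | tr -d ' '):"` and require the count to be 1, and count `^pub:` records the same way for the one-key check so the first test no longer relies on the `Key fingerprint` wording either. A short comment above the two checks would help the next reader, e.g. `# fail closed: the downloaded keyfile must contain exactly one key, and its primary fingerprint must equal the pinned one`. The enclosing RUN starts before this hunk and continues after it.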


@ -65,6 +65,9 @@ VOLUME /tmp/roundcube-temp
# Define Roundcubemail version
ENV ROUNDCUBEMAIL_VERSION 1.4.11
# Define the GPG key used for the bundle verification process
ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5"
# Download package and extract to web volume
RUN set -ex; \
apk add --no-cache --virtual .fetch-deps \
@ -76,7 +79,11 @@ RUN set -ex; \
export GNUPGHOME="$(mktemp -d)"; \
# workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9
echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \
curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \
curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \
gpg --batch --import /tmp/pubkey.asc; \
rm /tmp/pubkey.asc; \
gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \
gpgconf --kill all; \
mkdir /usr/src/roundcubemail; \


@ -73,6 +73,9 @@ VOLUME /tmp/roundcube-temp
# Define Roundcubemail version
ENV ROUNDCUBEMAIL_VERSION 1.4.11
# Define the GPG key used for the bundle verification process
ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5"
# Download package and extract to web volume
RUN set -ex; \
fetchDeps="gnupg dirmngr locales libc-l10n"; \
@ -83,7 +86,11 @@ RUN set -ex; \
export GNUPGHOME="$(mktemp -d)"; \
# workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9
echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \
curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \
curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \
gpg --batch --import /tmp/pubkey.asc; \
rm /tmp/pubkey.asc; \
gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \
gpgconf --kill all; \
mkdir /usr/src/roundcubemail; \


@ -65,6 +65,9 @@ VOLUME /tmp/roundcube-temp
# Define Roundcubemail version
ENV ROUNDCUBEMAIL_VERSION %%VERSION%%
# Define the GPG key used for the bundle verification process
ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5"
# Download package and extract to web volume
RUN set -ex; \
apk add --no-cache --virtual .fetch-deps \
@ -76,7 +79,11 @@ RUN set -ex; \
export GNUPGHOME="$(mktemp -d)"; \
# workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9
echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \
curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \
curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \
gpg --batch --import /tmp/pubkey.asc; \
rm /tmp/pubkey.asc; \
gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \
gpgconf --kill all; \
mkdir /usr/src/roundcubemail; \


@ -73,6 +73,9 @@ VOLUME /tmp/roundcube-temp
# Define Roundcubemail version
ENV ROUNDCUBEMAIL_VERSION %%VERSION%%
# Define the GPG key used for the bundle verification process
ENV ROUNDCUBEMAIL_KEYID "F3E4 C04B B3DB 5D42 15C4 5F7F 5AB2 BAA1 41C4 F7D5"
# Download package and extract to web volume
RUN set -ex; \
fetchDeps="gnupg dirmngr locales libc-l10n"; \
@ -83,7 +86,11 @@ RUN set -ex; \
export GNUPGHOME="$(mktemp -d)"; \
# workaround for "Cannot assign requested address", see e.g. https://github.com/inversepath/usbarmory-debian-base_image/issues/9
echo "disable-ipv6" > "$GNUPGHOME/dirmngr.conf"; \
curl -fSL https://roundcube.net/download/pubkey.asc | gpg --batch --import -; \
curl -fSL https://roundcube.net/download/pubkey.asc -o /tmp/pubkey.asc; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o 'Key fingerprint') != 1 ]; then echo 'The key file should contain only one GPG key'; exit 1; fi; \
LC_ALL=C.UTF-8 gpg -n --show-keys --with-fingerprint --keyid-format=long /tmp/pubkey.asc | if [ $(grep -c -o "${ROUNDCUBEMAIL_KEYID}") != 1 ]; then echo 'The key ID should be the roundcube one'; exit 1; fi; \
gpg --batch --import /tmp/pubkey.asc; \
rm /tmp/pubkey.asc; \
gpg --batch --verify roundcubemail.tar.gz.asc roundcubemail.tar.gz; \
gpgconf --kill all; \
mkdir /usr/src/roundcubemail; \