ensure build failure upon signature verification failure

GoogleCloudPlatform · Jun 19, 2020 · 6bf95d6 · 6bf95d6
1 parent 084d7b8
commit 6bf95d6
Showing 1 changed file with 21 additions and 20 deletions.
diff --git a/.kokoro/docker/Dockerfile b/.kokoro/docker/Dockerfile
@@ -92,10 +92,7 @@ RUN curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add - \
   && rm -f /var/cache/apt/archives/*.deb
 
 # Install the desired versions of Python.
-RUN for PYTHON_VERSION in 2.7.18 3.6.10 3.7.7 3.8.3; do \
-  set -ex \
-    && wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
-    && wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
+RUN set -ex \
     && export GNUPGHOME="$(mktemp -d)" \
     && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys \
       # 2.7.17 (Benjamin Peterson)
@@ -106,23 +103,27 @@ RUN for PYTHON_VERSION in 2.7.18 3.6.10 3.7.7 3.8.3; do \
       0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D \
       # 3.8.0 (Łukasz Langa)
       E3FF2839C048B25C084DEBE9B26995E310250568 \
-    && gpg --batch --verify python-${PYTHON_VERSION}.tar.xz.asc python-${PYTHON_VERSION}.tar.xz \
-    && rm -r "$GNUPGHOME" python-${PYTHON_VERSION}.tar.xz.asc \
-    && mkdir -p /usr/src/python-${PYTHON_VERSION} \
-    && tar -xJC /usr/src/python-${PYTHON_VERSION} --strip-components=1 -f python-${PYTHON_VERSION}.tar.xz \
-    && rm python-${PYTHON_VERSION}.tar.xz \
-    && cd /usr/src/python-${PYTHON_VERSION} \
-    && ./configure \
-        --enable-shared \
-      # This works only on Python 2.7 and throws a warning on every other
-      # version, but seems otherwise harmless.
-        --enable-unicode=ucs4 \
-        --with-system-ffi \
-        --without-ensurepip \
-    && make -j$(nproc) \
-    && make install \
-    && ldconfig \
+    && for PYTHON_VERSION in 2.7.18 3.6.10 3.7.7 3.8.3; do \
+        wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
+        && wget --no-check-certificate -O python-${PYTHON_VERSION}.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \
+        && gpg --batch --verify python-${PYTHON_VERSION}.tar.xz.asc python-${PYTHON_VERSION}.tar.xz \
+        && rm -r python-${PYTHON_VERSION}.tar.xz.asc \
+        && mkdir -p /usr/src/python-${PYTHON_VERSION} \
+        && tar -xJC /usr/src/python-${PYTHON_VERSION} --strip-components=1 -f python-${PYTHON_VERSION}.tar.xz \
+        && rm python-${PYTHON_VERSION}.tar.xz \
+        && cd /usr/src/python-${PYTHON_VERSION} \
+        && ./configure \
+            --enable-shared \
+            # This works only on Python 2.7 and throws a warning on every other
+            # version, but seems otherwise harmless.
+            --enable-unicode=ucs4 \
+            --with-system-ffi \
+            --without-ensurepip \
+        && make -j$(nproc) \
+        && make install \
+        && ldconfig \
   ; done \
+  && rm -r "${GNUPGHOME}" \
   && rm -rf /usr/src/python* \
   && rm -rf ~/.cache/