diff --git a/4.4/Dockerfile b/4.4/Dockerfile index cd37055f24..d814969c08 100644 --- a/4.4/Dockerfile +++ b/4.4/Dockerfile @@ -17,7 +17,6 @@ RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ ca-certificates \ - gnupg \ jq \ numactl \ procps \ @@ -29,15 +28,17 @@ ENV GOSU_VERSION 1.17 # grab "js-yaml" for parsing mongod's YAML config files (https://github.com/nodeca/js-yaml/releases) ENV JSYAML_VERSION 3.13.1 -RUN set -ex; \ +RUN set -eux; \ \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends \ + gnupg \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ \ +# download/install gosu dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ @@ -47,12 +48,22 @@ RUN set -ex; \ gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ \ +# download/install js-yaml mkdir -p /opt/js-yaml/; \ wget -O /opt/js-yaml/js-yaml.js "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/dist/js-yaml.js"; \ wget -O /opt/js-yaml/package.json "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/package.json"; \ ln -s /opt/js-yaml/js-yaml.js /js-yaml.js; \ # TODO some sort of download verification here \ +# download/install MongoDB PGP keys + export GNUPGHOME="$(mktemp -d)"; \ + wget -O KEYS 'https://pgp.mongodb.com/server-4.4.asc'; \ + gpg --batch --import KEYS; \ + mkdir -p /etc/apt/keyrings; \ + gpg --batch --export --armor '20691EEC35216C63CAF66CE1656408E390CFB1F5' > /etc/apt/keyrings/mongodb.asc; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" KEYS; \ + \ apt-mark auto '.*' > /dev/null; \ apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ 
@@ -64,17 +75,6 @@ RUN set -ex; \ RUN mkdir /docker-entrypoint-initdb.d -RUN set -ex; \ - export GNUPGHOME="$(mktemp -d)"; \ - set -- '20691EEC35216C63CAF66CE1656408E390CFB1F5'; \ - for key; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ - done; \ - mkdir -p /etc/apt/keyrings; \ - gpg --batch --export "$@" > /etc/apt/keyrings/mongodb.gpg; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" - # Allow build-time overrides (eg. to build image with MongoDB Enterprise version) # Options for MONGO_PACKAGE: mongodb-org OR mongodb-enterprise # Options for MONGO_REPO: repo.mongodb.org OR repo.mongodb.com @@ -84,7 +84,7 @@ ARG MONGO_REPO=repo.mongodb.org ENV MONGO_PACKAGE=${MONGO_PACKAGE} MONGO_REPO=${MONGO_REPO} ENV MONGO_MAJOR 4.4 -RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.gpg ] http://$MONGO_REPO/apt/ubuntu focal/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR multiverse" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" +RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.asc ] http://$MONGO_REPO/apt/ubuntu focal/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR multiverse" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" # https://docs.mongodb.org/master/release-notes/4.4/ ENV MONGO_VERSION 4.4.28 diff --git a/5.0/Dockerfile b/5.0/Dockerfile index c1c24b35d2..4b6be81a4d 100644 --- a/5.0/Dockerfile +++ b/5.0/Dockerfile @@ -17,7 +17,6 @@ RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ ca-certificates \ - gnupg \ jq \ numactl \ procps \ 
@@ -29,15 +28,17 @@ ENV GOSU_VERSION 1.17 # grab "js-yaml" for parsing mongod's YAML config files (https://github.com/nodeca/js-yaml/releases) ENV JSYAML_VERSION 3.13.1 -RUN set -ex; \ +RUN set -eux; \ \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends \ + gnupg \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ \ +# download/install gosu dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ @@ -47,12 +48,22 @@ RUN set -ex; \ gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ \ +# download/install js-yaml mkdir -p /opt/js-yaml/; \ wget -O /opt/js-yaml/js-yaml.js "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/dist/js-yaml.js"; \ wget -O /opt/js-yaml/package.json "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/package.json"; \ ln -s /opt/js-yaml/js-yaml.js /js-yaml.js; \ # TODO some sort of download verification here \ +# download/install MongoDB PGP keys + export GNUPGHOME="$(mktemp -d)"; \ + wget -O KEYS 'https://pgp.mongodb.com/server-5.0.asc'; \ + gpg --batch --import KEYS; \ + mkdir -p /etc/apt/keyrings; \ + gpg --batch --export --armor 'F5679A222C647C87527C2F8CB00A0BD1E2C63C11' > /etc/apt/keyrings/mongodb.asc; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" KEYS; \ + \ apt-mark auto '.*' > /dev/null; \ apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ 
@@ -64,17 +75,6 @@ RUN set -ex; \ RUN mkdir /docker-entrypoint-initdb.d -RUN set -ex; \ - export GNUPGHOME="$(mktemp -d)"; \ - set -- 'F5679A222C647C87527C2F8CB00A0BD1E2C63C11'; \ - for key; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ - done; \ - mkdir -p /etc/apt/keyrings; \ - gpg --batch --export "$@" > /etc/apt/keyrings/mongodb.gpg; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" - # Allow build-time overrides (eg. to build image with MongoDB Enterprise version) # Options for MONGO_PACKAGE: mongodb-org OR mongodb-enterprise # Options for MONGO_REPO: repo.mongodb.org OR repo.mongodb.com @@ -84,7 +84,7 @@ ARG MONGO_REPO=repo.mongodb.org ENV MONGO_PACKAGE=${MONGO_PACKAGE} MONGO_REPO=${MONGO_REPO} ENV MONGO_MAJOR 5.0 -RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.gpg ] http://$MONGO_REPO/apt/ubuntu focal/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR multiverse" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" +RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.asc ] http://$MONGO_REPO/apt/ubuntu focal/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR multiverse" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" # https://docs.mongodb.org/master/release-notes/5.0/ ENV MONGO_VERSION 5.0.24 diff --git a/6.0/Dockerfile b/6.0/Dockerfile index 7d76fe22ea..1250d538fa 100644 --- a/6.0/Dockerfile +++ b/6.0/Dockerfile @@ -17,7 +17,6 @@ RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ ca-certificates \ - gnupg \ jq \ numactl \ procps \ 
@@ -29,15 +28,17 @@ ENV GOSU_VERSION 1.17 # grab "js-yaml" for parsing mongod's YAML config files (https://github.com/nodeca/js-yaml/releases) ENV JSYAML_VERSION 3.13.1 -RUN set -ex; \ +RUN set -eux; \ \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends \ + gnupg \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ \ +# download/install gosu dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ @@ -47,12 +48,22 @@ RUN set -ex; \ gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ \ +# download/install js-yaml mkdir -p /opt/js-yaml/; \ wget -O /opt/js-yaml/js-yaml.js "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/dist/js-yaml.js"; \ wget -O /opt/js-yaml/package.json "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/package.json"; \ ln -s /opt/js-yaml/js-yaml.js /js-yaml.js; \ # TODO some sort of download verification here \ +# download/install MongoDB PGP keys + export GNUPGHOME="$(mktemp -d)"; \ + wget -O KEYS 'https://pgp.mongodb.com/server-6.0.asc'; \ + gpg --batch --import KEYS; \ + mkdir -p /etc/apt/keyrings; \ + gpg --batch --export --armor '39BD841E4BE5FB195A65400E6A26B1AE64C3C388' > /etc/apt/keyrings/mongodb.asc; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" KEYS; \ + \ apt-mark auto '.*' > /dev/null; \ apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ 
@@ -64,17 +75,6 @@ RUN set -ex; \ RUN mkdir /docker-entrypoint-initdb.d -RUN set -ex; \ - export GNUPGHOME="$(mktemp -d)"; \ - set -- '39BD841E4BE5FB195A65400E6A26B1AE64C3C388'; \ - for key; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ - done; \ - mkdir -p /etc/apt/keyrings; \ - gpg --batch --export "$@" > /etc/apt/keyrings/mongodb.gpg; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" - # Allow build-time overrides (eg. to build image with MongoDB Enterprise version) # Options for MONGO_PACKAGE: mongodb-org OR mongodb-enterprise # Options for MONGO_REPO: repo.mongodb.org OR repo.mongodb.com @@ -84,7 +84,7 @@ ARG MONGO_REPO=repo.mongodb.org ENV MONGO_PACKAGE=${MONGO_PACKAGE} MONGO_REPO=${MONGO_REPO} ENV MONGO_MAJOR 6.0 -RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.gpg ] http://$MONGO_REPO/apt/ubuntu jammy/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR multiverse" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" +RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.asc ] http://$MONGO_REPO/apt/ubuntu jammy/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR multiverse" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" # https://docs.mongodb.org/master/release-notes/6.0/ ENV MONGO_VERSION 6.0.13 diff --git a/7.0/Dockerfile b/7.0/Dockerfile index 9b1767b7c3..8b32155e7b 100644 --- a/7.0/Dockerfile +++ b/7.0/Dockerfile @@ -17,7 +17,6 @@ RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ ca-certificates \ - gnupg \ jq \ numactl \ procps \ 
@@ -29,15 +28,17 @@ ENV GOSU_VERSION 1.17 # grab "js-yaml" for parsing mongod's YAML config files (https://github.com/nodeca/js-yaml/releases) ENV JSYAML_VERSION 3.13.1 -RUN set -ex; \ +RUN set -eux; \ \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends \ + gnupg \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ \ +# download/install gosu dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ @@ -47,12 +48,22 @@ RUN set -ex; \ gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ \ +# download/install js-yaml mkdir -p /opt/js-yaml/; \ wget -O /opt/js-yaml/js-yaml.js "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/dist/js-yaml.js"; \ wget -O /opt/js-yaml/package.json "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/package.json"; \ ln -s /opt/js-yaml/js-yaml.js /js-yaml.js; \ # TODO some sort of download verification here \ +# download/install MongoDB PGP keys + export GNUPGHOME="$(mktemp -d)"; \ + wget -O KEYS 'https://pgp.mongodb.com/server-7.0.asc'; \ + gpg --batch --import KEYS; \ + mkdir -p /etc/apt/keyrings; \ + gpg --batch --export --armor 'E58830201F7DD82CD808AA84160D26BB1785BA38' > /etc/apt/keyrings/mongodb.asc; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" KEYS; \ + \ apt-mark auto '.*' > /dev/null; \ apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ 
@@ -64,17 +75,6 @@ RUN set -ex; \ RUN mkdir /docker-entrypoint-initdb.d -RUN set -ex; \ - export GNUPGHOME="$(mktemp -d)"; \ - set -- 'E58830201F7DD82CD808AA84160D26BB1785BA38'; \ - for key; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ - done; \ - mkdir -p /etc/apt/keyrings; \ - gpg --batch --export "$@" > /etc/apt/keyrings/mongodb.gpg; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" - # Allow build-time overrides (eg. to build image with MongoDB Enterprise version) # Options for MONGO_PACKAGE: mongodb-org OR mongodb-enterprise # Options for MONGO_REPO: repo.mongodb.org OR repo.mongodb.com @@ -84,7 +84,7 @@ ARG MONGO_REPO=repo.mongodb.org ENV MONGO_PACKAGE=${MONGO_PACKAGE} MONGO_REPO=${MONGO_REPO} ENV MONGO_MAJOR 7.0 -RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.gpg ] http://$MONGO_REPO/apt/ubuntu jammy/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR multiverse" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" +RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.asc ] http://$MONGO_REPO/apt/ubuntu jammy/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR multiverse" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" # https://docs.mongodb.org/master/release-notes/7.0/ ENV MONGO_VERSION 7.0.5 diff --git a/Dockerfile-linux.template b/Dockerfile-linux.template index 5f7b1853fa..bcb85f59d0 100644 --- a/Dockerfile-linux.template +++ b/Dockerfile-linux.template @@ -12,7 +12,6 @@ RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends \ ca-certificates \ - gnupg \ jq \ numactl \ procps \ 
@@ -24,15 +23,17 @@ ENV GOSU_VERSION 1.17 # grab "js-yaml" for parsing mongod's YAML config files (https://github.com/nodeca/js-yaml/releases) ENV JSYAML_VERSION 3.13.1 -RUN set -ex; \ +RUN set -eux; \ \ savedAptMark="$(apt-mark showmanual)"; \ apt-get update; \ apt-get install -y --no-install-recommends \ + gnupg \ wget \ ; \ rm -rf /var/lib/apt/lists/*; \ \ +# download/install gosu dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ @@ -42,12 +43,22 @@ RUN set -ex; \ gpgconf --kill all; \ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ \ +# download/install js-yaml mkdir -p /opt/js-yaml/; \ wget -O /opt/js-yaml/js-yaml.js "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/dist/js-yaml.js"; \ wget -O /opt/js-yaml/package.json "https://github.com/nodeca/js-yaml/raw/${JSYAML_VERSION}/package.json"; \ ln -s /opt/js-yaml/js-yaml.js /js-yaml.js; \ # TODO some sort of download verification here \ +# download/install MongoDB PGP keys + export GNUPGHOME="$(mktemp -d)"; \ + wget -O KEYS {{ [ .pgp[].url ] | map(@sh) | join(" ") }}; \ + gpg --batch --import KEYS; \ + mkdir -p /etc/apt/keyrings; \ + gpg --batch --export --armor {{ [ .pgp[].fingerprints[] ] | map(@sh) | join(" ") }} > /etc/apt/keyrings/mongodb.asc; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" KEYS; \ + \ apt-mark auto '.*' > /dev/null; \ apt-mark manual $savedAptMark > /dev/null; \ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ 
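Review bot: The fingerprint pin in the new "download/install MongoDB PGP keys" block is enforced only by the `gpg --batch --export --armor {{ … }}` line, and nothing checks that each pinned fingerprint was actually present in the downloaded `KEYS` file. If the served key does not match, the export may only warn and leave `/etc/apt/keyrings/mongodb.asc` empty or partial, so the build would presumably fail later, at the repository step outside this hunk, with an error that hides the cause. A check right after the import, such as `gpg --batch --list-keys {{ [ .pgp[].fingerprints[] ] | map(@sh) | join(" ") }} > /dev/null; \`, should stop the build at the mismatch. A comment saying that the pinned fingerprint, not the HTTPS download, is the trust anchor would also help. The versioned `4.4`–`7.0` Dockerfiles carry the same block, and the enclosing `RUN` starts and ends outside this hunk.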
@@ -59,17 +70,6 @@ RUN set -ex; \ RUN mkdir /docker-entrypoint-initdb.d -RUN set -ex; \ - export GNUPGHOME="$(mktemp -d)"; \ - set -- {{ .gpg | map(@sh) | join(" ") }}; \ - for key; do \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ - done; \ - mkdir -p /etc/apt/keyrings; \ - gpg --batch --export "$@" > /etc/apt/keyrings/mongodb.gpg; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" - # Allow build-time overrides (eg. to build image with MongoDB Enterprise version) # Options for MONGO_PACKAGE: mongodb-org OR mongodb-enterprise # Options for MONGO_REPO: repo.mongodb.org OR repo.mongodb.com 
@@ -79,14 +79,14 @@ ARG MONGO_REPO=repo.mongodb.org ENV MONGO_PACKAGE=${MONGO_PACKAGE} MONGO_REPO=${MONGO_REPO} ENV MONGO_MAJOR {{ if env.version != env.rcVersion then "testing" else env.version end }} -RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.gpg ] http://$MONGO_REPO/apt/{{ target.image | gsub(":.*$"; "") }} {{ target.suite }}/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR {{ if target.image | test("^debian") then "main" else "multiverse" end }}" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" +RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.asc ] http://$MONGO_REPO/apt/{{ target.image | gsub(":.*$"; "") }} {{ target.suite }}/${MONGO_PACKAGE%-unstable}/$MONGO_MAJOR {{ if target.image | test("^debian") then "main" else "multiverse" end }}" | tee "/etc/apt/sources.list.d/${MONGO_PACKAGE%-unstable}.list" {{ if env.version != env.rcVersion and (env.rcVersion | tonumber >= 5) then ( -}} {{ if .version | ltrimstr(env.rcVersion) | startswith(".0-") then ( -}} # {{ env.rcVersion }} is not GA, so we need the previous release for mongodb-mongosh and mongodb-database-tools -RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.gpg ] http://$MONGO_REPO/apt/{{ target.image | gsub(":.*$"; "") }} {{ target.suite }}/${MONGO_PACKAGE%-unstable}/{{ env.rcVersion | split(".") | .[0] |= (tonumber - 1 | tostring) | join(".") }} {{ if target.image | test("^debian") then "main" else "multiverse" end }}" | tee "/etc/apt/sources.list.d/mongodb-previous.list" +RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.asc ] http://$MONGO_REPO/apt/{{ target.image | gsub(":.*$"; "") }} {{ target.suite }}/${MONGO_PACKAGE%-unstable}/{{ env.rcVersion | split(".") | .[0] |= (tonumber - 1 | tostring) | join(".") }} {{ if target.image | test("^debian") then "main" else "multiverse" end }}" | tee "/etc/apt/sources.list.d/mongodb-previous.list" {{ ) else ( -}} # add GA repo for mongodb-mongosh and mongodb-database-tools -RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.gpg ] 
http://$MONGO_REPO/apt/{{ target.image | gsub(":.*$"; "") }} {{ target.suite }}/${MONGO_PACKAGE%-unstable}/{{ env.rcVersion }} {{ if target.image | test("^debian") then "main" else "multiverse" end }}" | tee "/etc/apt/sources.list.d/mongodb-{{ env.rcVersion }}.list" +RUN echo "deb [ signed-by=/etc/apt/keyrings/mongodb.asc ] http://$MONGO_REPO/apt/{{ target.image | gsub(":.*$"; "") }} {{ target.suite }}/${MONGO_PACKAGE%-unstable}/{{ env.rcVersion }} {{ if target.image | test("^debian") then "main" else "multiverse" end }}" | tee "/etc/apt/sources.list.d/mongodb-{{ env.rcVersion }}.list" {{ ) end -}} {{ ) else "" end -}} diff --git a/gpg-keys.sh b/gpg-keys.sh deleted file mode 100755 index ea249a47ae..0000000000 --- a/gpg-keys.sh +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -versions=( $(grep -vE '^#|^$' gpg-keys.txt | cut -d: -f1) ) - -for version in "${versions[@]}"; do - fingerprints="$( - docker run --rm -e v="$version" buildpack-deps:bullseye-curl bash -Eeuo pipefail -xc ' - wget -O key.asc "https://www.mongodb.org/static/pgp/server-$v.asc" >&2 - gpg --batch --import key.asc >&2 - gpg --batch --fingerprint --with-colons | grep "^fpr:" | cut -d: -f10 - ' - )" - awk -F: -v v="$version" -v fpr="$fingerprints" ' - $1 == v { - printf "%s:%s\n", v, fpr - next - } - { print } - ' gpg-keys.txt > gpg-keys.txt.new - mv gpg-keys.txt.new gpg-keys.txt -done diff --git a/gpg-keys.txt b/gpg-keys.txt deleted file mode 100644 index eae2d2e3c1..0000000000 --- a/gpg-keys.txt +++ /dev/null 
@@ -1,12 +0,0 @@
-# this file's values are updated via "./gpg-keys.sh"
-
-dev:28DE23AF08040FB24C33F36381B0EBBBADCEA95C
-7.0:E58830201F7DD82CD808AA84160D26BB1785BA38
-6.0:39BD841E4BE5FB195A65400E6A26B1AE64C3C388
-5.0:F5679A222C647C87527C2F8CB00A0BD1E2C63C11
-4.4:20691EEC35216C63CAF66CE1656408E390CFB1F5
-4.2:E162F504A20CDF15827F718D4B7C549A058F8B6B
-4.0:9DA31620334BD75D9DCB49F368818C72E52529D4
-
-# these all come directly via https://www.mongodb.org/static/pgp/server-X.Y.asc
-# see https://www.mongodb.org/static/pgp/?C=M;O=D
diff --git a/pgp-keys.json b/pgp-keys.json
new file mode 100644
index 0000000000..88fce4479a
--- /dev/null
+++ b/pgp-keys.json
@@ -0,0 +1,50 @@
+{
+ "dev": {
+ "url": "https://pgp.mongodb.com/server-dev.asc",
+ "fingerprints": [
+ "28DE23AF08040FB24C33F36381B0EBBBADCEA95C"
+ ]
+ },
+ "8.0": {
+ "url": "https://pgp.mongodb.com/server-8.0.asc",
+ "fingerprints": [
+ "4B0752C1BCA238C0B4EE14DC41DE058A4E7DCA05"
+ ]
+ },
+ "7.0": {
+ "url": "https://pgp.mongodb.com/server-7.0.asc",
+ "fingerprints": [
+ "E58830201F7DD82CD808AA84160D26BB1785BA38"
+ ]
+ },
+ "6.0": {
+ "url": "https://pgp.mongodb.com/server-6.0.asc",
+ "fingerprints": [
+ "39BD841E4BE5FB195A65400E6A26B1AE64C3C388"
+ ]
+ },
+ "5.0": {
+ "url": "https://pgp.mongodb.com/server-5.0.asc",
+ "fingerprints": [
+ "F5679A222C647C87527C2F8CB00A0BD1E2C63C11"
+ ]
+ },
+ "4.4": {
+ "url": "https://pgp.mongodb.com/server-4.4.asc",
+ "fingerprints": [
+ "20691EEC35216C63CAF66CE1656408E390CFB1F5"
+ ]
+ },
+ "4.2": {
+ "url": "https://pgp.mongodb.com/server-4.2.asc",
+ "fingerprints": [
+ "E162F504A20CDF15827F718D4B7C549A058F8B6B"
+ ]
+ },
+ "4.0": {
+ "url": "https://pgp.mongodb.com/server-4.0.asc",
+ "fingerprints": [
+ "9DA31620334BD75D9DCB49F368818C72E52529D4"
+ ]
+ }
+}
diff --git a/pgp-keys.sh b/pgp-keys.sh
new file mode 100755
index 0000000000..35d01a47bd
--- /dev/null
+++ b/pgp-keys.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+versions="$(jq -r 'keys_unsorted | map(@sh) | join(" ")' pgp-keys.json)"
+eval "set -- $versions"
+
+json='{}'
+
+for version; do
+ url="https://pgp.mongodb.com/server-$version.asc"
+ export version url
+ fingerprints="$(
+ docker run --rm --env url buildpack-deps:bookworm-curl bash -Eeuo pipefail -xc '
+ wget -O key.asc "$url" >&2
+ gpg --batch --import key.asc >&2
+ gpg --batch --fingerprint --with-colons | grep "^fpr:" | cut -d: -f10
+ '
+ )"
+ export fingerprints
+ json="$(jq <<<"$json" -c '
+ .[env.version] = {
+ url: env.url,
+ fingerprints: (
+ env.fingerprints
+ | rtrimstr("\n")
+ | split("\n")
+ ),
+ }
+ ')"
+done
+
+jq <<<"$json" '
+ to_entries
+ | sort_by(.key | split(".") | map(tonumber? // .))
+ | reverse
+ | from_entries
+' > pgp-keys.json
diff --git a/versions.json b/versions.json
index ef3ff6097b..b88e46af2a 100644
--- a/versions.json
+++ b/versions.json
@@ -3,11 +3,16 @@
 "changes": "https://jira.mongodb.org/issues/?jql=project%20%3D%20SERVER%20AND%20fixVersion%20%3D%20%224.4.28%22%20ORDER%20BY%20status%20DESC%2C%20priority%20DESC",
 "date": "01/11/2024",
 "githash": "61c2baf63a060f7c12bd76e779044800ae18710b",
- "gpg": [
- "20691EEC35216C63CAF66CE1656408E390CFB1F5"
- ],
 "linux": "ubuntu2004",
 "notes": "https://docs.mongodb.org/master/release-notes/4.4/",
+ "pgp": [
+ {
+ "fingerprints": [
+ "20691EEC35216C63CAF66CE1656408E390CFB1F5"
+ ],
+ "url": "https://pgp.mongodb.com/server-4.4.asc"
+ }
+ ],
 "targets": {
 "debian10": {
 "arches": [
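Review bot: pgp-keys.sh re-pins every fingerprint to whatever `$url` serves at run time: the output of `gpg --batch --fingerprint --with-colons` is written straight into `pgp-keys.json`, and the previously recorded value is never compared. Those fingerprints are what the Dockerfiles export into the apt keyring, so a changed key should be loud rather than silent. I would add a header comment such as `# NOTE: this re-pins fingerprints from pgp.mongodb.com; review the resulting pgp-keys.json diff before committing`. Consider also printing a warning to stderr when a version's new list differs from the one already in the file.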
@@ -51,11 +56,16 @@
 "changes": "https://jira.mongodb.org/issues/?jql=project%20%3D%20SERVER%20AND%20fixVersion%20%3D%20%225.0.24%22%20ORDER%20BY%20status%20DESC%2C%20priority%20DESC",
 "date": "01/11/2024",
 "githash": "f034f0c51b3dffef4b8c9452d77ede9888f28f66",
- "gpg": [
- "F5679A222C647C87527C2F8CB00A0BD1E2C63C11"
- ],
 "linux": "ubuntu2004",
 "notes": "https://docs.mongodb.org/master/release-notes/5.0/",
+ "pgp": [
+ {
+ "fingerprints": [
+ "F5679A222C647C87527C2F8CB00A0BD1E2C63C11"
+ ],
+ "url": "https://pgp.mongodb.com/server-5.0.asc"
+ }
+ ],
 "targets": {
 "debian10": {
 "arches": [
@@ -106,11 +116,16 @@
 "changes": "https://jira.mongodb.org/issues/?jql=project%20%3D%20SERVER%20AND%20fixVersion%20%3D%20%226.0.13%22%20ORDER%20BY%20status%20DESC%2C%20priority%20DESC",
 "date": "01/11/2024",
 "githash": "3b13907f9bdf6bd3264d67140d6c215d51bbd20c",
- "gpg": [
- "39BD841E4BE5FB195A65400E6A26B1AE64C3C388"
- ],
 "linux": "ubuntu2204",
 "notes": "https://docs.mongodb.org/master/release-notes/6.0/",
+ "pgp": [
+ {
+ "fingerprints": [
+ "39BD841E4BE5FB195A65400E6A26B1AE64C3C388"
+ ],
+ "url": "https://pgp.mongodb.com/server-6.0.asc"
+ }
+ ],
 "targets": {
 "debian10": {
 "arches": [
@@ -168,11 +183,16 @@
 "changes": "https://jira.mongodb.org/issues/?jql=project%20%3D%20SERVER%20AND%20fixVersion%20%3D%20%227.0.5%22%20ORDER%20BY%20status%20DESC%2C%20priority%20DESC",
 "date": "12/28/2023",
 "githash": "7809d71e84e314b497f282ea8aa06d7ded3eb205",
- "gpg": [
- "E58830201F7DD82CD808AA84160D26BB1785BA38"
- ],
 "linux": "ubuntu2204",
 "notes": "https://docs.mongodb.org/master/release-notes/7.0/",
+ "pgp": [
+ {
+ "fingerprints": [
+ "E58830201F7DD82CD808AA84160D26BB1785BA38"
+ ],
+ "url": "https://pgp.mongodb.com/server-7.0.asc"
+ }
+ ],
 "targets": {
 "debian11": {
 "arches": [
diff --git a/versions.sh b/versions.sh
index 8d4915e03f..3cd673af7f 100755
--- a/versions.sh
+++ b/versions.sh
@@ -65,7 +65,12 @@ shell="$( ] # now convert all that data to a basic shell list + map so we can loop over/use it appropriately - | "allVersions=( " + (map(.version | @sh) | join(" ")) + " )\n" + | "allVersions=( " + ( + map(.version | ., if endswith("-rc") then empty else . + "-rc" end) + | unique + | map(@sh) + | join(" ") + ) + " )\n" + "declare -A versionMeta=(\n" + ( map( "\t[" + (.version | @sh) + "]=" @@ -107,25 +112,23 @@ for version in "${versions[@]}"; do msiSha256="${msiSha256%% *}" export msiUrl msiSha256 - # GPG keys - gpgKeyVersion="${version%-rc}" - minor="${gpgKeyVersion#*.}" # "4.3" -> "3" - if [ "$(( minor % 2 ))" = 1 ]; then - gpgKeyVersion="${version%.*}.$(( minor + 1 ))" + pgpKeyVersion="${version%-rc}" + pgp='[]' + if [ "$pgpKeyVersion" != "$version" ]; then + # the "testing" repository (used for RCs) has a dedicated PGP key (but still needs the "release" key for the release line) + pgp="$(jq -c --argjson pgp "$pgp" '$pgp + [ .dev // error("missing PGP key for dev") ]' pgp-keys.json)" fi - gpgKeys="$(grep "^$gpgKeyVersion:" gpg-keys.txt | cut -d: -f2)" - if [[ "$version" == *-rc ]]; then - # the "testing" repository (used for RCs) has a dedicated GPG key - gpgKeys+=" $(grep -E '^dev:' gpg-keys.txt | cut -d: -f2 | xargs)" + minor="${pgpKeyVersion#*.}" # "4.3" -> "3" + if [ "$(( minor % 2 ))" = 1 ]; then + pgpKeyVersion="${version%.*}.$(( minor + 1 ))" fi - - [ -n "$gpgKeys" ] - export gpgKeys + export pgpKeyVersion + pgp="$(jq -c --argjson pgp "$pgp" '$pgp + [ .[env.pgpKeyVersion] // error("missing PGP key for \(env.pgpKeyVersion)") ]' pgp-keys.json)" json="$( { jq <<<"$json" -c . - _jq '{ (env.version): ( + _jq --argjson pgp "$pgp" '{ (env.version): ( with_entries(select(.key as $key | [ # interesting bits of raw upstream metadata "changes", @@ -136,7 +139,7 @@ for version in "${versions[@]}"; do null # ... trailing comma hack ] | index($key))) + { - gpg: (env.gpgKeys | split(" ") | sort), + pgp: $pgp, targets: ( reduce ( .downloads[]
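Review bot: The new `allVersions` expression synthesizes a `-rc` sibling for every release line, but no comment says why; the existing comment above it only describes the conversion to a shell list. A short comment next to the `map(...)` would help, for example `# always consider "X.Y-rc" too, even when upstream currently lists no RC for X.Y`, reworded to match the real intent. How the loop treats a synthesized version that has no `versionMeta` entry is outside this hunk, so that path is worth confirming.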
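Review bot: The two `// error(...)` lookups in the `pgp=` assignments check only that an entry exists in `pgp-keys.json`, not that its `fingerprints` list is non-empty. An entry with `"fingerprints": []` would pass, and the Dockerfile template would then render `gpg --batch --export --armor` with no key arguments, which exports every key imported from the URL, so the pin silently disappears. Filtering before the fallback closes this, e.g. `(.[env.pgpKeyVersion] | select(.fingerprints | length > 0)) // error("missing PGP key for \(env.pgpKeyVersion)")`, with the same guard on `.dev`. The enclosing `for` loop starts and ends outside this hunk.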