Skip to content

Commit 5f8acc1

Browse files
AlistairBAlistairB
authored
Merge pull request #58 from AlistairB/address-feedback
Address feedback from official images people
2 parents f0d12a8 + e518026 commit 5f8acc1

File tree

3 files changed

+28
-11
lines changed

3 files changed

+28
-11
lines changed

8.10/buster/Dockerfile

+12-5
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,8 @@ ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
3131
RUN set -eux; \
3232
cd /tmp; \
3333
ARCH="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)"; \
34-
CABAL_INSTALL_URL="https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-$ARCH-linux-deb10.tar.xz"; \
34+
CABAL_INSTALL_TAR="cabal-install-$CABAL_INSTALL-$ARCH-linux-deb10.tar.xz"; \
35+
CABAL_INSTALL_URL="https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/$CABAL_INSTALL_TAR"; \
3536
CABAL_INSTALL_SHA256SUMS_URL="https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS"; \
3637
# sha256 from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
3738
case "$ARCH" in \
@@ -51,6 +52,8 @@ RUN set -eux; \
5152
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
5253
gpg --batch --keyserver keyserver.ubuntu.com --receive-keys "$CABAL_INSTALL_RELEASE_KEY"; \
5354
gpg --batch --verify SHA256SUMS.sig SHA256SUMS; \
55+
# confirm we are verying SHA256SUMS that matches the release + sha256
56+
grep "$CABAL_INSTALL_SHA256 $CABAL_INSTALL_TAR" SHA256SUMS; \
5457
gpgconf --kill all; \
5558
\
5659
tar -xf cabal-install.tar.gz -C /usr/local/bin; \
@@ -61,15 +64,19 @@ RUN set -eux; \
6164

6265
# GHC 8.10 requires LLVM version 9 - 12 on aarch64
6366
ARG LLVM_VERSION=12
67+
ARG LLVM_KEY=6084F3CF814B57C1CF12EFD515CF4D18AF4F7421
6468

6569
RUN set -eux; \
6670
if [ "$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" = "aarch64" ]; then \
67-
# adapted from https://apt.llvm.org/llvm.sh
68-
curl -sSL https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -; \
69-
echo "deb http://apt.llvm.org/buster/ llvm-toolchain-buster-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list; \
71+
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
72+
mkdir -p /usr/local/share/keyrings/; \
73+
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$LLVM_KEY"; \
74+
gpg --batch --armor --export "$LLVM_KEY" > /usr/local/share/keyrings/apt.llvm.org.gpg.asc; \
75+
echo "deb [ signed-by=/usr/local/share/keyrings/apt.llvm.org.gpg.asc ] http://apt.llvm.org/buster/ llvm-toolchain-buster-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list; \
7076
apt-get update; \
7177
apt-get install -y --no-install-recommends llvm-$LLVM_VERSION; \
72-
rm -rf /var/lib/apt/lists/*; \
78+
gpgconf --kill all; \
79+
rm -rf "$GNUPGHOME" /var/lib/apt/lists/*; \
7380
fi
7481

7582
ARG GHC=8.10.7

9.0/buster/Dockerfile

+12-5
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,8 @@ ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
3131
RUN set -eux; \
3232
cd /tmp; \
3333
ARCH="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)"; \
34-
CABAL_INSTALL_URL="https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-$ARCH-linux-deb10.tar.xz"; \
34+
CABAL_INSTALL_TAR="cabal-install-$CABAL_INSTALL-$ARCH-linux-deb10.tar.xz"; \
35+
CABAL_INSTALL_URL="https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/$CABAL_INSTALL_TAR"; \
3536
CABAL_INSTALL_SHA256SUMS_URL="https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS"; \
3637
# sha256 from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
3738
case "$ARCH" in \
@@ -51,6 +52,8 @@ RUN set -eux; \
5152
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
5253
gpg --batch --keyserver keyserver.ubuntu.com --receive-keys "$CABAL_INSTALL_RELEASE_KEY"; \
5354
gpg --batch --verify SHA256SUMS.sig SHA256SUMS; \
55+
# confirm we are verying SHA256SUMS that matches the release + sha256
56+
grep "$CABAL_INSTALL_SHA256 $CABAL_INSTALL_TAR" SHA256SUMS; \
5457
gpgconf --kill all; \
5558
\
5659
tar -xf cabal-install.tar.gz -C /usr/local/bin; \
@@ -61,15 +64,19 @@ RUN set -eux; \
6164

6265
# GHC 9.0 requires LLVM version 9 - 12 on aarch64
6366
ARG LLVM_VERSION=12
67+
ARG LLVM_KEY=6084F3CF814B57C1CF12EFD515CF4D18AF4F7421
6468

6569
RUN set -eux; \
6670
if [ "$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" = "aarch64" ]; then \
67-
# adapted from https://apt.llvm.org/llvm.sh
68-
curl -sSL https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -; \
69-
echo "deb http://apt.llvm.org/buster/ llvm-toolchain-buster-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list; \
71+
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
72+
mkdir -p /usr/local/share/keyrings/; \
73+
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$LLVM_KEY"; \
74+
gpg --batch --armor --export "$LLVM_KEY" > /usr/local/share/keyrings/apt.llvm.org.gpg.asc; \
75+
echo "deb [ signed-by=/usr/local/share/keyrings/apt.llvm.org.gpg.asc ] http://apt.llvm.org/buster/ llvm-toolchain-buster-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list; \
7076
apt-get update; \
7177
apt-get install -y --no-install-recommends llvm-$LLVM_VERSION; \
72-
rm -rf /var/lib/apt/lists/*; \
78+
gpgconf --kill all; \
79+
rm -rf "$GNUPGHOME" /var/lib/apt/lists/*; \
7380
fi
7481

7582
ARG GHC=9.0.2

9.2/buster/Dockerfile

+4-1
Original file line numberDiff line numberDiff line change
@@ -31,7 +31,8 @@ ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
3131
RUN set -eux; \
3232
cd /tmp; \
3333
ARCH="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)"; \
34-
CABAL_INSTALL_URL="https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-$ARCH-linux-deb10.tar.xz"; \
34+
CABAL_INSTALL_TAR="cabal-install-$CABAL_INSTALL-$ARCH-linux-deb10.tar.xz"; \
35+
CABAL_INSTALL_URL="https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/$CABAL_INSTALL_TAR"; \
3536
CABAL_INSTALL_SHA256SUMS_URL="https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS"; \
3637
# sha256 from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
3738
case "$ARCH" in \
@@ -51,6 +52,8 @@ RUN set -eux; \
5152
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
5253
gpg --batch --keyserver keyserver.ubuntu.com --receive-keys "$CABAL_INSTALL_RELEASE_KEY"; \
5354
gpg --batch --verify SHA256SUMS.sig SHA256SUMS; \
55+
# confirm we are verying SHA256SUMS that matches the release + sha256
56+
grep "$CABAL_INSTALL_SHA256 $CABAL_INSTALL_TAR" SHA256SUMS; \
5457
gpgconf --kill all; \
5558
\
5659
tar -xf cabal-install.tar.gz -C /usr/local/bin; \

0 commit comments

Comments
 (0)