
Commit e518026

committed
Use gpg verification to more securely install llvm
1 parent 37c69e2 commit e518026


2 files changed

+16
-8
lines changed


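--- a/8.10/buster/Dockerfile
+++ b/8.10/buster/Dockerfile
@@ -64,15 +64,19 @@ RUN set -eux; \
 
 # GHC 8.10 requires LLVM version 9 - 12 on aarch64
 ARG LLVM_VERSION=12
+ARG LLVM_KEY=6084F3CF814B57C1CF12EFD515CF4D18AF4F7421
 
 RUN set -eux; \
 if [ "$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" = "aarch64" ]; then \
-# adapted from https://apt.llvm.org/llvm.sh
-curl -sSL https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -; \
-echo "deb http://apt.llvm.org/buster/ llvm-toolchain-buster-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list; \
+GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
+mkdir -p /usr/local/share/keyrings/; \
+gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$LLVM_KEY"; \
+gpg --batch --armor --export "$LLVM_KEY" > /usr/local/share/keyrings/apt.llvm.org.gpg.asc; \
+echo "deb [ signed-by=/usr/local/share/keyrings/apt.llvm.org.gpg.asc ] http://apt.llvm.org/buster/ llvm-toolchain-buster-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list; \
 apt-get update; \
 apt-get install -y --no-install-recommends llvm-$LLVM_VERSION; \
-rm -rf /var/lib/apt/lists/*; \
+gpgconf --kill all; \
+rm -rf "$GNUPGHOME" /var/lib/apt/lists/*; \
 fi
 
 ARG GHC=8.10.7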
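--- a/9.0/buster/Dockerfile
+++ b/9.0/buster/Dockerfile
@@ -64,15 +64,19 @@ RUN set -eux; \
 
 # GHC 9.0 requires LLVM version 9 - 12 on aarch64
 ARG LLVM_VERSION=12
+ARG LLVM_KEY=6084F3CF814B57C1CF12EFD515CF4D18AF4F7421
 
 RUN set -eux; \
 if [ "$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" = "aarch64" ]; then \
-# adapted from https://apt.llvm.org/llvm.sh
-curl -sSL https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -; \
-echo "deb http://apt.llvm.org/buster/ llvm-toolchain-buster-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list; \
+GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
+mkdir -p /usr/local/share/keyrings/; \
+gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$LLVM_KEY"; \
+gpg --batch --armor --export "$LLVM_KEY" > /usr/local/share/keyrings/apt.llvm.org.gpg.asc; \
+echo "deb [ signed-by=/usr/local/share/keyrings/apt.llvm.org.gpg.asc ] http://apt.llvm.org/buster/ llvm-toolchain-buster-$LLVM_VERSION main" > /etc/apt/sources.list.d/llvm.list; \
 apt-get update; \
 apt-get install -y --no-install-recommends llvm-$LLVM_VERSION; \
-rm -rf /var/lib/apt/lists/*; \
+gpgconf --kill all; \
+rm -rf "$GNUPGHOME" /var/lib/apt/lists/*; \
 fi
 
 ARG GHC=9.0.2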