Replace GPG key short id for full fingerprint (#48)

Prevent dead beef attack
pull/54/merge
Jorge Marin 9 years ago committed by Thomas Orozco
parent b4824de6ca
commit df9dbc1055
  1. 4
      README.md
  2. 4
      ci/run_build.sh
  3. 4
      tpl/README.md.in

@ -58,7 +58,7 @@ Arguments for Tini itself should be passed like `-v` in the following example:
### Signed binaries ###
The `tini` and `tini-static` binaries are signed using the key `0527A9B7`.
The `tini` and `tini-static` binaries are signed using the key `595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7`.
You can verify their signatures using `gpg` (which you may install using
your package manager):
@ -66,7 +66,7 @@ your package manager):
ENV TINI_VERSION v0.10.0
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /tini.asc
RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7 \
RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 \
&& gpg --verify /tini.asc

@ -117,11 +117,13 @@ if [[ -n "$GPG_PASSPHRASE" ]] && [[ -f "${SOURCE_DIR}/sign.key" ]]; then
echo "Signing binaries"
GPG_SIGN_HOMEDIR="${BUILD_DIR}/gpg-sign"
GPG_VERIFY_HOMEDIR="${BUILD_DIR}/gpg-verify"
PGP_KEY_FINGERPRINT="595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7"
PGP_KEYSERVER="ha.pool.sks-keyservers.net"
mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
chmod 700 "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}"
gpg --homedir "${GPG_SIGN_HOMEDIR}" --import "${SOURCE_DIR}/sign.key"
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver "$PGP_KEYSERVER" --recv-keys "$PGP_KEY_FINGERPRINT"
for tini in "${DIST_DIR}/tini" "${DIST_DIR}/tini-static"; do
echo "${GPG_PASSPHRASE}" | gpg --homedir "${GPG_SIGN_HOMEDIR}" --passphrase-fd 0 --armor --detach-sign "${tini}"

@ -58,7 +58,7 @@ Arguments for Tini itself should be passed like `-v` in the following example:
### Signed binaries ###
The `tini` and `tini-static` binaries are signed using the key `0527A9B7`.
The `tini` and `tini-static` binaries are signed using the key `595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7`.
You can verify their signatures using `gpg` (which you may install using
your package manager):
@ -66,7 +66,7 @@ your package manager):
ENV TINI_VERSION v@tini_VERSION_MAJOR@.@tini_VERSION_MINOR@.@tini_VERSION_PATCH@
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini /tini
ADD https://github.com/krallin/tini/releases/download/${TINI_VERSION}/tini.asc /tini.asc
RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 0527A9B7 \
RUN gpg --keyserver ha.pool.sks-keyservers.net --recv-keys 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 \
&& gpg --verify /tini.asc

Loading…
Cancel
Save