Please help verify signature within Dockerfile

Josef Wolf jw at raven.inka.de
Sun Feb 2 09:22:37 CET 2025


Although I got a solution for the initial problem, namely to use gpgv, I am still
curious why all the other methods fail.

Any ideas?

On Fri, Jan 31, 2025 at 12:15:18AM +0100, Josef Wolf wrote:
> Hello all,
> 
> I am trying to verify the signature of downloaded files when creating a docker
> container. This is what I am trying to do within the Dockerfile:
> 
>    RUN gpg -v --status-fd 1 --no-keyring \
>       --trust-model always \
>       --recipient-file /pubkes/release-key.txt \
>       --verify sigfile.asc foo.tar.gz
> 
> This errors with "gpg: Can't check signature: No public key". Using strace, I
> can see that gpg won't even try to open /pubkeys/release-key.txt
> 
> I also tried to de-armor the pubkey file and pass it as
> 
>    RUN gpg --yes -o release-key.gpg --dearmor release-key.txt
>    RUN gpg -v --status-fd 1 --no-keyring \
>       --trust-model always \
>       --no-keyring --keyring /pubkes/release-key.gpg \
>       --verify sigfile.asc foo.tar.gz
> 
> with exactly the same result: gpg won't even try to open the keyfile.
> 
> I also tried to import the pubkey and verify using the default keyring:
> 
>    RUN gpg --import ql/release-key.txt
>    RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp
> 
> but this one tries to start and connect to gpg-agent, which fails:
> 
>    [1/2] STEP 17/21: RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp
>    gpg: Signature made Wed Jan 28 21:13:26 2015 UTC
>    gpg:                using RSA key 307965AB028B5FF7
>    gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>    gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>    gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>    gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>    gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
>    gpg: keydb_search failed: Operation timed out
>    gpg: Can't check signature: No public key
>    Error: building at STEP "RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp": while running runtime: exit status 2
> 
> BTW: I create an empty ~/.gnupg directory before the very first gpg invocation
> to prevent use-keyboxd option to be set.
> 
> Does it really need to be that hard to verify a signature with a given pubkey?
> 
> Any help?
> 
> -- 
> Josef Wolf
> jw at raven.inka.de
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> https://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
Josef Wolf
jw at raven.inka.de
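The gpgv route Josef mentions as his working solution, as an added example that is not code from the thread, from Josef, or from the GnuPG project. It assumes gpg and gpgv (GnuPG 2.x) are on PATH; the signing key, payload, signature and public-key file are all constructed inside the script and stand in for release-key.txt, foo.tar.gz and sigfile.asc. The security point it shows: gpgv needs no ~/.gnupg, no gpg-agent and no --trust-model, because it treats every key in the keyring passed with --keyring as fully trusted; that is exactly why the keyring must contain only the release key and nothing else. The keyring must be binary (gpg --dearmor) and the path must contain a slash, otherwise gpgv looks for the file inside the GnuPG home directory.

```shell
#!/bin/sh
# Added example, not code from the thread: verify a detached signature with gpgv
# against one supplied public key, the way a Dockerfile RUN step would.
# Assumes gpg and gpgv (GnuPG 2.x) are on PATH; everything else is constructed here.
set -eu

# verify_detached KEYRING SIGFILE DATAFILE
# Equivalent of the Dockerfile step
#   RUN gpgv --keyring /pubkeys/release-key.gpg sigfile.asc foo.tar.gz
# Every key in KEYRING is trusted unconditionally, so KEYRING must hold only the
# release key. Returns 0 on a good signature, non-zero otherwise.
verify_detached() {
    gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1
}

# demo: build a throwaway signing key, sign a constructed payload, then run the
# verifier-side steps (dearmor the public key, gpgv the file) on the intact
# payload and on a tampered copy. Prints "ok" when the intact file verifies and
# the tampered one is rejected, "fail" otherwise, "skipped" if GnuPG is missing.
demo() (
    command -v gpg >/dev/null 2>&1 && command -v gpgv >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d)
    export GNUPGHOME="$work/home"
    mkdir -m 700 "$GNUPGHOME"

    # Signer side (stands in for the upstream project). Unprotected key, so batch
    # mode needs no pinentry. Names and e-mail are constructed, not real.
    gpg --batch --quiet --gen-key >/dev/null 2>&1 <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Constructed Release Key
Name-Email: release@example.invalid
Expire-Date: 0
%commit
EOF
    printf 'constructed payload standing in for foo.tar.gz\n' > "$work/foo.tar.gz"
    gpg --batch --yes --armor --detach-sign -o "$work/sigfile.asc" "$work/foo.tar.gz" 2>/dev/null
    gpg --batch --yes --armor --export release@example.invalid > "$work/release-key.txt"

    # Verifier side. Equivalent of the Dockerfile step
    #   RUN gpg --batch --yes --dearmor -o /pubkeys/release-key.gpg /pubkeys/release-key.txt
    # gpgv wants a binary keyring; the armored release-key.txt will not do.
    gpg --batch --yes --dearmor -o "$work/release-key.gpg" "$work/release-key.txt" 2>/dev/null

    good=0; bad=0
    verify_detached "$work/release-key.gpg" "$work/sigfile.asc" "$work/foo.tar.gz" && good=1

    # A single appended byte must make the same signature fail.
    cp "$work/foo.tar.gz" "$work/tampered.tar.gz"
    printf 'x' >> "$work/tampered.tar.gz"
    verify_detached "$work/release-key.gpg" "$work/sigfile.asc" "$work/tampered.tar.gz" || bad=1

    # The agent was only needed for signing; gpgv itself never started one.
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    if [ "$good" = 1 ] && [ "$bad" = 1 ]; then echo ok; else echo fail; fi
)

if [ "${1:-}" = "--run" ]; then demo; fi
```

Run it as `sh verify_demo.sh --run`; it prints `ok`. In a real Dockerfile only the two verifier-side commands are needed, with release-key.txt copied into the image from a trusted source rather than downloaded alongside the artifact, since a key fetched from the same place as the tarball proves nothing.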