Please help verify signature within Dockerfile
Andreas Metzler
ametzler at bebt.de
Sun Feb 2 12:02:19 CET 2025
On 2025-02-02 Josef Wolf <jw at raven.inka.de> wrote:
> Although I got a solution for the initial problem to use gpgv, I am still
> curious why all the other methods fail.
> Any ideas?
See below:
> On Fri, Jan 31, 2025 at 12:15:18AM +0100, Josef Wolf wrote:
> > Hello all,
> >
> > I am trying to verify signature of downloaded files when creating a docker
> > container. This is what I am trying to do within the Dockerfile:
> >
> > RUN gpg -v --status-fd 1 --no-keyring \
> > --trust-model always \
> > --recipient-file /pubkes/release-key.txt \
> > --verify sigfile.asc foo.tar.gz
> >
> > This errors with "gpg: Can't check signature: No public key". Using strace, I
> > can see that gpg won't even try to open /pubkeys/release-key.txt
Looking at the manpage we find:
--recipient-file file
-f This option is similar to --recipient except that it encrypts
to a key stored in the given file. file must be the name
of a file containing exactly one key. gpg assumes that
the key in this file is fully valid.
So this has clearly nothing to do with specifying a keyring to check
against.
> > I also tried to de-armor the pubkey file and pass it as
> >
> > RUN gpg --yes -o release-key.gpg --dearmor release-key.txt
> > RUN gpg -v --status-fd 1 --no-keyring \
> > --trust-model always \
> > --no-keyring --keyring /pubkes/release-key.gpg \
> > --verify sigfile.asc foo.tar.gz
> >
> > with exactly the same result: gpg won't even try to open the keyfile.
--no-keyring
Do not use any keyring at all. This overrides the default and
all options which specify keyrings.
So --no-keyring should take care of ignoring --keyring
/pubkes/release-key.gpg. :-(
> > I also tried to import the pubkey and verify using the default keyring:
> >
> > RUN gpg --import ql/release-key.txt
> > RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp
This should work.
[...]
> > BTW: I create an empty ~/.gnupg directory before the very first gpg
> > invocation to prevent use-keyboxd option to be set.
> > Does it really need to be that hard to verify signature with a given
> > pubkey?
(I would use a temporary directory with --homedir).
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
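As an added example (not code from this thread), a Dockerfile that puts together the two approaches that do work here: gpgv against a de-armored keyring, and full gpg with a throwaway --homedir as Andreas suggests, so no default keyring or keyboxd state is involved. The base image, the file names, and the VALIDSIG status-line check are assumptions.

```dockerfile
# Constructed example: verify a downloaded tarball against a detached
# signature using one pinned public key. File names are assumptions.
FROM debian:bookworm-slim

RUN apt-get update && apt-get install -y --no-install-recommends gnupg gpgv \
    && rm -rf /var/lib/apt/lists/*

# release-key.asc (armored public key), foo.tar.gz and foo.tar.gz.asc
# (detached signature) are assumed to be present in the build context.
COPY release-key.asc foo.tar.gz foo.tar.gz.asc /build/

# Approach 1: gpgv needs a binary keyring, so de-armor the key first.
# gpgv has no trust database: any key in --keyring is treated as trusted,
# and a bad or missing signature makes the RUN step (and the build) fail.
RUN set -eu; cd /build; \
    gpg --batch --yes -o release-key.gpg --dearmor release-key.asc; \
    gpgv --keyring /build/release-key.gpg foo.tar.gz.asc foo.tar.gz

# Approach 2: full gpg in a temporary home directory, import then verify.
# --status-fd 1 prints machine-readable lines; require a VALIDSIG line
# rather than relying only on gpg's exit code.
RUN set -eu; cd /build; \
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --import release-key.asc; \
    gpg --batch --status-fd 1 --trust-model always \
        --verify foo.tar.gz.asc foo.tar.gz \
        | grep -q '^\[GNUPG:\] VALIDSIG '; \
    rm -rf "$GNUPGHOME"
```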