Please help verify signature within Dockerfile
Josef Wolf
jw at raven.inka.de
Fri Jan 31 00:15:18 CET 2025
Hello all,
I am trying to verify the signature of downloaded files when creating a docker
container. This is what I am trying to do within the Dockerfile:
RUN gpg -v --status-fd 1 --no-keyring \
--trust-model always \
--recipient-file /pubkeys/release-key.txt \
--verify sigfile.asc foo.tar.gz
This errors with "gpg: Can't check signature: No public key". Using strace, I
can see that gpg won't even try to open /pubkeys/release-key.txt.
I also tried to de-armor the pubkey file and pass it as
RUN gpg --yes -o release-key.gpg --dearmor release-key.txt
RUN gpg -v --status-fd 1 --no-keyring \
--trust-model always \
--no-keyring --keyring /pubkeys/release-key.gpg \
--verify sigfile.asc foo.tar.gz
with exactly the same result: gpg won't even try to open the keyfile.
I also tried to import the pubkey and verify using the default keyring:
RUN gpg --import ql/release-key.txt
RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp
but this one tries to start and connect to gpg-agent, which fails:
[1/2] STEP 17/21: RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp
gpg: Signature made Wed Jan 28 21:13:26 2015 UTC
gpg: using RSA key 307965AB028B5FF7
gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
gpg: Note: database_open 134217901 waiting for lock (held by 3) ...
gpg: keydb_search failed: Operation timed out
gpg: Can't check signature: No public key
Error: building at STEP "RUN gpg --verify --trust-model always ql/quicklisp.lisp.asc ql/quicklisp.lisp": while running runtime: exit status 2
BTW: I create an empty ~/.gnupg directory before the very first gpg invocation
to prevent the use-keyboxd option from being set.
Does it really need to be that hard to verify a signature with a given pubkey?
Any help?
--
Josef Wolf
jw at raven.inka.de
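The following is an added example, not part of the original post and not taken from GnuPG's documentation. It shows the pattern a build step needs for the verification the post asks about: import the pinned public key into a throwaway GNUPGHOME (so no host ~/.gnupg, lock file or long-lived gpg-agent is involved), run `--verify --status-fd 1`, accept only a `VALIDSIG` line that carries the fingerprint you intend to pin, and stop the agent that gpg started before removing the temporary directory. It also shows why the first two attempts in the post cannot work: `--no-keyring` disables every keyring, including one named with `--keyring`, and `--recipient-file` only names keys for encryption, so neither gives `--verify` a key to check against. The example assumes GnuPG 2.1 or later on PATH (it needs `--quick-generate-key` and `--pinentry-mode loopback` to build a constructed signer key for the round trip); the key, file and signature it creates are constructed on the fly, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): pin one release public key and
# verify a detached signature non-interactively, as a Dockerfile RUN step must.
set -eu

# verify_with_key <pubkey.asc> <sigfile.asc> <file> <expected-fingerprint>
# Exit status 0 only if gpg reports VALIDSIG for the expected fingerprint.
verify_with_key() {
    pubkey=$1; sig=$2; file=$3; want_fpr=$4
    home=$(mktemp -d)          # isolated keyring + agent socket for this check
    chmod 700 "$home"
    status=1
    # --batch/--no-tty: never prompt. --status-fd 1: machine-readable result on
    # stdout. The import gives --verify a key; nothing else is in this home.
    if out=$(GNUPGHOME="$home" gpg --batch --no-tty --status-fd 1 \
                 --import "$pubkey" 2>/dev/null \
             && GNUPGHOME="$home" gpg --batch --no-tty --status-fd 1 \
                 --verify "$sig" "$file" 2>/dev/null); then
        # A "Good signature" from *some* key in the keyring is not enough:
        # require VALIDSIG whose signing-key or primary-key fingerprint is the
        # one we pinned (fields 3 and last of the status line).
        if printf '%s\n' "$out" | awk -v want="$want_fpr" \
             '$1=="[GNUPG:]" && $2=="VALIDSIG" && ($3==want || $NF==want) {f=1}
              END {exit !f}'; then
            status=0
        fi
    fi
    # --verify may have started a gpg-agent for this home: stop it, then clean
    # up. Leaving it running is what makes a later RUN step hang on the lock.
    GNUPGHOME="$home" gpgconf --kill all 2>/dev/null || true
    rm -rf "$home"
    return $status
}

# demo_roundtrip: build a constructed signer key, sign a constructed payload,
# and confirm that verify_with_key accepts the genuine file and rejects both a
# tampered file and a wrong pinned fingerprint. Returns 0 when all three hold.
demo_roundtrip() {
    work=$(mktemp -d); signer="$work/signer-home"
    mkdir -p "$signer"; chmod 700 "$signer"
    printf 'constructed release payload\n' > "$work/foo.tar.gz"   # constructed file
    GNUPGHOME="$signer" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example Release Key <release@example.invalid>' \
        default default never 2>/dev/null
    # First "fpr" record of --with-colons output is the primary key fingerprint.
    fpr=$(GNUPGHOME="$signer" gpg --batch --with-colons --list-keys 2>/dev/null \
          | awk -F: '$1=="fpr" {print $10; exit}')
    GNUPGHOME="$signer" gpg --batch --armor --export > "$work/release-key.txt" 2>/dev/null
    GNUPGHOME="$signer" gpg --batch --pinentry-mode loopback --passphrase '' --armor \
        --detach-sign --output "$work/sigfile.asc" "$work/foo.tar.gz" 2>/dev/null
    GNUPGHOME="$signer" gpgconf --kill all 2>/dev/null || true

    rc=0
    # 1. genuine file, pinned key, right fingerprint: accepted
    verify_with_key "$work/release-key.txt" "$work/sigfile.asc" "$work/foo.tar.gz" "$fpr" || rc=1
    # 2. same signature over a wrong pinned fingerprint: rejected even though
    #    the signature itself is good (this is the supply-chain pin)
    if verify_with_key "$work/release-key.txt" "$work/sigfile.asc" "$work/foo.tar.gz" \
         "0000000000000000000000000000000000000000"; then rc=1; fi
    # 3. tampered payload: rejected
    printf 'x' >> "$work/foo.tar.gz"
    if verify_with_key "$work/release-key.txt" "$work/sigfile.asc" "$work/foo.tar.gz" "$fpr"; then rc=1; fi
    rm -rf "$work"
    return $rc
}

# Equivalent single Dockerfile step (assumed paths, same idea):
#   RUN export GNUPGHOME="$(mktemp -d)" \
#    && gpg --batch --import /pubkeys/release-key.txt \
#    && gpg --batch --status-fd 1 --verify sigfile.asc foo.tar.gz | grep "VALIDSIG <PINNED-FPR>" \
#    && gpgconf --kill all && rm -rf "$GNUPGHOME"
```

The fingerprint check is the part worth keeping even if you simplify the rest: `--trust-model always` or a bare exit-status check only tells you that *a* key in the keyring produced the signature, whereas matching `VALIDSIG` against a fingerprint baked into the Dockerfile ties the build to the one release key you reviewed. Keep `gpgconf --kill all` before `rm -rf "$GNUPGHOME"`; otherwise an agent stays attached to a directory that no longer exists and later gpg invocations in the same layer can wait on its lock.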