Please help verify signature within Dockerfile

Josef Wolf jw at raven.inka.de
Fri Jan 31 11:39:43 CET 2025


On Fri, Jan 31, 2025 at 09:57:24AM +0000, Andrew Gallagher wrote:
> On 30 Jan 2025, at 23:15, Josef Wolf <jw at raven.inka.de> wrote:
> > 
> > I am trying to verify signature of downloaded files when creating a docker
> > container. This is what I am trying to do within the Dockerfile:
>
> Perhaps it would be easier to use gpgv?
> 
> https://www.gnupg.org/documentation/manuals/gnupg/gpgv.html

Thanks for the pointer, Andrew! This works. Just one additional note: gpgv
doesn't have a --recipient-file switch, so the pubkey needs to be de-armored:

   RUN gpg --yes -o release-key.gpg --dearmor release-key.txt
   RUN gpgv --keyring ./release-key.gpg  sigfile.asc foo.tar.gz
                        
A --recipient-file (or --public-key-asc-file or something) would be a nice
addition to gpgv.

Thanks!

-- 
Josef Wolf
jw at raven.inka.de
