Please help verify signature within Dockerfile

Todd Zullinger tmz at pobox.com
Fri Jan 31 15:23:30 CET 2025


Josef Wolf wrote:
> On Fri, Jan 31, 2025 at 09:57:24AM +0000, Andrew Gallagher wrote:
>> On 30 Jan 2025, at 23:15, Josef Wolf <jw at raven.inka.de> wrote:
>>> 
>>> I am trying to verify signature of downloaded files when creating a docker
>>> container. This is what I am trying to do within the Dockerfile:
>>
>> Perhaps it would be easier to use gpgv?
>> 
>> https://www.gnupg.org/documentation/manuals/gnupg/gpgv.html
> 
> Thanks for the pointer, Andrew! This works. Just one additional note: gpgv
> doesn't have a --recipient-file switch, so the pubkey needs to be de-armored:
> 
>    RUN gpg --yes -o release-key.gpg --dearmor release-key.txt
>    RUN gpgv --keyring ./release-key.gpg  sigfile.asc foo.tar.gz
>                         
> A --recipient-file (or --public-key-asc-file or something) would be a nice
> addition to gpgv

https://dev.gnupg.org/T2290 (Allow gpgv2 to use armored GPG
keys as keyring file with trusted keys) is a similar
wishlist item.

It's quite old, so I don't know that anyone who can fix it
has the time or desire.  But it would make using gpgv nicer.

-- 
Todd
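
The de-armor and gpgv steps quoted above, combined into one build stage, as an added example that is not part of the original thread. It goes one step further than the thread by pinning the key's fingerprint before the key is used as gpgv's keyring. The base image, the `COPY` of the files, the `/tmp/verify` and `/opt` paths and the `RELEASE_KEY_FPR` build argument are assumptions; the file names are the ones used in the thread.

```dockerfile
# Added example, not from the thread. Base image is an assumption.
FROM debian:bookworm-slim

RUN apt-get update \
 && apt-get install -y --no-install-recommends gnupg gpgv \
 && rm -rf /var/lib/apt/lists/*

# Assumption: the armored key, detached signature and tarball are in the
# build context. File names match the ones used in the thread.
COPY release-key.txt sigfile.asc foo.tar.gz /tmp/verify/

# Placeholder: the full fingerprint of the release key, obtained out of band.
ARG RELEASE_KEY_FPR=REPLACE_WITH_40_HEX_FINGERPRINT

# One RUN with "set -eu": any failing step aborts the build before the
# tarball is unpacked.
RUN set -eu; \
    cd /tmp/verify; \
    # Throwaway GnuPG home so nothing is left behind in the image.
    export GNUPGHOME="$(mktemp -d)"; \
    # gpgv accepts every key in its keyring, so check that the key file
    # holds the expected key before using it. The first "fpr" record is
    # the primary key's fingerprint.
    actual="$(gpg --show-keys --with-colons release-key.txt \
              | awk -F: '$1 == "fpr" { print $10; exit }')"; \
    [ "$actual" = "$RELEASE_KEY_FPR" ]; \
    # gpgv does not read armored keys (see T2290), so de-armor first.
    gpg --yes -o release-key.gpg --dearmor release-key.txt; \
    # "./" matters: a keyring name without a slash is looked up in the
    # GnuPG home directory instead of the current directory.
    gpgv --keyring ./release-key.gpg sigfile.asc foo.tar.gz; \
    # Only reached when the signature verified.
    mkdir -p /opt/foo; \
    tar -xzf foo.tar.gz -C /opt/foo; \
    rm -rf "$GNUPGHOME" /tmp/verify
```

Build with `--build-arg RELEASE_KEY_FPR=<fingerprint>`; with the placeholder left in place the fingerprint comparison fails and the build stops.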