From a6f7d140744f8b15ff4314b8718b3f022efc7f43 Mon Sep 17 00:00:00 2001
From: Konstantin Pavlov <thresh@nginx.com>
Date: Thu, 20 Jun 2024 17:49:20 -0700
Subject: [PATCH] Updated GPG keys used to sign packages

Prebuilt binaries from nginx.org are to be signed with different keys
moving forward.  This change introduces two new 4096-bit RSA keys (aptly
named "signing key 2" and "signing key 3") that will be used for that
process.

The keys can be fetched from nginx.org, too:

$ curl -s https://nginx.org/keys/nginx_signing.key | gpg --show-keys -
pub   rsa4096 2024-05-29 [SC]
      8540A6F18833A80E9C1653A42FD21310B49F6B46
uid                      nginx signing key <signing-key-2@nginx.com>

pub   rsa2048 2011-08-19 [SC] [expires: 2027-05-24]
      573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
uid                      nginx signing key <signing-key@nginx.com>

pub   rsa4096 2024-05-29 [SC]
      9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3
uid                      nginx signing key <signing-key-3@nginx.com>

As a nice side-effect, this allows us to re-fetch the older 2048-bit RSA
key.  It expired on Jun 14 2024, but was extended to be valid for
another three years) still used to sign current packages.  Unfortunately
the key with the extended validity period was uploaded to the keyservers
a bit too late to be picked up by current image builds, resulting in
somewhat unexpected breakages for downstream images.
---
 Dockerfile-debian.template | 6 ++++--
 mainline/debian/Dockerfile | 6 ++++--
 stable/debian/Dockerfile   | 6 ++++--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index 4fe841a..cccf6ea 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -14,10 +14,11 @@ RUN set -x \
     && apt-get update \
     && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
     && \
-    NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+    NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
     NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
     export GNUPGHOME="$(mktemp -d)"; \
     found=''; \
+    for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
     for server in \
         hkp://keyserver.ubuntu.com:80 \
         pgp.mit.edu \
@@ -26,7 +27,8 @@ RUN set -x \
         gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
     done; \
     test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
-    gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
+    done; \
+    gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
     rm -rf "$GNUPGHOME"; \
     apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
     && dpkgArch="$(dpkg --print-architecture)" \
diff --git a/mainline/debian/Dockerfile b/mainline/debian/Dockerfile
index 0087d45..1795d6b 100644
--- a/mainline/debian/Dockerfile
+++ b/mainline/debian/Dockerfile
@@ -19,10 +19,11 @@ RUN set -x \
     && apt-get update \
     && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
     && \
-    NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+    NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
     NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
     export GNUPGHOME="$(mktemp -d)"; \
     found=''; \
+    for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
     for server in \
         hkp://keyserver.ubuntu.com:80 \
         pgp.mit.edu \
@@ -31,7 +32,8 @@ RUN set -x \
         gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
     done; \
     test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
-    gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
+    done; \
+    gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
     rm -rf "$GNUPGHOME"; \
     apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
     && dpkgArch="$(dpkg --print-architecture)" \
diff --git a/stable/debian/Dockerfile b/stable/debian/Dockerfile
index 9c782b2..dfdc542 100644
--- a/stable/debian/Dockerfile
+++ b/stable/debian/Dockerfile
@@ -19,10 +19,11 @@ RUN set -x \
     && apt-get update \
     && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
     && \
-    NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+    NGINX_GPGKEYS="573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 8540A6F18833A80E9C1653A42FD21310B49F6B46 9E9BE90EACBCDE69FE9B204CBCDCD8A38D88A2B3"; \
     NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
     export GNUPGHOME="$(mktemp -d)"; \
     found=''; \
+    for NGINX_GPGKEY in $NGINX_GPGKEYS; do \
     for server in \
         hkp://keyserver.ubuntu.com:80 \
         pgp.mit.edu \
@@ -31,7 +32,8 @@ RUN set -x \
         gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
     done; \
     test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
-    gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
+    done; \
+    gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
     rm -rf "$GNUPGHOME"; \
     apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
     && dpkgArch="$(dpkg --print-architecture)" \
-- 
GitLab