@@ -14,29 +14,33 @@ RUN set -x \
1414 && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
1515 && \
1616 NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
17+ NGINX_GPGKEY_PATH=/usr/share/keyrings/nginx-archive-keyring.gpg; \
18+ export GNUPGHOME="$(mktemp -d)"; \
1719 found=''; \
1820 for server in \
1921 hkp://keyserver.ubuntu.com:80 \
2022 pgp.mit.edu \
2123 ; do \
2224 echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
23- apt-key adv --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
25+ gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
2426 done; \
2527 test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
28+ gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
29+ rm -rf "$GNUPGHOME"; \
2630 apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
2731 && dpkgArch="$(dpkg --print-architecture)" \
2832 && nginxPackages="%%PACKAGES%%
2933 " \
3034 && case "$dpkgArch" in \
3135 amd64|arm64) \
3236# arches officialy built by upstream
33- echo "deb %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \
37+ echo "deb [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \
3438 && apt-get update \
3539 ;; \
3640 *) \
3741# we're on an architecture upstream doesn't officially build for
3842# let's build binaries from the published source packages
39- echo "deb-src %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \
43+ echo "deb-src [signed-by=$NGINX_GPGKEY_PATH] %%PACKAGEREPO%% %%DEBIAN_VERSION%% nginx" >> /etc/apt/sources.list.d/nginx.list \
4044 \
4145# new directory for storing sources and .deb files
4246 && tempDir="$(mktemp -d)" \
0 commit comments