fix: always redownload the NGINX GPG signing key in the NGINX OSS Dockerfile (#270)

Author: alessfg

Dockerfile.oss

@@ -1,45 +1,63 @@
 FROM nginx:1.25.5@sha256:a484819eb60211f5299034ac80f6a681b06f89e65866ce91f356ed7c72af059c
 
-ENV NGINX_VERSION   1.25.5
+# NJS env vars
 ENV NJS_VERSION     0.8.4
 ENV NJS_RELEASE     3~bookworm
 
+# Proxy cache env vars
 ENV PROXY_CACHE_MAX_SIZE "10g"
 ENV PROXY_CACHE_INACTIVE "60m"
 ENV PROXY_CACHE_SLICE_SIZE "1m"
 ENV PROXY_CACHE_VALID_OK "1h"
 ENV PROXY_CACHE_VALID_NOTFOUND "1m"
 ENV PROXY_CACHE_VALID_FORBIDDEN "30s"
+
+# CORS env vars
 ENV CORS_ENABLED 0
 ENV CORS_ALLOW_PRIVATE_NETWORK_ACCESS ""
+
+# S3 proxy env vars
 ENV DIRECTORY_LISTING_PATH_PREFIX ""
 ENV STRIP_LEADING_DIRECTORY_PATH ""
 ENV PREFIX_LEADING_DIRECTORY_PATH ""
 
 # We modify the nginx base image by:
-# 1. Adding configuration files needed for proxying private S3 buckets
-# 2. Adding a directory for proxied objects to be stored
-# 3. Replacing the entrypoint script with a modified version that explicitly
-#    sets resolvers.
-# 4. Explicitly install the version of njs coded in the environment variable
-#    above.
+# 1. Explicitly install the version of njs coded in the environment variable above.
+# 2. Adding configuration files needed for proxying private S3 buckets
+# 3. Adding a directory for proxied objects to be stored
+# 4. Replacing the entrypoint script with a modified version that explicitly sets resolvers.
+
+RUN set -x \
+    && apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y gnupg1 ca-certificates \
+    && \
+    NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+    NGINX_GPGKEY_PATH=/etc/apt/keyrings/nginx-archive-keyring.gpg; \
+    export GNUPGHOME="$(mktemp -d)"; \
+    found=''; \
+    for server in \
+        hkp://keyserver.ubuntu.com:80 \
+        pgp.mit.edu \
+    ; do \
+        echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+        gpg1 --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+    done; \
+    test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
+    gpg1 --export "$NGINX_GPGKEY" > "$NGINX_GPGKEY_PATH" ; \
+    rm -rf "$GNUPGHOME"; \
+    apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/*; \
+    echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
+    apt-get update \
+    && apt-get install --no-install-recommends --no-install-suggests -y \
+      libedit2 \
+      nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE} \
+    && apt-get remove --purge --auto-remove -y && rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 
 COPY common/etc /etc
+COPY oss/etc /etc
 COPY common/docker-entrypoint.sh /docker-entrypoint.sh
 COPY common/docker-entrypoint.d /docker-entrypoint.d/
-COPY oss/etc /etc
-
-RUN set -eux \
-    export DEBIAN_FRONTEND=noninteractive; \
-    mkdir -p /var/cache/nginx/s3_proxy; \
-    chown nginx:nginx /var/cache/nginx/s3_proxy; \
-    chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; \
-    echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
-    apt-get update; \
-    apt-get install --no-install-recommends --no-install-suggests --yes \
-      curl \
-      libedit2 \
-      nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE}; \
-    apt-get remove --purge --auto-remove --yes; \
-    rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
 
+RUN mkdir -p /var/cache/nginx/s3_proxy \
+    && chown nginx:nginx /var/cache/nginx/s3_proxy \
+    && chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;