-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathDockerfile.archlinux
50 lines (43 loc) · 1.91 KB
/
Dockerfile.archlinux
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
ARG PACKAGES="gcc neofetch"
# PKG_CACHE defaults to the "pkg-cache-local" stage in this image.
# Can be overridden to a custom image for reproducible builds.
ARG PKG_CACHE=pkg-cache-local
ARG BASE=archlinux:base-20230910.0.177821
FROM ${BASE} AS base
FROM base AS pkg-cache-local-base
ARG PACKAGES
RUN pacman -S --noconfirm --refresh --downloadonly ${PACKAGES}
FROM scratch AS pkg-cache-local
COPY --from=pkg-cache-local-base /var/cache/pacman /var/cache/pacman
COPY --from=pkg-cache-local-base /var/lib/pacman/sync /var/lib/pacman/sync
# pkg-cache is the stage to collect package cache files.
# This stage can be pushed for the sake of reproducible builds.
FROM ${PKG_CACHE} AS pkg-cache
FROM base
ADD --chmod=0755 <<-"EOT" /usr/local/bin/verify-var-cache-pacman-pkg.sh
#!/bin/bash
set -eux -o pipefail
for pkg in /var/cache/pacman/pkg/*.tar.zst; do
# Under the hood, `pacman-key` calls the following command:
# gpg --homedir /etc/pacman.d/gnupg/ --no-permission-warning --status-fd 1 --verify ${pkg}.sig ${pkg}
pacman-key --verify "${pkg}.sig"
done
EOT
ARG PACKAGES
RUN \
--mount=from=pkg-cache,source=/var/cache/pacman,target=/var/cache/pacman,rw \
--mount=from=pkg-cache,source=/var/lib/pacman/sync,target=/var/lib/pacman/sync,rw \
--network=none \
verify-var-cache-pacman-pkg.sh && \
pacman -S --noconfirm ${PACKAGES}
# WARNING: while pacman verifies the package signatures using `/var/lib/pacman/sync/*.db`,
# the signature files in `/var/cache/pacman/pkg/*.sig` are apparently ignored
# at the time of writing this (Sep 2023).
#
# This does not seem to cause a critical problem currently, though,
# `/var/cache/pacman/pkg/*.sig` are verified with the `verify-var-cache-pacman-pkg.sh` script
# above to avoid potential security issues with a future version of pacman.
# However, this script might not be robust.
#
# For ArchLinux, consider using https://github.com/reproducible-containers/repro-sources-list.sh
# instead.