From 2ae4198e995df65eb97f6e707f84987b65fb6c66 Mon Sep 17 00:00:00 2001 From: Nikolai Prokoschenko Date: Mon, 3 Jun 2024 10:59:07 +0200 Subject: [PATCH] Address comments on the "rootless CA certs" patch Address the following problems with #538: 1. Correct the shell selection for entrypoint, Ubuntu flavours still need explicit `bash` for variables with dots in their names 2. Change unhelpful exported variable name (changed from `CACERT` to `JRE_CACERTS_PATH`) 3. Change `which` to more-POSIX-compatible `command -v` 4. More cleanup 5. Explicitely use `TMPDIR` when available instead of hard-coded `/tmp` --- .../tests/java-ca-certificates-update/run.sh | 2 +- 11/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 11/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 11/jdk/ubuntu/focal/Dockerfile | 2 +- 11/jdk/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 11/jdk/ubuntu/jammy/Dockerfile | 2 +- 11/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 11/jdk/ubuntu/noble/Dockerfile | 2 +- 11/jdk/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- 11/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 11/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 11/jre/ubuntu/focal/Dockerfile | 2 +- 11/jre/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 11/jre/ubuntu/jammy/Dockerfile | 2 +- 11/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 11/jre/ubuntu/noble/Dockerfile | 2 +- 11/jre/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- 17/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 17/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 17/jdk/ubuntu/focal/Dockerfile | 2 +- 17/jdk/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 17/jdk/ubuntu/jammy/Dockerfile | 2 +- 17/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 17/jdk/ubuntu/noble/Dockerfile | 2 +- 17/jdk/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- 17/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 17/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 17/jre/ubuntu/focal/Dockerfile | 2 +- 17/jre/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 17/jre/ubuntu/jammy/Dockerfile | 2 +- 17/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 17/jre/ubuntu/noble/Dockerfile | 2 +- 17/jre/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- 21/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 21/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 21/jdk/ubuntu/jammy/Dockerfile | 2 +- 21/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 21/jdk/ubuntu/noble/Dockerfile | 2 +- 21/jdk/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- 21/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 21/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 21/jre/ubuntu/jammy/Dockerfile | 2 +- 21/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 21/jre/ubuntu/noble/Dockerfile | 2 +- 21/jre/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- 22/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 22/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 22/jdk/ubuntu/jammy/Dockerfile | 2 +- 22/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 22/jdk/ubuntu/noble/Dockerfile | 2 +- 22/jdk/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- 22/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 22/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 22/jre/ubuntu/jammy/Dockerfile | 2 +- 22/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 22/jre/ubuntu/noble/Dockerfile | 2 +- 22/jre/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- 8/jdk/alpine/entrypoint.sh | 39 +++++++++++-------- 8/jdk/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 8/jdk/ubuntu/focal/Dockerfile | 2 +- 8/jdk/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 8/jdk/ubuntu/jammy/Dockerfile | 2 +- 8/jdk/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 8/jdk/ubuntu/noble/Dockerfile | 2 +- 8/jdk/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- 8/jre/alpine/entrypoint.sh | 39 +++++++++++-------- 8/jre/ubi/ubi9-minimal/entrypoint.sh | 39 +++++++++++-------- 8/jre/ubuntu/focal/Dockerfile | 2 +- 8/jre/ubuntu/focal/entrypoint.sh | 39 +++++++++++-------- 8/jre/ubuntu/jammy/Dockerfile | 2 +- 8/jre/ubuntu/jammy/entrypoint.sh | 39 +++++++++++-------- 8/jre/ubuntu/noble/Dockerfile | 2 +- 8/jre/ubuntu/noble/entrypoint.sh | 39 +++++++++++-------- config/hotspot.yml | 9 +++++ docker_templates/entrypoint.sh | 39 +++++++++++-------- docker_templates/ubuntu.Dockerfile.j2 | 4 +- generate_dockerfiles.py | 2 + 77 files changed, 1121 insertions(+), 781 deletions(-) mode change 100755 => 100644 docker_templates/entrypoint.sh diff --git a/.test/tests/java-ca-certificates-update/run.sh b/.test/tests/java-ca-certificates-update/run.sh index 7c883fa19..3ad348b53 100755 --- a/.test/tests/java-ca-certificates-update/run.sh +++ b/.test/tests/java-ca-certificates-update/run.sh @@ -10,7 +10,7 @@ CMD1=date # CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore. Entrypoint export $CACERT to # point to the Java keystore. -CMD2=(sh -c "keytool -list -keystore \$CACERT -storepass changeit -alias dockerbuilder") +CMD2=(sh -c "keytool -list -keystore \"\$JRE_CACERTS_PATH\" -storepass changeit -alias dockerbuilder") # For a custom entrypoint test, we need to create a new image. This image will get cleaned up at the end of the script # by the `finish` trap function. diff --git a/11/jdk/alpine/entrypoint.sh b/11/jdk/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jdk/alpine/entrypoint.sh +++ b/11/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubi/ubi9-minimal/entrypoint.sh b/11/jdk/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/11/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubuntu/focal/Dockerfile b/11/jdk/ubuntu/focal/Dockerfile index cca09e3d6..fb5ebb5ea 100644 --- a/11/jdk/ubuntu/focal/Dockerfile +++ b/11/jdk/ubuntu/focal/Dockerfile @@ -92,6 +92,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubuntu/focal/entrypoint.sh b/11/jdk/ubuntu/focal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jdk/ubuntu/focal/entrypoint.sh +++ b/11/jdk/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubuntu/jammy/Dockerfile b/11/jdk/ubuntu/jammy/Dockerfile index 9e296be55..747f6685b 100644 --- a/11/jdk/ubuntu/jammy/Dockerfile +++ b/11/jdk/ubuntu/jammy/Dockerfile @@ -92,6 +92,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubuntu/jammy/entrypoint.sh b/11/jdk/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jdk/ubuntu/jammy/entrypoint.sh +++ b/11/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubuntu/noble/Dockerfile b/11/jdk/ubuntu/noble/Dockerfile index 01c62482c..1c40bacb0 100644 --- a/11/jdk/ubuntu/noble/Dockerfile +++ b/11/jdk/ubuntu/noble/Dockerfile @@ -92,6 +92,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubuntu/noble/entrypoint.sh b/11/jdk/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jdk/ubuntu/noble/entrypoint.sh +++ b/11/jdk/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/alpine/entrypoint.sh b/11/jre/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jre/alpine/entrypoint.sh +++ b/11/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubi/ubi9-minimal/entrypoint.sh b/11/jre/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/11/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubuntu/focal/Dockerfile b/11/jre/ubuntu/focal/Dockerfile index 8d73f08ae..620993b2e 100644 --- a/11/jre/ubuntu/focal/Dockerfile +++ b/11/jre/ubuntu/focal/Dockerfile @@ -90,4 +90,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/11/jre/ubuntu/focal/entrypoint.sh b/11/jre/ubuntu/focal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jre/ubuntu/focal/entrypoint.sh +++ b/11/jre/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubuntu/jammy/Dockerfile b/11/jre/ubuntu/jammy/Dockerfile index c4d98d180..d68fe5623 100644 --- a/11/jre/ubuntu/jammy/Dockerfile +++ b/11/jre/ubuntu/jammy/Dockerfile @@ -90,4 +90,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/11/jre/ubuntu/jammy/entrypoint.sh b/11/jre/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jre/ubuntu/jammy/entrypoint.sh +++ b/11/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubuntu/noble/Dockerfile b/11/jre/ubuntu/noble/Dockerfile index 7dc7f8945..5e423677f 100644 --- a/11/jre/ubuntu/noble/Dockerfile +++ b/11/jre/ubuntu/noble/Dockerfile @@ -90,4 +90,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/11/jre/ubuntu/noble/entrypoint.sh b/11/jre/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/11/jre/ubuntu/noble/entrypoint.sh +++ b/11/jre/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/alpine/entrypoint.sh b/17/jdk/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jdk/alpine/entrypoint.sh +++ b/17/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubi/ubi9-minimal/entrypoint.sh b/17/jdk/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/17/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubuntu/focal/Dockerfile b/17/jdk/ubuntu/focal/Dockerfile index 9f34b7052..669e7130a 100644 --- a/17/jdk/ubuntu/focal/Dockerfile +++ b/17/jdk/ubuntu/focal/Dockerfile @@ -103,6 +103,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubuntu/focal/entrypoint.sh b/17/jdk/ubuntu/focal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jdk/ubuntu/focal/entrypoint.sh +++ b/17/jdk/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubuntu/jammy/Dockerfile b/17/jdk/ubuntu/jammy/Dockerfile index da35fe594..9cdf27770 100644 --- a/17/jdk/ubuntu/jammy/Dockerfile +++ b/17/jdk/ubuntu/jammy/Dockerfile @@ -103,6 +103,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubuntu/jammy/entrypoint.sh b/17/jdk/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jdk/ubuntu/jammy/entrypoint.sh +++ b/17/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubuntu/noble/Dockerfile b/17/jdk/ubuntu/noble/Dockerfile index 7c87f71e8..ca0f958f3 100644 --- a/17/jdk/ubuntu/noble/Dockerfile +++ b/17/jdk/ubuntu/noble/Dockerfile @@ -103,6 +103,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubuntu/noble/entrypoint.sh b/17/jdk/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jdk/ubuntu/noble/entrypoint.sh +++ b/17/jdk/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/alpine/entrypoint.sh b/17/jre/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jre/alpine/entrypoint.sh +++ b/17/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubi/ubi9-minimal/entrypoint.sh b/17/jre/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/17/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubuntu/focal/Dockerfile b/17/jre/ubuntu/focal/Dockerfile index d67ab6daf..40c4b1b2a 100644 --- a/17/jre/ubuntu/focal/Dockerfile +++ b/17/jre/ubuntu/focal/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/17/jre/ubuntu/focal/entrypoint.sh b/17/jre/ubuntu/focal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jre/ubuntu/focal/entrypoint.sh +++ b/17/jre/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubuntu/jammy/Dockerfile b/17/jre/ubuntu/jammy/Dockerfile index 28a69e0b3..0411cbcdd 100644 --- a/17/jre/ubuntu/jammy/Dockerfile +++ b/17/jre/ubuntu/jammy/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/17/jre/ubuntu/jammy/entrypoint.sh b/17/jre/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jre/ubuntu/jammy/entrypoint.sh +++ b/17/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubuntu/noble/Dockerfile b/17/jre/ubuntu/noble/Dockerfile index fcf0b06d7..7e32e9ba1 100644 --- a/17/jre/ubuntu/noble/Dockerfile +++ b/17/jre/ubuntu/noble/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/17/jre/ubuntu/noble/entrypoint.sh b/17/jre/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/17/jre/ubuntu/noble/entrypoint.sh +++ b/17/jre/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/alpine/entrypoint.sh b/21/jdk/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/21/jdk/alpine/entrypoint.sh +++ b/21/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/ubi/ubi9-minimal/entrypoint.sh b/21/jdk/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/21/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/21/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/ubuntu/jammy/Dockerfile b/21/jdk/ubuntu/jammy/Dockerfile index e10c3ab6d..17732f4a6 100644 --- a/21/jdk/ubuntu/jammy/Dockerfile +++ b/21/jdk/ubuntu/jammy/Dockerfile @@ -99,6 +99,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/21/jdk/ubuntu/jammy/entrypoint.sh b/21/jdk/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/21/jdk/ubuntu/jammy/entrypoint.sh +++ b/21/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/ubuntu/noble/Dockerfile b/21/jdk/ubuntu/noble/Dockerfile index b0ff0b199..bc43e034a 100644 --- a/21/jdk/ubuntu/noble/Dockerfile +++ b/21/jdk/ubuntu/noble/Dockerfile @@ -99,6 +99,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/21/jdk/ubuntu/noble/entrypoint.sh b/21/jdk/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/21/jdk/ubuntu/noble/entrypoint.sh +++ b/21/jdk/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/alpine/entrypoint.sh b/21/jre/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/21/jre/alpine/entrypoint.sh +++ b/21/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/ubi/ubi9-minimal/entrypoint.sh b/21/jre/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/21/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/21/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/ubuntu/jammy/Dockerfile b/21/jre/ubuntu/jammy/Dockerfile index a2cef09a1..c4e1bfff0 100644 --- a/21/jre/ubuntu/jammy/Dockerfile +++ b/21/jre/ubuntu/jammy/Dockerfile @@ -94,4 +94,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/21/jre/ubuntu/jammy/entrypoint.sh b/21/jre/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/21/jre/ubuntu/jammy/entrypoint.sh +++ b/21/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/ubuntu/noble/Dockerfile b/21/jre/ubuntu/noble/Dockerfile index edbd1c4f5..bcdb398e6 100644 --- a/21/jre/ubuntu/noble/Dockerfile +++ b/21/jre/ubuntu/noble/Dockerfile @@ -94,4 +94,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/21/jre/ubuntu/noble/entrypoint.sh b/21/jre/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/21/jre/ubuntu/noble/entrypoint.sh +++ b/21/jre/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/alpine/entrypoint.sh b/22/jdk/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/22/jdk/alpine/entrypoint.sh +++ b/22/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/ubi/ubi9-minimal/entrypoint.sh b/22/jdk/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/22/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/22/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/ubuntu/jammy/Dockerfile b/22/jdk/ubuntu/jammy/Dockerfile index aa1063bbc..1c06d36a4 100644 --- a/22/jdk/ubuntu/jammy/Dockerfile +++ b/22/jdk/ubuntu/jammy/Dockerfile @@ -93,6 +93,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/22/jdk/ubuntu/jammy/entrypoint.sh b/22/jdk/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/22/jdk/ubuntu/jammy/entrypoint.sh +++ b/22/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/ubuntu/noble/Dockerfile b/22/jdk/ubuntu/noble/Dockerfile index 5748ecedf..b8ed1e915 100644 --- a/22/jdk/ubuntu/noble/Dockerfile +++ b/22/jdk/ubuntu/noble/Dockerfile @@ -93,6 +93,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/22/jdk/ubuntu/noble/entrypoint.sh b/22/jdk/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/22/jdk/ubuntu/noble/entrypoint.sh +++ b/22/jdk/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/alpine/entrypoint.sh b/22/jre/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/22/jre/alpine/entrypoint.sh +++ b/22/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/ubi/ubi9-minimal/entrypoint.sh b/22/jre/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/22/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/22/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/ubuntu/jammy/Dockerfile b/22/jre/ubuntu/jammy/Dockerfile index 0cbd4896b..ca196f054 100644 --- a/22/jre/ubuntu/jammy/Dockerfile +++ b/22/jre/ubuntu/jammy/Dockerfile @@ -88,4 +88,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/22/jre/ubuntu/jammy/entrypoint.sh b/22/jre/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/22/jre/ubuntu/jammy/entrypoint.sh +++ b/22/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/ubuntu/noble/Dockerfile b/22/jre/ubuntu/noble/Dockerfile index 4d97ec28a..70ce6c17c 100644 --- a/22/jre/ubuntu/noble/Dockerfile +++ b/22/jre/ubuntu/noble/Dockerfile @@ -88,4 +88,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/22/jre/ubuntu/noble/entrypoint.sh b/22/jre/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/22/jre/ubuntu/noble/entrypoint.sh +++ b/22/jre/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/alpine/entrypoint.sh b/8/jdk/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jdk/alpine/entrypoint.sh +++ b/8/jdk/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubi/ubi9-minimal/entrypoint.sh b/8/jdk/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/8/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubuntu/focal/Dockerfile b/8/jdk/ubuntu/focal/Dockerfile index 11429dfc6..3834f2def 100644 --- a/8/jdk/ubuntu/focal/Dockerfile +++ b/8/jdk/ubuntu/focal/Dockerfile @@ -88,4 +88,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jdk/ubuntu/focal/entrypoint.sh b/8/jdk/ubuntu/focal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jdk/ubuntu/focal/entrypoint.sh +++ b/8/jdk/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubuntu/jammy/Dockerfile b/8/jdk/ubuntu/jammy/Dockerfile index 1bb3689f5..371c25e60 100644 --- a/8/jdk/ubuntu/jammy/Dockerfile +++ b/8/jdk/ubuntu/jammy/Dockerfile @@ -88,4 +88,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jdk/ubuntu/jammy/entrypoint.sh b/8/jdk/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jdk/ubuntu/jammy/entrypoint.sh +++ b/8/jdk/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubuntu/noble/Dockerfile b/8/jdk/ubuntu/noble/Dockerfile index 550377a2c..c66692838 100644 --- a/8/jdk/ubuntu/noble/Dockerfile +++ b/8/jdk/ubuntu/noble/Dockerfile @@ -88,4 +88,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jdk/ubuntu/noble/entrypoint.sh b/8/jdk/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jdk/ubuntu/noble/entrypoint.sh +++ b/8/jdk/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/alpine/entrypoint.sh b/8/jre/alpine/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jre/alpine/entrypoint.sh +++ b/8/jre/alpine/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubi/ubi9-minimal/entrypoint.sh b/8/jre/ubi/ubi9-minimal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/8/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubuntu/focal/Dockerfile b/8/jre/ubuntu/focal/Dockerfile index 8cf42fc99..7e6a07fe5 100644 --- a/8/jre/ubuntu/focal/Dockerfile +++ b/8/jre/ubuntu/focal/Dockerfile @@ -87,4 +87,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jre/ubuntu/focal/entrypoint.sh b/8/jre/ubuntu/focal/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jre/ubuntu/focal/entrypoint.sh +++ b/8/jre/ubuntu/focal/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubuntu/jammy/Dockerfile b/8/jre/ubuntu/jammy/Dockerfile index 8b2da54ef..e384a2078 100644 --- a/8/jre/ubuntu/jammy/Dockerfile +++ b/8/jre/ubuntu/jammy/Dockerfile @@ -87,4 +87,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jre/ubuntu/jammy/entrypoint.sh b/8/jre/ubuntu/jammy/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jre/ubuntu/jammy/entrypoint.sh +++ b/8/jre/ubuntu/jammy/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubuntu/noble/Dockerfile b/8/jre/ubuntu/noble/Dockerfile index 33ee16ee1..e5ef02a77 100644 --- a/8/jre/ubuntu/noble/Dockerfile +++ b/8/jre/ubuntu/noble/Dockerfile @@ -87,4 +87,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/bin/bash", "/__cacert_entrypoint.sh"] diff --git a/8/jre/ubuntu/noble/entrypoint.sh b/8/jre/ubuntu/noble/entrypoint.sh index 0a5c75c36..a05b287dd 100755 --- a/8/jre/ubuntu/noble/entrypoint.sh +++ b/8/jre/ubuntu/noble/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/config/hotspot.yml b/config/hotspot.yml index cea1224fb..8b47bc518 100644 --- a/config/hotspot.yml +++ b/config/hotspot.yml @@ -21,18 +21,27 @@ configurations: - directory: ubuntu/noble image: ubuntu:24.04 architectures: [aarch64, arm, ppc64le, s390x, x64] + # `bash` is required for Ubuntu-based images to correctly resolve + # environment variables.with.dots.in.them. + shebang: /bin/bash os: ubuntu - directory: ubuntu/jammy image: ubuntu:22.04 architectures: [aarch64, arm, ppc64le, s390x, x64] deprecated: 23 + # `bash` is required for Ubuntu-based images to correctly resolve + # environment variables.with.dots.in.them. + shebang: /bin/bash os: ubuntu - directory: ubuntu/focal architectures: [aarch64, arm, ppc64le, s390x, x64] image: ubuntu:20.04 deprecated: 20 + # `bash` is required for Ubuntu-based images to correctly resolve + # environment variables.with.dots.in.them. + shebang: /bin/bash os: ubuntu - directory: ubi/ubi9-minimal diff --git a/docker_templates/entrypoint.sh b/docker_templates/entrypoint.sh old mode 100755 new mode 100644 index 0a5c75c36..a05b287dd --- a/docker_templates/entrypoint.sh +++ b/docker_templates/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/docker_templates/ubuntu.Dockerfile.j2 b/docker_templates/ubuntu.Dockerfile.j2 index 05dac147a..a74e892a6 100644 --- a/docker_templates/ubuntu.Dockerfile.j2 +++ b/docker_templates/ubuntu.Dockerfile.j2 @@ -43,5 +43,5 @@ ENV JAVA_VERSION {{ java_version }} {% endif %} {% include 'partials/version-check.j2' %} COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] -{% include 'partials/jshell.j2' %} \ No newline at end of file +ENTRYPOINT ["{{ shebang }}", "/__cacert_entrypoint.sh"] +{% include 'partials/jshell.j2' %} diff --git a/generate_dockerfiles.py b/generate_dockerfiles.py index 3708c3ceb..ab4a3351c 100644 --- a/generate_dockerfiles.py +++ b/generate_dockerfiles.py @@ -74,6 +74,7 @@ def archHelper(arch, os_name): directory = configuration["directory"] architectures = configuration["architectures"] os_name = configuration["os"] + shebang = configuration.get("shebang", "") base_image = configuration["image"] deprecated = configuration.get("deprecated", None) versions = configuration.get( @@ -162,6 +163,7 @@ def archHelper(arch, os_name): arch_data=arch_data, os_family=os_family, os=os_name, + shebang=shebang, ) print("Writing Dockerfile to", output_directory)