Merge pull request #58 from keybase/david/gpg-v2

GPG Verify Keybase Installer v2
keybase · Sep 11, 2019 · 8c974f5 · 8c974f5
2 parents 44f7145 + 672947f
commit 8c974f5
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 5 deletions.
diff --git a/docker/Dockerfile-ca b/docker/Dockerfile-ca
@@ -2,15 +2,28 @@
 # between this file and Dockerfile-kssh.
 FROM ubuntu:18.04
 
+# Dependencies
 RUN apt-get -qq update
-RUN apt-get -qq  install curl software-properties-common -y
+RUN apt-get -qq  install curl software-properties-common ca-certificates gnupg -y
 RUN useradd -ms /bin/bash keybase
 USER keybase
 WORKDIR /home/keybase
+
+# Download and verify the deb
+# Key fingerprint from https://keybase.io/docs/server_security/our_code_signing_key
 RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb
-USER root
+RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb.sig
+# Import our gpg key from our website. Pulling from key servers caused a flakey build so
+# we get the key from the Keybase website instead.
+RUN curl -sSL https://keybase.io/docs/server_security/code_signing_key.asc | gpg --import
+# This line will error if the fingerprint of the key in the file does not match the
+# known fingerprint of the our PGP key
+RUN gpg --fingerprint 222B85B0F90BE2D24CFEB93F47484E50656D16C7
+# And then verify the signature now that we have the key
+RUN gpg --verify keybase_amd64.deb.sig keybase_amd64.deb
 
 # Silence the error from dpkg about failing to configure keybase since `apt-get install -f` fixes it
+USER root
 RUN dpkg -i keybase_amd64.deb || true
 RUN apt-get install -fy
 USER keybase

diff --git a/integrationTest.sh b/integrationTest.sh
@@ -17,7 +17,6 @@ if [ -z "$CIRCLECI" ]; then
   cd ../
 fi
 
-
 # Ensure we have the correct environment variables
 if [[ -f "tests/env.sh" ]]; then
   echo "env.sh already exists, skipping configuring new accounts..."

diff --git a/tests/Dockerfile-kssh b/tests/Dockerfile-kssh
@@ -2,15 +2,27 @@
 # between this file and Dockerfile-ca.
 FROM ubuntu:18.04
 
+# Dependencies
 RUN apt-get -qq update
-RUN apt-get -qq  install curl software-properties-common -y
+RUN apt-get -qq  install curl software-properties-common ca-certificates gnupg -y
 RUN useradd -ms /bin/bash keybase
 USER keybase
 WORKDIR /home/keybase
+
+# Download and verify the deb
 RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb
-USER root
+RUN curl --remote-name https://prerelease.keybase.io/keybase_amd64.deb.sig
+# Import our gpg key from our website. Pulling from key servers caused a flakey build so
+# we get the key from the Keybase website instead.
+RUN curl -sSL https://keybase.io/docs/server_security/code_signing_key.asc | gpg --import
+# This line will error if the fingerprint of the key in the file does not match the
+# known fingerprint of the our PGP key
+RUN gpg --fingerprint 222B85B0F90BE2D24CFEB93F47484E50656D16C7
+# And then verify the signature now that we have the key
+RUN gpg --verify keybase_amd64.deb.sig keybase_amd64.deb
 
 # Silence the error from dpkg about failing to configure keybase since `apt-get install -f` fixes it
+USER root
 RUN dpkg -i keybase_amd64.deb || true
 RUN apt-get install -fy
 USER keybase
-Original file line number
+Diff line change
@@ Expand Up / @@ -17,7 +17,6 @@ if [ -z "$CIRCLECI" ]; then @@
       cd ../
     fi
     # Ensure we have the correct environment variables
     if [[ -f "tests/env.sh" ]]; then
       echo "env.sh already exists, skipping configuring new accounts..."
@@ Expand Down @@