From 1530b82befdca8d89f53ff0784c897434da62219 Mon Sep 17 00:00:00 2001 From: Nikolai Prokoschenko Date: Mon, 3 Jun 2024 10:59:07 +0200 Subject: [PATCH] Address comments on the "rootless CA certs" patch Address the following problems with #538: 1. Correct the shell selection for entrypoint, Ubuntu flavours still need explicit `bash` for variables with dots in their names 2. Change unhelpful exported variable name (changed from `CACERT` to `JRE_CACERTS_PATH`) 3. Change `which` to more-POSIX-compatible `command -v` 4. More cleanup 5. Explicitely use `TMPDIR` when available instead of hard-coded `/tmp` --- .../tests/java-ca-certificates-update/run.sh | 2 +- 11/jdk/alpine/entrypoint.sh | 33 +++++++++------- 11/jdk/centos/entrypoint.sh | 33 +++++++++------- 11/jdk/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 11/jdk/ubuntu/focal/Dockerfile | 2 +- 11/jdk/ubuntu/focal/entrypoint.sh | 33 +++++++++------- 11/jdk/ubuntu/jammy/Dockerfile | 2 +- 11/jdk/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- 11/jre/alpine/entrypoint.sh | 33 +++++++++------- 11/jre/centos/entrypoint.sh | 33 +++++++++------- 11/jre/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 11/jre/ubuntu/focal/Dockerfile | 2 +- 11/jre/ubuntu/focal/entrypoint.sh | 33 +++++++++------- 11/jre/ubuntu/jammy/Dockerfile | 2 +- 11/jre/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- 17/jdk/alpine/entrypoint.sh | 33 +++++++++------- 17/jdk/centos/entrypoint.sh | 33 +++++++++------- 17/jdk/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 17/jdk/ubuntu/focal/Dockerfile | 2 +- 17/jdk/ubuntu/focal/entrypoint.sh | 33 +++++++++------- 17/jdk/ubuntu/jammy/Dockerfile | 2 +- 17/jdk/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- 17/jre/alpine/entrypoint.sh | 33 +++++++++------- 17/jre/centos/entrypoint.sh | 33 +++++++++------- 17/jre/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 17/jre/ubuntu/focal/Dockerfile | 2 +- 17/jre/ubuntu/focal/entrypoint.sh | 33 +++++++++------- 17/jre/ubuntu/jammy/Dockerfile | 2 +- 17/jre/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- 21/jdk/alpine/entrypoint.sh | 33 +++++++++------- 21/jdk/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 21/jdk/ubuntu/jammy/Dockerfile | 2 +- 21/jdk/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- 21/jre/alpine/entrypoint.sh | 33 +++++++++------- 21/jre/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 21/jre/ubuntu/jammy/Dockerfile | 2 +- 21/jre/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- 22/jdk/alpine/entrypoint.sh | 33 +++++++++------- 22/jdk/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 22/jdk/ubuntu/jammy/Dockerfile | 2 +- 22/jdk/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- 22/jre/alpine/entrypoint.sh | 33 +++++++++------- 22/jre/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 22/jre/ubuntu/jammy/Dockerfile | 2 +- 22/jre/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- 8/jdk/alpine/entrypoint.sh | 33 +++++++++------- 8/jdk/centos/entrypoint.sh | 33 +++++++++------- 8/jdk/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 8/jdk/ubuntu/focal/Dockerfile | 2 +- 8/jdk/ubuntu/focal/entrypoint.sh | 33 +++++++++------- 8/jdk/ubuntu/jammy/Dockerfile | 2 +- 8/jdk/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- 8/jre/alpine/entrypoint.sh | 33 +++++++++------- 8/jre/centos/entrypoint.sh | 33 +++++++++------- 8/jre/ubi/ubi9-minimal/entrypoint.sh | 33 +++++++++------- 8/jre/ubuntu/focal/Dockerfile | 2 +- 8/jre/ubuntu/focal/entrypoint.sh | 33 +++++++++------- 8/jre/ubuntu/jammy/Dockerfile | 2 +- 8/jre/ubuntu/jammy/entrypoint.sh | 33 +++++++++------- config/hotspot.yml | 10 +++++ docker_templates/entrypoint.sh | 39 +++++++++++-------- docker_templates/ubuntu.Dockerfile.j2 | 4 +- generate_dockerfiles.py | 2 + 63 files changed, 852 insertions(+), 623 deletions(-) mode change 100755 => 100644 docker_templates/entrypoint.sh diff --git a/.test/tests/java-ca-certificates-update/run.sh b/.test/tests/java-ca-certificates-update/run.sh index 7c883fa19..54bcef22d 100755 --- a/.test/tests/java-ca-certificates-update/run.sh +++ b/.test/tests/java-ca-certificates-update/run.sh @@ -10,7 +10,7 @@ CMD1=date # CMD2 in each run is to check for the `dockerbuilder` certificate in the Java keystore. Entrypoint export $CACERT to # point to the Java keystore. -CMD2=(sh -c "keytool -list -keystore \$CACERT -storepass changeit -alias dockerbuilder") +CMD2=(sh -c "keytool -list -keystore \$JRE_CACERTS_PATH -storepass changeit -alias dockerbuilder") # For a custom entrypoint test, we need to create a new image. This image will get cleaned up at the end of the script # by the `finish` trap function. diff --git a/11/jdk/alpine/entrypoint.sh b/11/jdk/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jdk/alpine/entrypoint.sh +++ b/11/jdk/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/centos/entrypoint.sh b/11/jdk/centos/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jdk/centos/entrypoint.sh +++ b/11/jdk/centos/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubi/ubi9-minimal/entrypoint.sh b/11/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/11/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubuntu/focal/Dockerfile b/11/jdk/ubuntu/focal/Dockerfile index b4a2286a3..c4f65abc8 100644 --- a/11/jdk/ubuntu/focal/Dockerfile +++ b/11/jdk/ubuntu/focal/Dockerfile @@ -100,6 +100,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubuntu/focal/entrypoint.sh b/11/jdk/ubuntu/focal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jdk/ubuntu/focal/entrypoint.sh +++ b/11/jdk/ubuntu/focal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jdk/ubuntu/jammy/Dockerfile b/11/jdk/ubuntu/jammy/Dockerfile index 8493bffa7..276bfc776 100644 --- a/11/jdk/ubuntu/jammy/Dockerfile +++ b/11/jdk/ubuntu/jammy/Dockerfile @@ -100,6 +100,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/11/jdk/ubuntu/jammy/entrypoint.sh b/11/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jdk/ubuntu/jammy/entrypoint.sh +++ b/11/jdk/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/alpine/entrypoint.sh b/11/jre/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jre/alpine/entrypoint.sh +++ b/11/jre/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/centos/entrypoint.sh b/11/jre/centos/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jre/centos/entrypoint.sh +++ b/11/jre/centos/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubi/ubi9-minimal/entrypoint.sh b/11/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/11/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubuntu/focal/Dockerfile b/11/jre/ubuntu/focal/Dockerfile index 7b72337ac..d1d6da6f8 100644 --- a/11/jre/ubuntu/focal/Dockerfile +++ b/11/jre/ubuntu/focal/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/11/jre/ubuntu/focal/entrypoint.sh b/11/jre/ubuntu/focal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jre/ubuntu/focal/entrypoint.sh +++ b/11/jre/ubuntu/focal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/11/jre/ubuntu/jammy/Dockerfile b/11/jre/ubuntu/jammy/Dockerfile index c9d67d7cb..21120023d 100644 --- a/11/jre/ubuntu/jammy/Dockerfile +++ b/11/jre/ubuntu/jammy/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/11/jre/ubuntu/jammy/entrypoint.sh b/11/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/11/jre/ubuntu/jammy/entrypoint.sh +++ b/11/jre/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/alpine/entrypoint.sh b/17/jdk/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jdk/alpine/entrypoint.sh +++ b/17/jdk/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/centos/entrypoint.sh b/17/jdk/centos/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jdk/centos/entrypoint.sh +++ b/17/jdk/centos/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubi/ubi9-minimal/entrypoint.sh b/17/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/17/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubuntu/focal/Dockerfile b/17/jdk/ubuntu/focal/Dockerfile index c4f9c82bf..b765f3226 100644 --- a/17/jdk/ubuntu/focal/Dockerfile +++ b/17/jdk/ubuntu/focal/Dockerfile @@ -103,6 +103,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubuntu/focal/entrypoint.sh b/17/jdk/ubuntu/focal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jdk/ubuntu/focal/entrypoint.sh +++ b/17/jdk/ubuntu/focal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jdk/ubuntu/jammy/Dockerfile b/17/jdk/ubuntu/jammy/Dockerfile index 18beaa010..8df4ca895 100644 --- a/17/jdk/ubuntu/jammy/Dockerfile +++ b/17/jdk/ubuntu/jammy/Dockerfile @@ -103,6 +103,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/17/jdk/ubuntu/jammy/entrypoint.sh b/17/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jdk/ubuntu/jammy/entrypoint.sh +++ b/17/jdk/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/alpine/entrypoint.sh b/17/jre/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jre/alpine/entrypoint.sh +++ b/17/jre/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/centos/entrypoint.sh b/17/jre/centos/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jre/centos/entrypoint.sh +++ b/17/jre/centos/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubi/ubi9-minimal/entrypoint.sh b/17/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/17/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubuntu/focal/Dockerfile b/17/jre/ubuntu/focal/Dockerfile index 0d050c98b..cf1a776ca 100644 --- a/17/jre/ubuntu/focal/Dockerfile +++ b/17/jre/ubuntu/focal/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/17/jre/ubuntu/focal/entrypoint.sh b/17/jre/ubuntu/focal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jre/ubuntu/focal/entrypoint.sh +++ b/17/jre/ubuntu/focal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/17/jre/ubuntu/jammy/Dockerfile b/17/jre/ubuntu/jammy/Dockerfile index 951147b38..db1b07649 100644 --- a/17/jre/ubuntu/jammy/Dockerfile +++ b/17/jre/ubuntu/jammy/Dockerfile @@ -98,4 +98,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/17/jre/ubuntu/jammy/entrypoint.sh b/17/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/17/jre/ubuntu/jammy/entrypoint.sh +++ b/17/jre/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/alpine/entrypoint.sh b/21/jdk/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/21/jdk/alpine/entrypoint.sh +++ b/21/jdk/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/ubi/ubi9-minimal/entrypoint.sh b/21/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/21/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/21/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jdk/ubuntu/jammy/Dockerfile b/21/jdk/ubuntu/jammy/Dockerfile index fb7d8197d..f3c0b1b90 100644 --- a/21/jdk/ubuntu/jammy/Dockerfile +++ b/21/jdk/ubuntu/jammy/Dockerfile @@ -99,6 +99,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/21/jdk/ubuntu/jammy/entrypoint.sh b/21/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/21/jdk/ubuntu/jammy/entrypoint.sh +++ b/21/jdk/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/alpine/entrypoint.sh b/21/jre/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/21/jre/alpine/entrypoint.sh +++ b/21/jre/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/ubi/ubi9-minimal/entrypoint.sh b/21/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/21/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/21/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/21/jre/ubuntu/jammy/Dockerfile b/21/jre/ubuntu/jammy/Dockerfile index 1a456e5b8..84b6dc386 100644 --- a/21/jre/ubuntu/jammy/Dockerfile +++ b/21/jre/ubuntu/jammy/Dockerfile @@ -94,4 +94,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/21/jre/ubuntu/jammy/entrypoint.sh b/21/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/21/jre/ubuntu/jammy/entrypoint.sh +++ b/21/jre/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/alpine/entrypoint.sh b/22/jdk/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/22/jdk/alpine/entrypoint.sh +++ b/22/jdk/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/ubi/ubi9-minimal/entrypoint.sh b/22/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/22/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/22/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jdk/ubuntu/jammy/Dockerfile b/22/jdk/ubuntu/jammy/Dockerfile index f77d1c3cc..2302648e0 100644 --- a/22/jdk/ubuntu/jammy/Dockerfile +++ b/22/jdk/ubuntu/jammy/Dockerfile @@ -93,6 +93,6 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] CMD ["jshell"] diff --git a/22/jdk/ubuntu/jammy/entrypoint.sh b/22/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/22/jdk/ubuntu/jammy/entrypoint.sh +++ b/22/jdk/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/alpine/entrypoint.sh b/22/jre/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/22/jre/alpine/entrypoint.sh +++ b/22/jre/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/ubi/ubi9-minimal/entrypoint.sh b/22/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/22/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/22/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/22/jre/ubuntu/jammy/Dockerfile b/22/jre/ubuntu/jammy/Dockerfile index 28f2117e9..4f698d124 100644 --- a/22/jre/ubuntu/jammy/Dockerfile +++ b/22/jre/ubuntu/jammy/Dockerfile @@ -88,4 +88,4 @@ RUN set -eux; \ echo "java --version"; java --version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/22/jre/ubuntu/jammy/entrypoint.sh b/22/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/22/jre/ubuntu/jammy/entrypoint.sh +++ b/22/jre/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/alpine/entrypoint.sh b/8/jdk/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jdk/alpine/entrypoint.sh +++ b/8/jdk/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/centos/entrypoint.sh b/8/jdk/centos/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jdk/centos/entrypoint.sh +++ b/8/jdk/centos/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubi/ubi9-minimal/entrypoint.sh b/8/jdk/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jdk/ubi/ubi9-minimal/entrypoint.sh +++ b/8/jdk/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubuntu/focal/Dockerfile b/8/jdk/ubuntu/focal/Dockerfile index f48185f2c..f6af769d9 100644 --- a/8/jdk/ubuntu/focal/Dockerfile +++ b/8/jdk/ubuntu/focal/Dockerfile @@ -96,4 +96,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/8/jdk/ubuntu/focal/entrypoint.sh b/8/jdk/ubuntu/focal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jdk/ubuntu/focal/entrypoint.sh +++ b/8/jdk/ubuntu/focal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jdk/ubuntu/jammy/Dockerfile b/8/jdk/ubuntu/jammy/Dockerfile index 2b4802316..627aa6ab8 100644 --- a/8/jdk/ubuntu/jammy/Dockerfile +++ b/8/jdk/ubuntu/jammy/Dockerfile @@ -96,4 +96,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/8/jdk/ubuntu/jammy/entrypoint.sh b/8/jdk/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jdk/ubuntu/jammy/entrypoint.sh +++ b/8/jdk/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/alpine/entrypoint.sh b/8/jre/alpine/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jre/alpine/entrypoint.sh +++ b/8/jre/alpine/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/centos/entrypoint.sh b/8/jre/centos/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jre/centos/entrypoint.sh +++ b/8/jre/centos/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubi/ubi9-minimal/entrypoint.sh b/8/jre/ubi/ubi9-minimal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jre/ubi/ubi9-minimal/entrypoint.sh +++ b/8/jre/ubi/ubi9-minimal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubuntu/focal/Dockerfile b/8/jre/ubuntu/focal/Dockerfile index 086434ffd..9ece11108 100644 --- a/8/jre/ubuntu/focal/Dockerfile +++ b/8/jre/ubuntu/focal/Dockerfile @@ -95,4 +95,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/8/jre/ubuntu/focal/entrypoint.sh b/8/jre/ubuntu/focal/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jre/ubuntu/focal/entrypoint.sh +++ b/8/jre/ubuntu/focal/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/8/jre/ubuntu/jammy/Dockerfile b/8/jre/ubuntu/jammy/Dockerfile index bde0a5788..f36199f0f 100644 --- a/8/jre/ubuntu/jammy/Dockerfile +++ b/8/jre/ubuntu/jammy/Dockerfile @@ -95,4 +95,4 @@ RUN set -eux; \ echo "java -version"; java -version; \ echo "Complete." COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] +ENTRYPOINT ["/usr/bin/env", "bash", "-c", "/__cacert_entrypoint.sh"] diff --git a/8/jre/ubuntu/jammy/entrypoint.sh b/8/jre/ubuntu/jammy/entrypoint.sh index dfa0f703f..d99a03c28 100755 --- a/8/jre/ubuntu/jammy/entrypoint.sh +++ b/8/jre/ubuntu/jammy/entrypoint.sh @@ -1,14 +1,16 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set @@ -21,14 +23,14 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +39,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +73,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +89,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/config/hotspot.yml b/config/hotspot.yml index 25b1dd53e..6bfda2461 100644 --- a/config/hotspot.yml +++ b/config/hotspot.yml @@ -21,29 +21,39 @@ configurations: - directory: ubuntu/jammy image: ubuntu:22.04 architectures: [aarch64, arm, ppc64le, s390x, x64] + # `bash` is required for Ubuntu-based images to correctly resolve + # environment variables.with.dots.in.them. + shebang: bash os: ubuntu - directory: ubuntu/focal architectures: [aarch64, arm, ppc64le, s390x, x64] image: ubuntu:20.04 deprecated: 20 + shebang: bash os: ubuntu - directory: centos architectures: [aarch64, ppc64le, x64] image: centos:7 deprecated: 20 + # CentOS's `/bin/sh` does not sanitize dotted variable names, so `bash` is unneeded + shebang: sh os: centos - directory: ubi/ubi9-minimal architectures: [aarch64, ppc64le, s390x, x64] image: redhat/ubi9-minimal + # Ubi9's `/bin/sh` does not sanitize dotted variable names, so `bash` is unneeded + shebang: sh os: ubi9-minimal alpine-linux: - directory: alpine architectures: [aarch64, x64] image: alpine:3.19 + # Alpine's `/bin/sh` does not sanitize dotted variable names, so `bash` is unneeded + shebang: sh os: alpine-linux windows: diff --git a/docker_templates/entrypoint.sh b/docker_templates/entrypoint.sh old mode 100755 new mode 100644 index dfa0f703f..aa5738b12 --- a/docker_templates/entrypoint.sh +++ b/docker_templates/entrypoint.sh @@ -1,34 +1,38 @@ #!/usr/bin/env sh -# Converted to POSIX shell to avoid the need for bash in the image +# This script defines `sh` as the interpreter, which is available in all POSIX environments. However, it might get +# started with `bash` as the shell to support dotted.environment.variable.names which are not supported by POSIX, but +# are supported by `sh` in some Linux flavours. set -e +TMPDIR=${TMPDIR:-/tmp} + # JDK truststore location -CACERT=$JAVA_HOME/lib/security/cacerts +JRE_CACERTS_PATH=$JAVA_HOME/lib/security/cacerts # JDK8 puts its JRE in a subdirectory if [ -f "$JAVA_HOME/jre/lib/security/cacerts" ]; then - CACERT=$JAVA_HOME/jre/lib/security/cacerts + JRE_CACERTS_PATH=$JAVA_HOME/jre/lib/security/cacerts fi # Opt-in is only activated if the environment variable is set if [ -n "$USE_SYSTEM_CA_CERTS" ]; then - if [ ! -w /tmp ]; then - echo "Using additional CA certificates requires write permissions to /tmp. Cannot create truststore." + if [ ! -w "$TMPDIR" ]; then + echo "Using additional CA certificates requires write permissions to $TMPDIR. Cannot create truststore." exit 1 fi # Figure out whether we can write to the JVM truststore. If we can, we'll add the certificates there. If not, # we'll use a temporary truststore. - if [ ! -w "$CACERT" ]; then + if [ ! -w "$JRE_CACERTS_PATH" ]; then # We cannot write to the JVM truststore, so we create a temporary one - CACERT_NEW=$(mktemp) - echo "Using a temporary truststore at $CACERT_NEW" - cp $CACERT $CACERT_NEW - CACERT=$CACERT_NEW + JRE_CACERTS_PATH_NEW=$(mktemp) + echo "Using a temporary truststore at $JRE_CACERTS_PATH_NEW" + cp "$JRE_CACERTS_PATH" "$JRE_CACERTS_PATH_NEW" + JRE_CACERTS_PATH=$JRE_CACERTS_PATH_NEW # If we use a custom truststore, we need to make sure that the JVM uses it - export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${CACERT} -Djavax.net.ssl.trustStorePassword=changeit" + export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS} -Djavax.net.ssl.trustStore=${JRE_CACERTS_PATH} -Djavax.net.ssl.trustStorePassword=changeit" fi tmp_store=$(mktemp) @@ -37,14 +41,17 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then trust extract --overwrite --format=java-cacerts --filter=ca-anchors --purpose=server-auth "$tmp_store" # Add the system CA certificates to the JVM truststore. - keytool -importkeystore -destkeystore "$CACERT" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt # >/dev/null + keytool -importkeystore -destkeystore "$JRE_CACERTS_PATH" -srckeystore "$tmp_store" -srcstorepass changeit -deststorepass changeit -noprompt + + # Clean up the temporary truststore + rm "$tmp_store" # Import the additional certificate into JVM truststore for i in /certificates/*crt; do if [ ! -f "$i" ]; then continue fi - keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$CACERT" -storepass changeit # >/dev/null + keytool -import -noprompt -alias "$(basename "$i" .crt)" -file "$i" -keystore "$JRE_CACERTS_PATH" -storepass changeit # >/dev/null done # Add additional certificates to the system CA store. This requires write permissions to several system @@ -68,12 +75,12 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # UBI/CentOS - if which update-ca-trust >/dev/null; then + if command -v update-ca-trust >/dev/null; then update-ca-trust fi # Ubuntu/Alpine - if which update-ca-certificates >/dev/null; then + if command -v update-ca-certificates >/dev/null; then update-ca-certificates fi else @@ -84,6 +91,6 @@ if [ -n "$USE_SYSTEM_CA_CERTS" ]; then fi # Let's provide a variable with the correct path for tools that want or need to use it -export CACERT +export JRE_CACERTS_PATH exec "$@" diff --git a/docker_templates/ubuntu.Dockerfile.j2 b/docker_templates/ubuntu.Dockerfile.j2 index 05dac147a..62b43eb1e 100644 --- a/docker_templates/ubuntu.Dockerfile.j2 +++ b/docker_templates/ubuntu.Dockerfile.j2 @@ -43,5 +43,5 @@ ENV JAVA_VERSION {{ java_version }} {% endif %} {% include 'partials/version-check.j2' %} COPY entrypoint.sh /__cacert_entrypoint.sh -ENTRYPOINT ["/__cacert_entrypoint.sh"] -{% include 'partials/jshell.j2' %} \ No newline at end of file +ENTRYPOINT ["/usr/bin/env", "{{ shebang }}", "-c", "/__cacert_entrypoint.sh"] +{% include 'partials/jshell.j2' %} diff --git a/generate_dockerfiles.py b/generate_dockerfiles.py index 5c786bebf..4890dbe7d 100644 --- a/generate_dockerfiles.py +++ b/generate_dockerfiles.py @@ -54,6 +54,7 @@ def archHelper(arch, os_name): directory = configuration["directory"] architectures = configuration["architectures"] os_name = configuration["os"] + shebang = configuration.get("shebang", "") base_image = configuration["image"] deprecated = configuration.get("deprecated", None) versions = configuration.get( @@ -140,6 +141,7 @@ def archHelper(arch, os_name): arch_data=arch_data, os_family=os_family, os=os_name, + shebang=shebang, ) print("Writing Dockerfile to", output_directory)