DopplerHQ / cli

The official CLI for interacting with your Doppler secrets and configuration.
https://docs.doppler.com
Apache License 2.0

[BUG] Dockerfile cannot find gpgv which causes install script to fail #451

Status: Closed (marytal closed this issue 4 months ago)

marytal commented 4 months ago

Describe the bug: Running the install script RUN curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh | sh in a Dockerfile.

To Reproduce: Run the above install script in a Dockerfile with gnupg installed on the Docker image:

RUN yum update -y && \
    yum install -y gnupg && \
    yum clean all

RUN curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh | sh

Expected behavior: Installs successfully.

Actual behavior: RUN command -v gpg works fine, but RUN command -v gpgv doesn't work. It appears that we cannot install gpgv independently (see here), so it should work when gnupg is installed.

Fails with error: "ERROR: Unable to find gpg binary for signature verification"

Started failing when this was merged: https://github.com/DopplerHQ/cli/pull/449

Screenshots: N/A

Desktop (please complete the following information):

Dockerfile linux/amd64 amazonlinux:2023

CLI Version: N/A

Additional context: N/A

Any help appreciated!

watsonian commented 4 months ago

@marytal The problem here is that amazonlinux:2023 comes with the gnupg2-minimal package installed (this is also what it tries installing when you run yum install gnupg). gpgv comes in the full gnupg2 package. If you run sudo yum install --allowerasing gnupg2 on the container, you should end up with the required binaries.

watsonian commented 4 months ago

As a quick follow-up, keep in mind that you can also install via package manager by following the installation instructions on the RedHat/CentOS tab of our CLI installation docs.

watsonian commented 4 months ago

Also, to elaborate a bit on why we changed from gpg to gpgv in #449 – the reason for that is newer versions of gnupg are defaulting to using keyboxd for key storage. When keyboxd is enabled, the --no-default-keyring and --keyring flags are ignored by the gpg command. This broke signature verification in our installer. The standard gnupg package that we have as a dependency requirement when using the install script comes with gpgv, which is a small binary designed specifically for doing signature verifications and isn't impacted by keyboxd being in use. This allows us to continue verifying in the same way we were before (i.e., without us having to import our public key into the machine's keyring and then remove it after – leaving the potential that the key might end up permanently installed on the machine if the script were interrupted). In this situation, it (unfortunately) looks like AmazonLinux has mapped gnupg to gnupg2-minimal rather than gnupg2, which results in their container coming without gpgv by default.
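Putting the two points above together (the gnupg2-minimal vs. gnupg2 package mapping, and the installer's dependence on gpgv), here is an added example Dockerfile for amazonlinux:2023 that installs the full gnupg2 package and fails the build early if gpgv is still absent. It is not code from the DopplerHQ/cli project; the package names and the install line are the ones quoted in this thread.

```dockerfile
# Added example (not from the DopplerHQ/cli project): amazonlinux:2023 image
# prepared so the Doppler install script can verify the CLI signature with gpgv.
FROM amazonlinux:2023

# The package name from the bug report. On amazonlinux:2023 it resolves to
# gnupg2-minimal, which provides gpg but not gpgv, so install.sh fails with
# "ERROR: Unable to find gpg binary for signature verification".
# RUN yum install -y gnupg

# Fix from the thread: install the full gnupg2 package. --allowerasing lets yum
# replace the preinstalled gnupg2-minimal, which conflicts with gnupg2.
RUN yum update -y && \
    yum install -y --allowerasing gnupg2 && \
    yum clean all

# Fail the build with a clear message if gpgv is still missing, rather than
# letting install.sh fail later with its generic error.
RUN command -v gpgv >/dev/null 2>&1 || { \
      echo "gpgv not found: install.sh cannot verify the Doppler CLI signature" >&2; \
      exit 1; \
    }

# Same install line as the issue report. Since #449 install.sh uses gpgv, which
# verifies the download without importing the Doppler public key into the
# image's default keyring and is unaffected by keyboxd.
RUN curl -Ls --tlsv1.2 --proto "=https" --retry 3 https://cli.doppler.com/install.sh | sh
```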

marytal commented 3 months ago

Thanks for your help! :)