Closed · hoelzro closed this issue 5 years ago
It would appear that https://github.com/rakudo/star/issues/124#issuecomment-472484846 is referencing this new key but doesn't include a fingerprint (or even keyid). :confused:
Maybe the release fingerprint is something they'd be willing to add to the website so users can verify it easily as well as distributors?
@hoelzro @tianon Hi. I signed the tarball. Is there anything I could do to make your life easier?
I figured you did but didn't want to be rude and @ you directly! 😅
It would be really awesome to publish the PGP key full fingerprint somewhere like the website (accessible via gpg --fingerprint on a system which has the public key, although I'm guessing you already know that 😅).
@tianon I am not really sure what I should do 😅 but if you walk me through the steps I'll make them. Thanks :)
@tianon my key is listed here if it helps: http://ha.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0x18C438E6FF24326D
Oh nice, yeah, I'd recommend publishing 7A6C 9EB8 809C FEAF 0ED4 E09F 18C4 38E6 FF24 326D somewhere on the website as a known "release signer" (and @hoelzro that's the fingerprint you'll need to do the bump) so folks can both know what key to fetch and can easily verify that the Dockerfile here is consuming a known-published key from "the perl6 project", if that makes sense.
It would probably also make sense to include the old signing key for posterity's sake.
This is one place the PHP project really shines: https://www.php.net/downloads.php (see "GPG Keys" down on that page where they publish the full fingerprint for each release's "release team" members so downloads can be verified appropriately). They've also got https://www.php.net/gpg-keys.php for folks looking to verify even older releases, although I don't think you necessarily need to go to that extent. :sweat_smile:
There is a similar issue in rakudo.
@kawaii, @stmuk.
Hey @hoelzro, @tianon, @hankache, I added a commit updating the version and including the new fingerprint. I've submitted a PR for it here.
I'm not sure what I submitted is the best way to go about it (it's got an ugly bit of shell scripting to select between the old and new fingerprints depending on the rakudo_version), but if you guys think it's acceptable, feel free to merge :)
This was fixed by https://github.com/perl6/docker/pull/24, right?
Yes this was fixed and can be closed.
The change is normally pretty trivial, but now that the docker build process uses GPG to verify the integrity of the tarball, and since the key used to generate the signature for 2019.03 differs from the one used for 2018.10, we need a way to verify that the key is authentic.
CC @jstuder-gh
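An added example, not code from the perl6/docker repository or from the PR discussed above, of the pattern the thread settles on: choose the release-signer fingerprint from the Rakudo Star version, import that key by its full fingerprint, and accept the tarball only if the signature was made by exactly that key. The 2018.10 fingerprint is not given in the thread and is a placeholder here; the keyserver URL and the assumption that every release from 2019.03 onward is signed with the new key are mine.

```shell
#!/bin/sh
# Added example, not the perl6/docker Dockerfile. Assumes gpg on PATH and
# that every release from 2019.03 onward is signed with the new key.

NEW_FPR="7A6C9EB8809CFEAF0ED4E09F18C438E6FF24326D"  # 2019.03 signer, from the thread
OLD_FPR="0000000000000000000000000000000000000000"  # PLACEHOLDER: 2018.10 signer (not given in the thread)
KEYSERVER="hkps://keyserver.ubuntu.com"              # assumed; any keyserver carrying the key works

# Print the full fingerprint of the key expected to sign a Rakudo Star
# release "YYYY.MM"; fail on anything that is not a YYYY.MM version string.
signer_fingerprint() {
    version="$1"
    case "$version" in
        ""|*[!0-9.]*|*.*.*|.*|*.) return 1 ;;   # digits and exactly one interior dot
        *.*) ;;
        *) return 1 ;;
    esac
    year=${version%%.*}
    month=${version#*.}
    if [ "$year" -gt 2019 ] || { [ "$year" -eq 2019 ] && [ "$month" -ge 3 ]; }; then
        printf '%s\n' "$NEW_FPR"
    else
        printf '%s\n' "$OLD_FPR"
    fi
}

# Fetch the expected key by full fingerprint into a throwaway keyring, verify the
# detached signature, and accept only if gpg reports VALIDSIG for that exact key
# (a good signature from some other key must not pass).
verify_tarball() {
    tarball="$1" sig="$2" version="$3"
    fpr=$(signer_fingerprint "$version") || { echo "unknown version: $version" >&2; return 1; }
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$fpr" || return 1
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    # VALIDSIG carries the signing key fingerprint first and the primary key
    # fingerprint last; the expected key must appear in one of those positions.
    printf '%s\n' "$status" | grep -Eq "^\[GNUPG:\] VALIDSIG ($fpr |.* $fpr$)"
}

# Usage: ./verify.sh rakudo-star-2019.03.tar.gz rakudo-star-2019.03.tar.gz.asc 2019.03
if [ "$#" -eq 3 ]; then
    verify_tarball "$1" "$2" "$3" && echo "OK: signed by the $3 release key"
fi
```

A plain `gpg --verify` exits 0 for a good signature from any key in the keyring, so the VALIDSIG fingerprint match is what pins the download to the published release signer.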