Closed joshuacherry closed 7 years ago
Functionally speaking, is there that big of a difference between the sha256sum I'm doing on the package I download and verifying the chef.asc file before using the repository?
Alternatively, I could have the gpg key static in the dockerfile but that key is 34 lines of code vs the 64 digit sha256 that I have static in the Dockerfile.
I'm fine using either method; however, I think what I've configured so far is slightly more secure per line of code used, unless we want to trust `wget -qO - https://packages.chef.io/chef.asc | sudo apt-key add -` as "secure".
> Alternatively, I could have the gpg key static in the dockerfile but that key is 34 lines of code vs the 64 digit sha256 that I have static in the Dockerfile.
Sorry, I wasn't quite clear. I mean storing the signing key and repo definitions in the docker/ directory, then copying them into the image on build.
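As an added example (not code from this pull request): a fail-closed SHA-256 pin check of the kind discussed above, which works the same whether the pinned file is the downloaded package or a chef.asc saved to disk before it is handed to `apt-key add`. The function names and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a file against a pinned 64-hex-digit SHA-256.

# Print the lowercase hex SHA-256 of a file with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_HEX
# 0 = digest matches, 1 = mismatch, 2 = unusable pin or missing file.
verify_pinned() {
    file=$1
    expected=$2
    # Reject empty or non-hex pins so an unset build arg can never "match".
    case $expected in
        ""|*[!0-9a-fA-F]*) echo "bad pin" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "bad pin length" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        return 1
    fi
    return 0
}

# Constructed sample: a file containing the three bytes "abc".
demo=$(mktemp)
printf 'abc' > "$demo"
if verify_pinned "$demo" ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad; then
    echo "pin ok: safe to install or import $demo"
fi
rm -f "$demo"
```

Pinning the digest of the key file rather than of one package keeps the Dockerfile at a single 64-character constant while still letting apt verify later repository updates against that key.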
Jessie doesn't seem to have the inspec package in their repo so I switched that one back to my previous method for now. Trusty is having a weird error that I cannot replicate locally yet. Travis error is "*** WARNING *** You are not using Java 8
@benwebber This branch looks good to merge now, thanks for addressing Java 8.
No problem. I had to fuss with the variables a bit, but basically we install Java 8 everywhere except 14.04 now.
This should resolve #13. We may want to create a new issue for testing server.properties with the ini resource.