diff --git a/Dockerfile b/Dockerfile
index 43a083b..cb3dbdd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -78,14 +78,6 @@ RUN pacman -Syu --noconfirm && \
 zlib \
 && pacman -Scc --noconfirm
 
-# Import WebKitGTK PGP signing keys
-RUN gpg --keyserver keyserver.ubuntu.com --recv-keys \
- 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
- 013A0127AC9C65B34FFA62526C1009B693975393 || \
- gpg --keyserver hkps://keys.openpgp.org --recv-keys \
- 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
- 013A0127AC9C65B34FFA62526C1009B693975393
-
 # Non-root build user (makepkg refuses to run as root)
 RUN useradd -m -G wheel builduser && \
 echo '%wheel ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
diff --git a/scripts/entrypoint.sh b/scripts/entrypoint.sh
index 60ab805..1317d77 100755
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@@ -28,6 +28,23 @@ fi
 sudo -u builduser git config --global user.name "${AUR_MAINTAINER_NAME:-webkit2gtk-automator}"
 sudo -u builduser git config --global user.email "${AUR_MAINTAINER_EMAIL:-noreply@localhost}"
 
+# Import WebKitGTK PGP signing keys into builduser's keyring
+# makepkg verifies the source tarball signature against these keys.
+# Try the bundled local keys first (no network needed), then fall back to keyservers.
+echo "[entrypoint] Importing WebKitGTK PGP signing keys"
+if ls /workspace/webkit2gtk/keys/pgp/*.asc &>/dev/null; then
+ sudo -u builduser gpg --import /workspace/webkit2gtk/keys/pgp/*.asc
+ echo "[entrypoint] PGP keys imported from local bundle"
+else
+ sudo -u builduser gpg --keyserver keyserver.ubuntu.com --recv-keys \
+ 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
+ 013A0127AC9C65B34FFA62526C1009B693975393 || \
+ sudo -u builduser gpg --keyserver hkps://keys.openpgp.org --recv-keys \
+ 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B \
+ 013A0127AC9C65B34FFA62526C1009B693975393
+ echo "[entrypoint] PGP keys imported from keyserver"
+fi
+
 # Drop to builduser and start the polling loop
 echo "[entrypoint] Starting polling loop, interval: ${POLL_INTERVAL_SECONDS}s"
 exec sudo -u builduser bash -c '
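Review bot: In the fallback branch both `gpg --recv-keys` attempts can fail and the script still prints "PGP keys imported from keyserver" and goes on to exec the polling loop, because neither the `||` chain nor the `gpg --import` call in the local branch has an error check and the hunk does not show whether `set -e` is in effect; makepkg would then fail much later with an unknown-key error instead of here with a clear message. I would make both branches fail closed with an explicit `|| { echo "..." >&2; exit 1; }` and hoist the two fingerprints into an array so they are not repeated four times. Two smaller points: `ls … &>/dev/null` as a glob test can be `compgen -G`, and `keyserver.ubuntu.com` is given without a scheme while the other keyserver uses `hkps://`, so `hkps://keyserver.ubuntu.com` would keep the key fetch off plaintext HKP. The keys in `/workspace/webkit2gtk/keys/pgp` are presumably the AUR package's bundled keys, so the real trust anchor stays the `validpgpkeys` fingerprints in the PKGBUILD, which this hunk does not show.
```shell
# … unchanged: git config lines …
KEY_FPRS=(
  5AA3BC334FD7E3369E7C77B291C559DBE4C9123B
  013A0127AC9C65B34FFA62526C1009B693975393
)
echo "[entrypoint] Importing WebKitGTK PGP signing keys"
if compgen -G "/workspace/webkit2gtk/keys/pgp/*.asc" >/dev/null; then
  sudo -u builduser gpg --import /workspace/webkit2gtk/keys/pgp/*.asc \
    || { echo "[entrypoint] ERROR: local PGP key import failed" >&2; exit 1; }
  echo "[entrypoint] PGP keys imported from local bundle"
else
  sudo -u builduser gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys "${KEY_FPRS[@]}" \
    || sudo -u builduser gpg --keyserver hkps://keys.openpgp.org --recv-keys "${KEY_FPRS[@]}" \
    || { echo "[entrypoint] ERROR: could not fetch PGP keys from any keyserver" >&2; exit 1; }
  echo "[entrypoint] PGP keys imported from keyserver"
fi
# … unchanged: drop to builduser and exec polling loop …
```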