Parcourir la source

uninstall `ca-certificates` package after download (cert pinned in `toit` executable)

Fabian Peter Hammerle il y a 2 ans
Parent
commit
32ca261867
1 fichiers modifiés avec 11 ajouts et 9 suppressions
  1. 11 9
      Dockerfile

+ 11 - 9
Dockerfile

@@ -1,17 +1,19 @@
 # TODO test alpine base image
 FROM docker.io/debian:bullseye-slim
 
-# TODO test if ca-certificates is required at runtime (cert pinned?)
+# > $ grep -azoP -- '\-+BEGIN CERTIFICATE\-+[\sa-zA-Z0-9\+/]+\=*\s\-+END CERTIFICATE\-+\s' \
+# >   /usr/local/bin/toit | openssl x509 -noout -serial -subject -issuer -dates -fingerprint
+# > serial=02008EB2023336658B64CDDB9B
+# > subject=C = US, O = Google Trust Services LLC, CN = GTS CA 1D4
+# > issuer=C = US, O = Google Trust Services LLC, CN = GTS Root R1
+# > notBefore=Aug 13 00:00:42 2020 GMT
+# > notAfter=Sep 30 00:00:42 2027 GMT
+# > SHA1 Fingerprint=34:9C:38:5F:F8:E3:30:F2:0E:AD:73:3C:D3:6F:B4:35:FE:E0:B4:03
 RUN apt-get update \
-    && apt-get install --no-install-recommends --yes \
-        curl
-# TODO merge
-RUN apt-get install --no-install-recommends --yes \
-        ca-certificates
-# TODO merge
-RUN curl https://archive.toit.io/cli/v1.18.2/linux \
+    && apt-get install --no-install-recommends --yes ca-certificates curl \
+    && curl https://archive.toit.io/cli/v1.18.2/linux \
         | tar -xvzf - -C /usr/local/bin \
-    && apt-get install --autoremove --yes curl \
+    && apt-get install --autoremove --yes ca-certificates curl \
     && rm -r /var/lib/apt/lists/*
 
 # TODO change user