
Commit 01f6b66

committed
Refactor Dockerfile to improve Yarn GPG key handling and add fallback mechanism
1 parent 456eaaa commit 01f6b66


1 file changed

+21
-9
lines changed


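--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -4,15 +4,21 @@ USER root
 
 # Import Yarn GPG key (try keys.openpgp.org first, fall back to yarn's pubkey)
 RUN set -eux \
+&& rm -f /etc/apt/sources.list.d/yarn.list || true \
 && apt-get update \
 && apt-get install -y --no-install-recommends curl gnupg dirmngr ca-certificates apt-transport-https \
 && mkdir -p /etc/apt/keyrings /tmp || true \
-&& (curl -fsSL "https://keys.openpgp.org/vks/v1/by-fingerprint/72ECF46A56B4AD39C907BBB71646B01B86E50310" -o /tmp/yarnkey || true) \
-&& if [ -s /tmp/yarnkey ]; then \
-gpg --dearmor --yes -o /etc/apt/keyrings/yarn-archive-keyring.gpg /tmp/yarnkey; \
-else \
-curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor --yes -o /etc/apt/keyrings/yarn-archive-keyring.gpg; \
-fi \
+&& (curl -fsSL "https://keys.openpgp.org/vks/v1/by-fingerprint/72ECF46A56B4AD39C907BBB71646B01B86E50310" -o /tmp/yarnkey || true) \
+&& if [ -s /tmp/yarnkey ]; then \
+gpg --dearmor --batch --yes -o /etc/apt/keyrings/yarn-archive-keyring.gpg /tmp/yarnkey; \
+# also add to legacy apt keyring as a fallback for environments where signed-by fails
+&& curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - || true \
+else \
+curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg -o /tmp/yarnkey_fallback || true; \
+if [ -s /tmp/yarnkey_fallback ]; then \
+gpg --dearmor --batch --yes -o /etc/apt/keyrings/yarn-archive-keyring.gpg /tmp/yarnkey_fallback; \
+fi; \
+fi \
 # If GPG verification fails in some environments, fall back to marking the repo trusted
 && echo "deb [arch=$(dpkg --print-architecture) trusted=yes] https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list \
 && apt-get update \
@@ -23,11 +29,17 @@ FROM mcr.microsoft.com/devcontainers/java:1-21-bullseye
 # Ensure Yarn APT repo has its GPG key so later feature installs don't fail with NO_PUBKEY
 USER root
 RUN set -eux \
+&& rm -f /etc/apt/sources.list.d/yarn.list || true \
 && apt-get update \
 && apt-get install -y --no-install-recommends curl gnupg dirmngr \
-&& curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor -o /usr/share/keyrings/yarn-archive-keyring.gpg \
-&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarn-archive-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main" \
-> /etc/apt/sources.list.d/yarn.list \
+&& curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg -o /tmp/yarnkey || true \
+&& if [ -s /tmp/yarnkey ]; then \
+gpg --dearmor --batch --yes -o /usr/share/keyrings/yarn-archive-keyring.gpg /tmp/yarnkey; \
+else \
+echo "Warning: failed to fetch yarn pubkey"; \
+fi \
+&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/yarn-archive-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main" \
+> /etc/apt/sources.list.d/yarn.list \
 && apt-get update \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*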
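Review bot: In the first RUN, the `then` branch added at new lines 13-15 looks syntactically broken as far as I can tell: the Dockerfile parser drops the `#` comment line, leaving `... /tmp/yarnkey; && curl ... | apt-key add - || true else`, where `; &&` is a shell syntax error and `else` becomes an argument to `true`. Separately, `apt-key add` puts a key fetched with `curl -sS` (no `-f`, no fingerprint check) into apt's global keyring, where it is trusted for any source without its own `signed-by`; I would delete new lines 14-15 and keep only the scoped keyring. The fallback at new line 17 is dearmored without being compared to the fingerprint already used in the keys.openpgp.org URL; a guard such as `gpg --show-keys --with-colons /tmp/yarnkey_fallback | grep -q 72ECF46A56B4AD39C907BBB71646B01B86E50310` before `gpg --dearmor` would pin it. The unchanged `trusted=yes` entry below disables signature checking for this repo regardless of which key was imported, and in the second RUN a failed fetch only prints a warning while `signed-by=` still names a keyring that was never written, so failing the build there (`exit 1`) seems safer. The first RUN continues past the end of its hunk.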
