fix: secure PostgreSQL APT key installation in dockerfile#22391
Merged
Pull request overview
Risk Rating: MEDIUM — Changes affect how production/testing Docker images add and trust an external APT repository (PostgreSQL), which can impact build reliability and supply-chain trust.
This PR updates the Chainlink Docker build to install the PostgreSQL APT signing key without apt-key, using a dedicated keyring and a fingerprint check to improve security.
Changes:
- Replace deprecated `apt-key add` usage with a per-repo keyring under `/usr/share/keyrings`.
- Add a GPG fingerprint check for the PostgreSQL repository key.
- Switch the PGDG APT source URL from `http` to `https` and use `signed-by` in the source entry.
Scrupulous human review recommended (security-sensitive):
- The key download + dearmor + fingerprint validation pipeline, to ensure it strictly enforces the intended trust model (only the expected key(s) are trusted).
- The resulting keyring permissions/format and the `signed-by` wiring, to ensure `apt-get update` works reliably in CI/build environments.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| core/chainlink.Dockerfile | Reworks PGDG key installation to use a dedicated keyring + fingerprint validation and signed-by. |
| plugins/chainlink.Dockerfile | Mirrors the same PGDG keyring + fingerprint + signed-by approach for the plugins image. |
chainchad approved these changes (May 12, 2026)
kalverra approved these changes (May 12, 2026)
`apt-key add` as that is deprecated, and less secure.

Testing
Builds are successful: https://github.com/smartcontractkit/chainlink/actions/runs/25699217695?pr=22391
Notes
Sonarqube is complaining with:
This is not that relevant as we are validating the fetched key with a known/static fingerprint baked into our Dockerfile. This means that we technically don't care if it ends up redirecting to http, because the key is still verified.
DX-4135
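The download, dearmor, fingerprint-check and `signed-by` pipeline that the review summary and the description above describe, written out as an added example; this is not the PR's own Dockerfile. It assumes a Debian-based image, the key and repository URLs that PostgreSQL publishes, and a `PGDG_FINGERPRINT` build argument set to the upstream key's documented fingerprint; the placeholder default deliberately fails the build until it is replaced.

```dockerfile
# Added example, not the PR's Dockerfile. Assumptions: Debian-based image,
# PostgreSQL's published key/repo URLs, and PGDG_FINGERPRINT overridden with
# the documented fingerprint of the PGDG signing key (40 hex chars, no spaces).
FROM debian:bookworm-slim

ARG PGDG_FINGERPRINT="REPLACE_WITH_DOCUMENTED_PGDG_KEY_FINGERPRINT"

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends ca-certificates curl gnupg; \
    install -d -m 0755 /usr/share/keyrings; \
    # Fetch the ASCII-armored key over TLS into a temp file; no apt-key.
    curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc -o /tmp/pgdg.asc; \
    # Convert to binary keyring format in a dedicated per-repo keyring,
    # world-readable so apt's unprivileged helper can open it.
    gpg --dearmor < /tmp/pgdg.asc > /usr/share/keyrings/postgresql.gpg; \
    chmod 0644 /usr/share/keyrings/postgresql.gpg; \
    # Inspect the keyring: count primary keys and read the first primary
    # fingerprint (colon-format "fpr" record, field 10).
    listing="$(gpg --no-default-keyring --keyring /usr/share/keyrings/postgresql.gpg \
        --with-colons --fingerprint --list-keys)"; \
    npub="$(printf '%s\n' "$listing" | grep -c '^pub:')"; \
    actual="$(printf '%s\n' "$listing" | awk -F: '/^fpr:/ { print $10; exit }')"; \
    # Trust model: exactly one key, and it must be the expected one.
    # Anything else fails the build, so a substituted key is never trusted.
    if [ "$npub" != "1" ] || [ "$actual" != "$PGDG_FINGERPRINT" ]; then \
        echo "PGDG key check failed: $npub key(s), fingerprint $actual" >&2; \
        exit 1; \
    fi; \
    # Bind the repo to this keyring only, over https.
    . /etc/os-release; \
    echo "deb [signed-by=/usr/share/keyrings/postgresql.gpg] https://apt.postgresql.org/pub/repos/apt ${VERSION_CODENAME}-pgdg main" \
        > /etc/apt/sources.list.d/pgdg.list; \
    rm -f /tmp/pgdg.asc; \
    apt-get update; \
    rm -rf /var/lib/apt/lists/*
```

Because the fingerprint is compared against a value baked into the build, a redirect of the key download to a plain-http URL cannot silently substitute a different key, which is the point made in the notes above.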