From 2a8ec08b5c077392924cba1876d1ed4a1cb31223 Mon Sep 17 00:00:00 2001
From: Erik Burton
Date: Mon, 11 May 2026 14:00:35 -0700
Subject: [PATCH 1/2] fix: secure PostgreSQL APT key installation in dockefile
---
 core/chainlink.Dockerfile | 14 ++++++++++----
 plugins/chainlink.Dockerfile | 14 ++++++++++----
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/core/chainlink.Dockerfile b/core/chainlink.Dockerfile
index 9aa6a4f6700..b9b935a33a3 100644
--- a/core/chainlink.Dockerfile
+++ b/core/chainlink.Dockerfile
@@ -102,10 +102,16 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && apt-get install -y ca-certificates gnupg lsb-release curl && rm -rf /var/lib/apt/lists/*
 # Install Postgres for CLI tools, needed specifically for DB backups
-RUN curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
- && echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" |tee /etc/apt/sources.list.d/pgdg.list \
- && apt-get update && apt-get install -y postgresql-client-16 \
- && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
+ | gpg --dearmor -o /usr/share/keyrings/postgresql-archive-keyring.gpg \
+ && gpg --no-default-keyring \
+ --keyring /usr/share/keyrings/postgresql-archive-keyring.gpg \
+ --fingerprint B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 \
+ && echo "deb [signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] \
+ https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" \
+ > /etc/apt/sources.list.d/pgdg.list \
+ && apt-get update && apt-get install -y postgresql-client-16 \
+ && rm -rf /var/lib/apt/lists/*
 RUN if [ ${CHAINLINK_USER} != root ]; then useradd --uid 14933 --create-home ${CHAINLINK_USER}; fi
 USER ${CHAINLINK_USER}
diff --git a/plugins/chainlink.Dockerfile b/plugins/chainlink.Dockerfile
index 690e3ffe2f3..2df7fceafbc 100644
--- a/plugins/chainlink.Dockerfile
+++ b/plugins/chainlink.Dockerfile
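Review bot: The added `gpg --no-default-keyring --keyring … --fingerprint B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8` step in core/chainlink.Dockerfile only proves that the expected key is present in the downloaded keyring; it still succeeds when the file carries additional keys, and apt accepts a signature from any key in a `signed-by` keyring. To make the pin exclusive, list the keyring's primary-key fingerprints and require that the result equals the pinned fingerprint exactly, as sketched below (this assumes `awk` is available in the base image, which the hunk does not show). The identical hunk in plugins/chainlink.Dockerfile has the same gap.

```dockerfile
RUN curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
    | gpg --dearmor -o /usr/share/keyrings/postgresql-archive-keyring.gpg \
    # Fail unless the keyring holds exactly one primary key and it is the pinned one.
    && test "$(gpg --no-default-keyring \
        --keyring /usr/share/keyrings/postgresql-archive-keyring.gpg \
        --fingerprint --with-colons \
        | awk -F: '$1 == "pub" { primary = 1; next } primary && $1 == "fpr" { print $10; primary = 0 }')" \
        = "B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8" \
    # … unchanged: signed-by sources.list entry, apt-get update/install, list cleanup …
```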
@@ -102,10 +102,16 @@ ENV DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && apt-get install -y ca-certificates gnupg lsb-release curl && rm -rf /var/lib/apt/lists/*
 # Install Postgres for CLI tools, needed specifically for DB backups
-RUN curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
- && echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" |tee /etc/apt/sources.list.d/pgdg.list \
- && apt-get update && apt-get install -y postgresql-client-16 \
- && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://www.postgresql.org/media/keys/ACCC4CF8.asc \
+ | gpg --dearmor -o /usr/share/keyrings/postgresql-archive-keyring.gpg \
+ && gpg --no-default-keyring \
+ --keyring /usr/share/keyrings/postgresql-archive-keyring.gpg \
+ --fingerprint B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8 \
+ && echo "deb [signed-by=/usr/share/keyrings/postgresql-archive-keyring.gpg] \
+ https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" \
+ > /etc/apt/sources.list.d/pgdg.list \
+ && apt-get update && apt-get install -y postgresql-client-16 \
+ && rm -rf /var/lib/apt/lists/*
 RUN if [ ${CHAINLINK_USER} != root ]; then useradd --uid 14933 --create-home ${CHAINLINK_USER}; fi
 USER ${CHAINLINK_USER}
From 06dd9bde7386a317e1e37ebe57e7eb8cc58c8250 Mon Sep 17 00:00:00 2001
From: Erik Burton
Date: Mon, 11 May 2026 14:46:04 -0700
Subject: [PATCH 2/2] empty commit