Merge branch 'main' into multiple-images

Signed-off-by: Jérôme Benoit <jerome.benoit@sap.com>

diff --git a/.xmake.cfg b/.xmake.cfg
index 412b278de2b0bb7bd8f4e4c8f94c9a422e22ccb2..36527216c90b7903e718a21ef06d605a82bcd0d6 100644 (file)
--- a/.xmake.cfg
+++ b/.xmake.cfg
@@ -1,5 +1,5 @@
 [xmake]
-version=1.0.3
+version=1.0.5
 # https://github.wdf.sap.corp/pages/xmake-ci/User-Guide/Setting_up_a_Build/Release_Procedure/Release_Versions/
 
 [buildplugin]

diff --git a/Dockerfile b/Dockerfile
index e8277c73f2df024947c1c28c92d02fe79e454f81..b475c250dc45a5a3ce893583ec98699beea13498 100644 (file)
--- a/Dockerfile
+++ b/Dockerfile
@@ -38,7 +38,7 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
     && set -ex \
     && apt-get update \
     # libatomic1 for arm
-    && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \
+    && apt-get install -y ca-certificates curl gnupg dirmngr xz-utils libatomic1 --no-install-recommends \
     && rm -rf /var/lib/apt/lists/* \
     && for key in \
       4ED778F539E3634C779C87C6D7062848A1AB005C \
@@ -57,7 +57,7 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
       B9E2F5981AA6E0CD28160D9FF13993A75599653C \
     ; do \
       gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-      gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+      gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; \
     done \
     && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
     && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
@@ -84,13 +84,13 @@ ARG YARN_VERSION=1.22.19
 RUN set -ex \
   && savedAptMark="$(apt-mark showmanual)" \
   && apt-get update \
-  && apt-get install -y ca-certificates curl wget gnupg dirmngr --no-install-recommends \
+  && apt-get install -y ca-certificates curl gnupg dirmngr --no-install-recommends \
   && rm -rf /var/lib/apt/lists/* \
   && for key in \
     6A010C5166006599AA17F08146C2130DFD2497F5 \
   ; do \
     gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" ; \
+    gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; \
   done \
   && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" \
   && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" \
@@ -122,40 +122,57 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
     esac \
   && set -ex \
   && apt-get update \
-  && apt-get install -y ca-certificates wget --no-install-recommends \
+  && apt-get install -y ca-certificates gnupg dirmngr --no-install-recommends \
   && rm -rf /var/lib/apt/lists/* \
-  && wget -q -O - https://dist.sapmachine.io/debian/sapmachine.key | tee /etc/apt/trusted.gpg.d/sapmachine.gpg.asc \
+  && for key in \
+    62754C3B3ABCFE23 \
+  ; do \
+    gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/sapmachine.gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
+    gpg --no-default-keyring --keyring gnupg-ring:/etc/apt/trusted.gpg.d/sapmachine.gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; \
+  done \
+  && chmod 644 /etc/apt/trusted.gpg.d/sapmachine.gpg \
   && echo "deb http://dist.sapmachine.io/debian/${ARCH}/ ./" | tee /etc/apt/sources.list.d/sapmachine.list \
   && apt-get update \
   && apt-get install -y sapmachine-$(echo ${SAPMACHINE_VERSION} | cut -d. -f1)-jdk=${SAPMACHINE_VERSION} --no-install-recommends \
   && rm -rf /var/lib/apt/lists/* \
-  && apt-get remove --purge --autoremove -y ca-certificates wget \
+  && apt-get remove --purge --autoremove -y ca-certificates gnupg dirmngr \
   # smoke test
   && java --version
 
 ARG MAVEN_VERSION=3.8.6
-ARG SHA=f790857f3b1f90ae8d16281f902c689e4f136ebe584aba45e4b1fa66c80cba826d3e0e52fdd04ed44b4c66f6d3fe3584a057c26dfcac544a60b301e6d0f91c26
-ARG BASE_URL=https://apache.osuosl.org/maven/maven-3/${MAVEN_VERSION}/binaries
+ARG BASE_URL=https://downloads.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
 
 ENV MAVEN_HOME /usr/share/maven
 ENV M2_HOME ${MAVEN_HOME}
 
 RUN set -ex \
   && apt-get update \
-  && apt-get install -y ca-certificates curl procps --no-install-recommends \
+  && apt-get install -y ca-certificates curl gnupg dirmngr --no-install-recommends \
   && rm -rf /var/lib/apt/lists/* \
+  && curl -fsSLO --compressed ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+  && curl -fsSLO --compressed ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc \
+  && for key in \
+    6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688 \
+  ; do \
+    gpg --batch --keyserver hkps://pgp.surf.nl --recv-keys "$key" || \
+    gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" ; \
+  done \
+  && gpg --batch --verify apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \
   && mkdir -p ${MAVEN_HOME} ${MAVEN_HOME}/ref \
-  && curl -fsSL -o /tmp/apache-maven.tar.gz ${BASE_URL}/apache-maven-${MAVEN_VERSION}-bin.tar.gz \
-  && echo "${SHA}  /tmp/apache-maven.tar.gz" | sha512sum -c - \
-  && tar -xzf /tmp/apache-maven.tar.gz -C ${MAVEN_HOME} --strip-components=1 \
-  && rm -f /tmp/apache-maven.tar.gz \
+  && tar -xzf apache-maven-${MAVEN_VERSION}-bin.tar.gz -C ${MAVEN_HOME} --strip-components=1 \
+  && rm -f apache-maven-${MAVEN_VERSION}-bin.tar.gz.asc apache-maven-${MAVEN_VERSION}-bin.tar.gz \
+  && chmod --recursive a+w ${MAVEN_HOME}/conf/* \
   && ln -s ${MAVEN_HOME}/bin/mvn /usr/bin/mvn \
+<<<<<<< HEAD
   && chmod --recursive a+w ${MAVEN_HOME}/conf/* \
   && apt-get remove --purge --autoremove -y ca-certificates curl \
+=======
+  && apt-get remove --purge --autoremove -y ca-certificates curl gnupg dirmngr \
+>>>>>>> main
   # smoke test
   && mvn --version
 
-ARG MBT_VERSION=1.2.18
+ARG MBT_VERSION=1.2.19
 
 RUN set -ex \
   && npm install -g --unsafe-perm mbt@${MBT_VERSION} \

diff --git a/README.md b/README.md
index 6e31a211514769dcfdd83d0aa57ecd8a1a71d932..b5c8caba929553ea020fc6f664a31c2a6c2515d5 100644 (file)
--- a/README.md
+++ b/README.md
@@ -4,10 +4,10 @@
 
 * latest versions of node/sapmachine/maven
 * python 2->3
-* source integrity, source authentication, etc.
-* build debug logs
+* SAP security policy compliance: binaries authentication and integrity check
+* build debug
+* build stopped at any error => no corrupted images can be pushed
 * smoke tests
-* version handling compliant with renovate for automated upgrade
 
 Ref: https://github.com/SAP/cloud-mta-build-tool#the-cloud-mta-build-tool-images-deprecated
 

diff --git a/docker-compose.yml b/docker-compose.yml
index 58e138e54b577c7554b2e36c9903ded0b7c5f415..eed0c37d2bf304e8a1279b9644973b3955da43d8 100644 (file)
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -23,7 +23,7 @@ services:
     platform: linux/amd64
     build:
       args:
-        NODE_VERSION: 14.20.1
+        NODE_VERSION: 14.21.0
         SAPMACHINE_VERSION: 11.0.16.1
       dockerfile: Dockerfile
   mbt-node18-java17-docker:
@@ -44,7 +44,7 @@ services:
     platform: linux/amd64
     build:
       args:
-        NODE_VERSION: 14.20.1
+        NODE_VERSION: 14.21.0
         SAPMACHINE_VERSION: 17.0.4.1
       dockerfile: Dockerfile
   mbt-node18-java19-docker:
@@ -65,6 +65,6 @@ services:
     platform: linux/amd64
     build:
       args:
-        NODE_VERSION: 14.20.1
+        NODE_VERSION: 14.21.0
         SAPMACHINE_VERSION: 19.0.1
       dockerfile: Dockerfile