Add --repo-base-url option

Author: thomasleplus

README.md

@@ -11,6 +11,22 @@ Docker container to verify jars PGP signatures.
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/10079/badge)](https://bestpractices.coreinfrastructure.org/projects/10079)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/leplusorg/docker-pgp-verify-jar/badge)](https://securityscorecards.dev/viewer/?uri=github.com/leplusorg/docker-pgp-verify-jar)
 
+## Goal and limitations
+
+The goal of this docker container image is to provide an easy way to
+verify jar files signatures. Currently it can only verify files that
+it downloads from a Maven repository that doesn't require
+authentication and that use a certificate issues by a trusted public
+CA.
+
+This image has the benefit of being platform-agnostic and it
+doesn't rely on Maven or Java. But if your goal is to validate
+signatures for your project dependencies at build time and/or runtime,
+there are Maven plugins (e.g.
+[Verify PGP signatures](https://www.simplify4u.org/pgpverify-maven-plugin/)).
+Gradle even has this feature
+(out-of-the-box)[https://docs.gradle.org/current/userguide/dependency_verification.html].
+
 ## Examples
 
 Assuming that you want to see the signature of a jar with coordinates 'org.leplus:ristretto:1.0.0':

pgp-verify-jar/Dockerfile

@@ -19,6 +19,7 @@ RUN apk -U upgrade \
       apk -u list ; \
       exit 1 ; \
     fi \
+    && apk cache clean \
     && rm -rf /var/cache/apk/*
 
 # create gpg directory to prevent keyboxd to automagically start, see https://github.com/nodejs/docker-node/pull/1895#issuecomment-1550389150

pgp-verify-jar/pgp-verify-jar.sh

@@ -11,7 +11,12 @@ Options:
  
  -h                                 display this help and exit
  -v, --verification-mode MODE       use the corresponding verification mode
-                                    (online or offline). Default is online.
+                                    (online or offline). In online mode, keys
+                                    are downloaded from a keyserver. In offline
+                                    mode, keys are read from local key store.
+                                    Default is online.
+ -r, --repo-base-url URL            use the provided URL to fecth signature
+                                    files. Default is https://repo1.maven.org/maven2.
  -k, --keyserver SERVER             use the provided keyserver for online
                                     operations. Default is keyserver.ubuntu.com.
  -b, --bootstrap-online-keys KEYS   download from the keyserver the keys with
@@ -75,6 +80,25 @@ while :; do
 	--verification-mode=)
 		die 'ERROR: "--verification-mode" requires an option argument.'
 		;;
+	-r | --repo-base-url)
+		if [ -z ${2+x} ]; then
+		    REPO_BASE_URL=${2}
+		    shift
+		else
+		    die 'ERROR: "--repo-base-url" requires an option argument.'
+		fi
+		;;
+	--repo-base-url=?*)
+		if [ "${1#*=}" ]; then
+		    REPO_BASE_URL=${1#*=}
+		    shift
+		else
+		    die 'ERROR: "--repo-base-url" requires an option argument.'
+		fi
+		;;
+	--repo-base-url=)
+		die 'ERROR: "--repo-base-url" requires an option argument.'
+		;;
 	-k | --keyserver)
 		if [ -z ${2+x} ]; then
 			KEYSERVER=${2}
@@ -145,6 +169,10 @@ while :; do
 	esac
 done
 
+if [ -z ${REPO_BASE_URL+x} ]; then
+    REPO_BASE_URL='https://repo1.maven.org/maven2'
+fi
+
 if [ -z ${VERIFICATION_MODE+x} ]; then
 	VERIFICATION_MODE='online'
 fi
@@ -192,8 +220,8 @@ for artifact in "${@}"; do
 	else
 		artifactClassifierSuffix="-${coordinates[3]}"
 	fi
-	artifactUrl="https://repo1.maven.org/maven2/${groupId//\.//}/${artifactId}/${artifactVersion}/${artifactId}-${artifactVersion}${artifactClassifierSuffix}.${artifactExtension}"
 	artifactFile="${artifactId}-${artifactVersion}${artifactClassifierSuffix}.${artifactExtension}"
+	artifactUrl="${REPO_BASE_URL}/${groupId//\.//}/${artifactId}/${artifactVersion}/${artifactFile}"
 	signatureUrl="${artifactUrl}.asc"
 	signatureFile="${artifactFile}.asc"
 	\echo Downloading "${artifactUrl}"