From 8f787310fa05191de6161bcfbb118d02411a16b6 Mon Sep 17 00:00:00 2001
From: Keyu Wu
Date: Fri, 20 Jun 2025 22:21:02 +0000
Subject: [PATCH 1/7] Add public key verification for aws cli download
---
 template/v2/Dockerfile | 16 +++++++++++-----
 template/v2/aws-cli-public-key.asc | 29 +++++++++++++++++++++++++++++
 template/v3/Dockerfile | 15 ++++++++++-----
 template/v3/aws-cli-public-key.asc | 29 +++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+), 10 deletions(-)
 create mode 100644 template/v2/aws-cli-public-key.asc
 create mode 100644 template/v3/aws-cli-public-key.asc
diff --git a/template/v2/Dockerfile b/template/v2/Dockerfile
index c04dde066..2b6b66279 100644
--- a/template/v2/Dockerfile
+++ b/template/v2/Dockerfile
@@ -54,13 +54,19 @@ RUN apt-get update && apt-get upgrade -y && \
 DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata krb5-user libkrb5-dev libsasl2-dev libsasl2-modules && \
 chmod g+w /etc/passwd && \
 echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
- touch /etc/krb5.conf.lock && chown ${NB_USER}:${MAMBA_USER} /etc/krb5.conf* && \
+ touch /etc/krb5.conf.lock && chown ${NB_USER}:${MAMBA_USER} /etc/krb5.conf*
 # Note that we do NOT run `rm -rf /var/lib/apt/lists/*` here. If we did, anyone building on top of our images will
 # not be able to run any `apt-get install` commands and that would hamper customizability of the images.
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
- unzip awscliv2.zip && \
- sudo ./aws/install && \
- rm -rf aws awscliv2.zip && \
+
+COPY aws-cli-public-key.asc .
+RUN curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \
+ curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig"
+RUN gpg --import aws-cli-public-key.asc
+RUN gpg --fingerprint FB5DB77FD5C118B80511ADA8A6310ACC4672475C
+RUN gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \
+ unzip awscli-exe-linux-x86_64.zip && \
+ ./aws/install && \
+ rm -rf aws awscli-exe-linux-x86_64.zip awscli-exe-linux-x86_64.zip.sig aws-cli-public-key.asc && \
 : && \
 echo "source /usr/local/bin/_activate_current_env.sh" | tee --append /etc/profile && \
 # CodeEditor - create server, user data dirs
diff --git a/template/v2/aws-cli-public-key.asc b/template/v2/aws-cli-public-key.asc
new file mode 100644
index 000000000..b415d17d9
--- /dev/null
+++ b/template/v2/aws-cli-public-key.asc
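Review bot: The `RUN gpg --fingerprint FB5DB77FD5C118B80511ADA8A6310ACC4672475C` step only confirms that a key with that fingerprint is present in the keyring; it does not tie the signature checked by the following `gpg --verify` to that key, so a good signature from any other key contained in `aws-cli-public-key.asc` would pass as well. The template/v3 Dockerfile hunk of this patch has the same sequence. Checking the signer inside the verify step closes the gap, for example `gpg --status-fd 1 --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip | grep -q "VALIDSIG .*FB5DB77FD5C118B80511ADA8A6310ACC4672475C"`. The last RUN instruction continues past the end of the hunk.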
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG +ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx +PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G +TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz +gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk +C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG +94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO +lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG +fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG +EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX +XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB +tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4CGwMF +CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQT7Xbd/1cEYuAURraimMQrMRnJHXAUC +ZqFYbwUJCv/cOgAKCRCmMQrMRnJHXKYuEAC+wtZ611qQtOl0t5spM9SWZuszbcyA +0xBAJq2pncnp6wdCOkuAPu4/R3UCIoD2C49MkLj9Y0Yvue8CCF6OIJ8L+fKBv2DI +yWZGmHL0p9wa/X8NCKQrKxK1gq5PuCzi3f3SqwfbZuZGeK/ubnmtttWXpUtuU/Iz +VR0u/0sAy3j4uTGKh2cX7XnZbSqgJhUk9H324mIJiSwzvw1Ker6xtH/LwdBeJCck +bVBdh3LZis4zuD4IZeBO1vRvjot3Oq4xadUv5RSPATg7T1kivrtLCnwvqc6L4LnF +0OkNysk94L3LQSHyQW2kQS1cVwr+yGUSiSp+VvMbAobAapmMJWP6e/dKyAUGIX6+ +2waLdbBs2U7MXznx/2ayCLPH7qCY9cenbdj5JhG9ibVvFWqqhSo22B/URQE/CMrG ++3xXwtHEBoMyWEATr1tWwn2yyQGbkUGANneSDFiTFeoQvKNyyCFTFO1F2XKCcuDs +19nj34PE2TJilTG2QRlMr4D0NgwLLAMg2Los1CK6nXWnImYHKuaKS9LVaCoC8vu7 +IRBik1NX6SjrQnftk0M9dY+s0ZbAN1gbdjZ8H3qlbl/4TxMdr87m8LP4FZIIo261 +Eycv34pVkCePZiP+dgamEiQJ7IL4ZArio9mv6HbDGV6mLY45+l6/0EzCwkI5IyIf +BfWC9s/USgxchg== +=ptgS +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/template/v3/Dockerfile b/template/v3/Dockerfile index 92754a045..a5a35bf20 100644 --- a/template/v3/Dockerfile +++ b/template/v3/Dockerfile 
@@ -54,13 +54,18 @@ RUN apt-get update && apt-get upgrade -y && \
 DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata krb5-user libkrb5-dev libsasl2-dev libsasl2-modules && \
 chmod g+w /etc/passwd && \
 echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \
- touch /etc/krb5.conf.lock && chown ${NB_USER}:${MAMBA_USER} /etc/krb5.conf* && \
+ touch /etc/krb5.conf.lock && chown ${NB_USER}:${MAMBA_USER} /etc/krb5.conf*
 # Note that we do NOT run `rm -rf /var/lib/apt/lists/*` here. If we did, anyone building on top of our images will
 # not be able to run any `apt-get install` commands and that would hamper customizability of the images.
- curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" && \
- unzip awscliv2.zip && \
- sudo ./aws/install && \
- rm -rf aws awscliv2.zip && \
+COPY aws-cli-public-key.asc .
+RUN curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \
+ curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig"
+RUN gpg --import aws-cli-public-key.asc
+RUN gpg --fingerprint FB5DB77FD5C118B80511ADA8A6310ACC4672475C
+RUN gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \
+ unzip awscli-exe-linux-x86_64.zip && \
+ ./aws/install && \
+ rm -rf aws awscli-exe-linux-x86_64.zip awscli-exe-linux-x86_64.zip.sig aws-cli-public-key.asc && \
 : && \
 echo "source /usr/local/bin/_activate_current_env.sh" | tee --append /etc/profile && \
 # CodeEditor - create server, user data dirs
diff --git a/template/v3/aws-cli-public-key.asc b/template/v3/aws-cli-public-key.asc
new file mode 100644
index 000000000..b415d17d9
--- /dev/null
+++ b/template/v3/aws-cli-public-key.asc
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG +ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx +PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G +TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz +gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk +C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG +94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO +lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG +fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG +EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX +XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB +tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4CGwMF +CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQT7Xbd/1cEYuAURraimMQrMRnJHXAUC +ZqFYbwUJCv/cOgAKCRCmMQrMRnJHXKYuEAC+wtZ611qQtOl0t5spM9SWZuszbcyA +0xBAJq2pncnp6wdCOkuAPu4/R3UCIoD2C49MkLj9Y0Yvue8CCF6OIJ8L+fKBv2DI +yWZGmHL0p9wa/X8NCKQrKxK1gq5PuCzi3f3SqwfbZuZGeK/ubnmtttWXpUtuU/Iz +VR0u/0sAy3j4uTGKh2cX7XnZbSqgJhUk9H324mIJiSwzvw1Ker6xtH/LwdBeJCck +bVBdh3LZis4zuD4IZeBO1vRvjot3Oq4xadUv5RSPATg7T1kivrtLCnwvqc6L4LnF +0OkNysk94L3LQSHyQW2kQS1cVwr+yGUSiSp+VvMbAobAapmMJWP6e/dKyAUGIX6+ +2waLdbBs2U7MXznx/2ayCLPH7qCY9cenbdj5JhG9ibVvFWqqhSo22B/URQE/CMrG ++3xXwtHEBoMyWEATr1tWwn2yyQGbkUGANneSDFiTFeoQvKNyyCFTFO1F2XKCcuDs +19nj34PE2TJilTG2QRlMr4D0NgwLLAMg2Los1CK6nXWnImYHKuaKS9LVaCoC8vu7 +IRBik1NX6SjrQnftk0M9dY+s0ZbAN1gbdjZ8H3qlbl/4TxMdr87m8LP4FZIIo261 +Eycv34pVkCePZiP+dgamEiQJ7IL4ZArio9mv6HbDGV6mLY45+l6/0EzCwkI5IyIf +BfWC9s/USgxchg== +=ptgS +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file From 4cecf38047f7a240a1f25b965885d59035e5462e Mon Sep 17 00:00:00 2001 
From: Keyu Wu Date: Thu, 26 Jun 2025 21:44:58 +0000 Subject: [PATCH 2/7] store publickey in assets folder, add file copying logic --- .../v2 => assets}/aws-cli-public-key.asc | 0 src/main.py | 7 ++++- template/v3/aws-cli-public-key.asc | 29 ------------------- 3 files changed, 6 insertions(+), 30 deletions(-) rename {template/v2 => assets}/aws-cli-public-key.asc (100%) delete mode 100644 template/v3/aws-cli-public-key.asc diff --git a/template/v2/aws-cli-public-key.asc b/assets/aws-cli-public-key.asc similarity index 100% rename from template/v2/aws-cli-public-key.asc rename to assets/aws-cli-public-key.asc diff --git a/src/main.py b/src/main.py index e3bd03a45..39efc6e23 100644 --- a/src/main.py +++ b/src/main.py @@ -125,13 +125,18 @@ def _copy_static_files(base_version_dir, new_version_dir, new_version_major, run for f in glob.glob(os.path.relpath(f"{base_path}/Dockerfile")): shutil.copy2(f, new_version_dir) + + # Copy AWS CLI public key if it exists in template + aws_cli_key_path = os.path.relpath(f"assets/aws-cli-public-key.asc") + if os.path.exists(aws_cli_key_path): + shutil.copy2(aws_cli_key_path, new_version_dir) if int(new_version_major) >= 1: # dirs directory doesn't exist for v0. It was introduced only for v1 dirs_relative_path = os.path.relpath(f"{base_path}/dirs") for f in glob.glob(dirs_relative_path): shutil.copytree(f, os.path.join(new_version_dir, "dirs")) - + def _create_new_version_conda_specs( base_version_dir, new_version_dir, runtime_version_upgrade_type, image_generator_config diff --git a/template/v3/aws-cli-public-key.asc b/template/v3/aws-cli-public-key.asc deleted file mode 100644 index b415d17d9..000000000 --- a/template/v3/aws-cli-public-key.asc +++ /dev/null 
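Review bot: The `if os.path.exists(aws_cli_key_path):` guard in the src/main.py hunk silently skips the copy when `assets/aws-cli-public-key.asc` is missing, so a version directory can be generated whose Dockerfile still contains `COPY aws-cli-public-key.asc` and only fails later at image build time. Since the key is a required input of the verification step, the copy should fail loudly here: drop the guard and let `shutil.copy2(aws_cli_key_path, new_version_dir)` raise. The path is also resolved with `os.path.relpath("assets/...")`, which presumably depends on the process working directory being the repository root; a comment stating that assumption would help. `_copy_static_files` begins and ends outside the hunk.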
@@ -1,29 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBF2Cr7UBEADJZHcgusOJl7ENSyumXh85z0TRV0xJorM2B/JL0kHOyigQluUG -ZMLhENaG0bYatdrKP+3H91lvK050pXwnO/R7fB/FSTouki4ciIx5OuLlnJZIxSzx -PqGl0mkxImLNbGWoi6Lto0LYxqHN2iQtzlwTVmq9733zd3XfcXrZ3+LblHAgEt5G -TfNxEKJ8soPLyWmwDH6HWCnjZ/aIQRBTIQ05uVeEoYxSh6wOai7ss/KveoSNBbYz -gbdzoqI2Y8cgH2nbfgp3DSasaLZEdCSsIsK1u05CinE7k2qZ7KgKAUIcT/cR/grk -C6VwsnDU0OUCideXcQ8WeHutqvgZH1JgKDbznoIzeQHJD238GEu+eKhRHcz8/jeG -94zkcgJOz3KbZGYMiTh277Fvj9zzvZsbMBCedV1BTg3TqgvdX4bdkhf5cH+7NtWO -lrFj6UwAsGukBTAOxC0l/dnSmZhJ7Z1KmEWilro/gOrjtOxqRQutlIqG22TaqoPG -fYVN+en3Zwbt97kcgZDwqbuykNt64oZWc4XKCa3mprEGC3IbJTBFqglXmZ7l9ywG -EEUJYOlb2XrSuPWml39beWdKM8kzr1OjnlOm6+lpTRCBfo0wa9F8YZRhHPAkwKkX -XDeOGpWRj4ohOx0d2GWkyV5xyN14p2tQOCdOODmz80yUTgRpPVQUtOEhXQARAQAB -tCFBV1MgQ0xJIFRlYW0gPGF3cy1jbGlAYW1hem9uLmNvbT6JAlQEEwEIAD4CGwMF -CwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQT7Xbd/1cEYuAURraimMQrMRnJHXAUC -ZqFYbwUJCv/cOgAKCRCmMQrMRnJHXKYuEAC+wtZ611qQtOl0t5spM9SWZuszbcyA -0xBAJq2pncnp6wdCOkuAPu4/R3UCIoD2C49MkLj9Y0Yvue8CCF6OIJ8L+fKBv2DI -yWZGmHL0p9wa/X8NCKQrKxK1gq5PuCzi3f3SqwfbZuZGeK/ubnmtttWXpUtuU/Iz -VR0u/0sAy3j4uTGKh2cX7XnZbSqgJhUk9H324mIJiSwzvw1Ker6xtH/LwdBeJCck -bVBdh3LZis4zuD4IZeBO1vRvjot3Oq4xadUv5RSPATg7T1kivrtLCnwvqc6L4LnF -0OkNysk94L3LQSHyQW2kQS1cVwr+yGUSiSp+VvMbAobAapmMJWP6e/dKyAUGIX6+ -2waLdbBs2U7MXznx/2ayCLPH7qCY9cenbdj5JhG9ibVvFWqqhSo22B/URQE/CMrG -+3xXwtHEBoMyWEATr1tWwn2yyQGbkUGANneSDFiTFeoQvKNyyCFTFO1F2XKCcuDs -19nj34PE2TJilTG2QRlMr4D0NgwLLAMg2Los1CK6nXWnImYHKuaKS9LVaCoC8vu7 -IRBik1NX6SjrQnftk0M9dY+s0ZbAN1gbdjZ8H3qlbl/4TxMdr87m8LP4FZIIo261 -Eycv34pVkCePZiP+dgamEiQJ7IL4ZArio9mv6HbDGV6mLY45+l6/0EzCwkI5IyIf -BfWC9s/USgxchg== -=ptgS ------END PGP PUBLIC KEY BLOCK----- \ No newline at end of file From 43594faf9171b130f038ad839eb7214c64aa9d45 Mon Sep 17 00:00:00 2001 
From: Keyu Wu
Date: Tue, 1 Jul 2025 17:27:50 +0000
Subject: [PATCH 3/7] remove finger pring verify, as it is trivial
---
 template/v2/Dockerfile | 15 +++++++--------
 template/v3/Dockerfile | 14 +++++++-------
 2 files changed, 14 insertions(+), 15 deletions(-)
diff --git a/template/v2/Dockerfile b/template/v2/Dockerfile
index 2b6b66279..dd49adb22 100644
--- a/template/v2/Dockerfile
+++ b/template/v2/Dockerfile
@@ -48,22 +48,21 @@ RUN usermod "--login=${NB_USER}" "--home=/home/${NB_USER}" --move-home "-u ${NB_ ENV MAMBA_USER=$NB_USER ENV USER=$NB_USER +COPY aws-cli-public-key.asc /tmp/ + RUN apt-get update && apt-get upgrade -y && \ apt-get install -y --no-install-recommends sudo gettext-base wget curl unzip git rsync build-essential openssh-client nano cron less mandoc jq ca-certificates gnupg && \ # We just install tzdata below but leave default time zone as UTC. This helps packages like Pandas to function correctly. DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata krb5-user libkrb5-dev libsasl2-dev libsasl2-modules && \ chmod g+w /etc/passwd && \ echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \ - touch /etc/krb5.conf.lock && chown ${NB_USER}:${MAMBA_USER} /etc/krb5.conf* + touch /etc/krb5.conf.lock && chown ${NB_USER}:${MAMBA_USER} /etc/krb5.conf* && \ # Note that we do NOT run `rm -rf /var/lib/apt/lists/*` here. If we did, anyone building on top of our images will # not be able to run any `apt-get install` commands and that would hamper customizability of the images. - -COPY aws-cli-public-key.asc . -RUN curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \ - curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -RUN gpg --import aws-cli-public-key.asc -RUN gpg --fingerprint FB5DB77FD5C118B80511ADA8A6310ACC4672475C -RUN gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \ + curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \ + curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" && \ + gpg --import /tmp/aws-cli-public-key.asc && \ + gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \ unzip awscli-exe-linux-x86_64.zip && \ ./aws/install && \ rm -rf aws awscli-exe-linux-x86_64.zip awscli-exe-linux-x86_64.zip.sig aws-cli-public-key.asc && \ 
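Review bot: The key is now copied to `/tmp/aws-cli-public-key.asc`, but the cleanup line at the end of the hunk still removes `aws-cli-public-key.asc` relative to the working directory, so unless the working directory is `/tmp` the `rm -rf` matches nothing and the file stays in the image; the template/v3 hunk of this patch has the same mismatch. The last argument should name the copied path: `rm -rf aws awscli-exe-linux-x86_64.zip awscli-exe-linux-x86_64.zip.sig /tmp/aws-cli-public-key.asc && \`. `gpg --import` also writes into the build user's default keyring, which remains in the image; pointing `GNUPGHOME` at a temporary directory that is removed in the same RUN would keep the keyring out of the final layer. The RUN instruction continues beyond the hunk.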
diff --git a/template/v3/Dockerfile b/template/v3/Dockerfile
index a5a35bf20..232f76fec 100644
--- a/template/v3/Dockerfile
+++ b/template/v3/Dockerfile
@@ -48,21 +48,21 @@ RUN usermod "--login=${NB_USER}" "--home=/home/${NB_USER}" --move-home "-u ${NB_ ENV MAMBA_USER=$NB_USER ENV USER=$NB_USER +COPY aws-cli-public-key.asc /tmp/ + RUN apt-get update && apt-get upgrade -y && \ apt-get install -y --no-install-recommends sudo gettext-base wget curl unzip git rsync build-essential openssh-client nano cron less mandoc jq ca-certificates gnupg && \ # We just install tzdata below but leave default time zone as UTC. This helps packages like Pandas to function correctly. DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends tzdata krb5-user libkrb5-dev libsasl2-dev libsasl2-modules && \ chmod g+w /etc/passwd && \ echo "ALL ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers && \ - touch /etc/krb5.conf.lock && chown ${NB_USER}:${MAMBA_USER} /etc/krb5.conf* + touch /etc/krb5.conf.lock && chown ${NB_USER}:${MAMBA_USER} /etc/krb5.conf* && \ # Note that we do NOT run `rm -rf /var/lib/apt/lists/*` here. If we did, anyone building on top of our images will # not be able to run any `apt-get install` commands and that would hamper customizability of the images. -COPY aws-cli-public-key.asc . -RUN curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \ - curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" -RUN gpg --import aws-cli-public-key.asc -RUN gpg --fingerprint FB5DB77FD5C118B80511ADA8A6310ACC4672475C -RUN gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \ + curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \ + curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" && \ + gpg --import /tmp/aws-cli-public-key.asc && \ + gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \ unzip awscli-exe-linux-x86_64.zip && \ ./aws/install && \ rm -rf aws awscli-exe-linux-x86_64.zip awscli-exe-linux-x86_64.zip.sig aws-cli-public-key.asc && \ From ff474fc5d75e384e535c675382d39dcbf12ea4c1 Mon Sep 17 00:00:00 2001 
From: Keyu Wu Date: Tue, 1 Jul 2025 17:39:59 +0000 Subject: [PATCH 4/7] format code with black --- src/main.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/main.py b/src/main.py index 39efc6e23..7595e4ebe 100644 --- a/src/main.py +++ b/src/main.py @@ -125,8 +125,8 @@ def _copy_static_files(base_version_dir, new_version_dir, new_version_major, run for f in glob.glob(os.path.relpath(f"{base_path}/Dockerfile")): shutil.copy2(f, new_version_dir) - - # Copy AWS CLI public key if it exists in template + + # Copy AWS CLI public key from assets aws_cli_key_path = os.path.relpath(f"assets/aws-cli-public-key.asc") if os.path.exists(aws_cli_key_path): shutil.copy2(aws_cli_key_path, new_version_dir) @@ -136,7 +136,7 @@ def _copy_static_files(base_version_dir, new_version_dir, new_version_major, run dirs_relative_path = os.path.relpath(f"{base_path}/dirs") for f in glob.glob(dirs_relative_path): shutil.copytree(f, os.path.join(new_version_dir, "dirs")) - + def _create_new_version_conda_specs( base_version_dir, new_version_dir, runtime_version_upgrade_type, image_generator_config From 316e83cc68e2ec20a124228cee059f16ecb2bdf8 Mon Sep 17 00:00:00 2001 From: Keyu Wu Date: Mon, 11 Aug 2025 21:50:44 +0000 Subject: [PATCH 5/7] add sudo back to follow the doc --- template/v2/Dockerfile | 2 +- template/v3/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/template/v2/Dockerfile b/template/v2/Dockerfile index dd49adb22..77081e4d0 100644 --- a/template/v2/Dockerfile +++ b/template/v2/Dockerfile 
@@ -64,7 +64,7 @@ RUN apt-get update && apt-get upgrade -y && \
 gpg --import /tmp/aws-cli-public-key.asc && \
 gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \
 unzip awscli-exe-linux-x86_64.zip && \
- ./aws/install && \
+ sudo ./aws/install && \
 rm -rf aws awscli-exe-linux-x86_64.zip awscli-exe-linux-x86_64.zip.sig aws-cli-public-key.asc && \
 : && \
 echo "source /usr/local/bin/_activate_current_env.sh" | tee --append /etc/profile && \
diff --git a/template/v3/Dockerfile b/template/v3/Dockerfile
index 232f76fec..ef47d2148 100644
--- a/template/v3/Dockerfile
+++ b/template/v3/Dockerfile
@@ -64,7 +64,7 @@ RUN apt-get update && apt-get upgrade -y && \
 gpg --import /tmp/aws-cli-public-key.asc && \
 gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \
 unzip awscli-exe-linux-x86_64.zip && \
- ./aws/install && \
+ sudo ./aws/install && \
 rm -rf aws awscli-exe-linux-x86_64.zip awscli-exe-linux-x86_64.zip.sig aws-cli-public-key.asc && \
 : && \
 echo "source /usr/local/bin/_activate_current_env.sh" | tee --append /etc/profile && \
From bb2e3bce773fe1892545052a1ee9b79972069d7e Mon Sep 17 00:00:00 2001
From: Keyu Wu
Date: Fri, 22 Aug 2025 22:44:25 +0000
Subject: [PATCH 6/7] address comments
---
 template/v2/Dockerfile | 4 +++-
 template/v3/Dockerfile | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/template/v2/Dockerfile b/template/v2/Dockerfile
index 77081e4d0..6948c6545 100644
--- a/template/v2/Dockerfile
+++ b/template/v2/Dockerfile
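Review bot: In the two [PATCH 5/7] hunks (template/v2 and template/v3), `sudo ./aws/install` sits in a RUN chain that, per the other hunks on this page, runs `apt-get upgrade` and appends to `/etc/sudoers`, so the step presumably already executes as root and `sudo` changes nothing except making the install depend on the sudo package. If the prefix is kept only to mirror the upstream install instructions, a comment should say so, e.g. `# sudo is a no-op here (RUN executes as root); kept to match the AWS CLI install docs`. The RUN instruction starts and ends outside both hunks.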
@@ -62,7 +62,9 @@ RUN apt-get update && apt-get upgrade -y && \
 curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \
 curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" && \
 gpg --import /tmp/aws-cli-public-key.asc && \
- gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \
+ echo "trust\n5\ny\n" | gpg --command-fd 0 --edit-key "aws-cli@amazon.com" && \
+ gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip || \
+ (echo "GPG verification failed" && exit 1) && \
 unzip awscli-exe-linux-x86_64.zip && \
 sudo ./aws/install && \
 rm -rf aws awscli-exe-linux-x86_64.zip awscli-exe-linux-x86_64.zip.sig aws-cli-public-key.asc && \
diff --git a/template/v3/Dockerfile b/template/v3/Dockerfile
index ef47d2148..af1bf0ccf 100644
--- a/template/v3/Dockerfile
+++ b/template/v3/Dockerfile
@@ -62,7 +62,8 @@ RUN apt-get update && apt-get upgrade -y && \
 curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \
 curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" && \
 gpg --import /tmp/aws-cli-public-key.asc && \
- gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip && \
+ gpg --trust-model always --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip || \
+ (echo "GPG verification failed" && exit 1) && \
 unzip awscli-exe-linux-x86_64.zip && \
 sudo ./aws/install && \
 rm -rf aws awscli-exe-linux-x86_64.zip awscli-exe-linux-x86_64.zip.sig aws-cli-public-key.asc && \
From 0d001f90e50cd43a1f2db2c2c553a1e1df9e7812 Mon Sep 17 00:00:00 2001
From: Keyu Wu
Date: Fri, 22 Aug 2025 22:48:04 +0000
Subject: [PATCH 7/7] address comments
---
 template/v2/Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/template/v2/Dockerfile b/template/v2/Dockerfile
index 6948c6545..9fe174024 100644
--- a/template/v2/Dockerfile
+++ b/template/v2/Dockerfile
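Review bot: The `|| (echo "GPG verification failed" && exit 1) && \` clause added after `gpg --verify` does not apply to the verify step alone: `&&` and `||` have equal precedence and group left to right, so the branch runs when any earlier command in the RUN chain fails (`apt-get`, `curl`, `gpg --import`) and reports it as a GPG failure. The build still stops only because the subshell's exit status short-circuits the following `&&` list; a later `||` in the part of the RUN outside the hunk would swallow it. A failing `gpg --verify` already ends the `&&` chain with a non-zero status, so the clause can be dropped, or scoped to the one command: `{ gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip || { echo "GPG verification failed" >&2; exit 1; }; } && \`. The template/v3 hunk of this patch and the [PATCH 7/7] hunk keep the same clause.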
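Review bot: `--trust-model always` in the template/v3 hunk does not make the check stricter: it tells gpg to treat every key in the keyring as valid, which removes the "not certified with a trusted signature" warning, while the exit status of `--verify` already depends only on whether some key in the keyring produced a good signature. The effective trust anchor is therefore the vendored `/tmp/aws-cli-public-key.asc`, and nothing in the hunk names the expected signer. A comment above the line would record that for the next maintainer, e.g. `# Trust anchor: vendored aws-cli-public-key.asc; --trust-model always only silences the untrusted-key warning.` The [PATCH 7/7] hunk for template/v2 adds the same flag.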
@@ -62,8 +62,7 @@ RUN apt-get update && apt-get upgrade -y && \
 curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" && \
 curl -O "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip.sig" && \
 gpg --import /tmp/aws-cli-public-key.asc && \
- echo "trust\n5\ny\n" | gpg --command-fd 0 --edit-key "aws-cli@amazon.com" && \
- gpg --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip || \
+ gpg --trust-model always --verify awscli-exe-linux-x86_64.zip.sig awscli-exe-linux-x86_64.zip || \
 (echo "GPG verification failed" && exit 1) && \
 unzip awscli-exe-linux-x86_64.zip && \
 sudo ./aws/install && \