ubi: Restrict rpmkey import to specific keys

And not just whatever key is in the downloaded key file.

There could be more than one key included.

Per review: docker-library/official-images#16872 (comment)
by @tianon.

10.11-ubi/Dockerfile

@@ -63,18 +63,23 @@ ARG MARIADB_VERSION=10.11.8
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \

10.6-ubi/Dockerfile

@@ -64,18 +64,23 @@ ARG MARIADB_VERSION=10.6.18
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \

11.4-ubi/Dockerfile

@@ -63,18 +63,23 @@ ARG MARIADB_VERSION=11.4.2
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \

11.5-ubi/Dockerfile

@@ -63,18 +63,23 @@ ARG MARIADB_VERSION=11.5.1
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \

Dockerfile-ubi.template

@@ -64,18 +64,23 @@ ARG MARIADB_VERSION=%%MARIADB_VERSION%%
 # procps, pv(epel) - missing dependencies of galera sst script
 # tzdata re-installed as only a fake version is part of the ubi-minimal base image.
 # FF8AD1344597106ECE813B918A3872BF3228467C is the Fedora RPM key
+# 177F4010FE56CA3336300305F1656F24C74CD1D8 is the MariaDB Server RPM key
 RUN set -eux ; \
  curl --fail https://pagure.io/fedora-web/websites/raw/master/f/sites/getfedora.org/static/keys/FF8AD1344597106ECE813B918A3872BF3228467C.txt --output /tmp/epelkey.txt ; \
- gpg --import-options show-only --import --with-colons /tmp/epelkey.txt | grep '^pub:-:4096:1:8A3872BF3228467C:1631033579:::-:' ; \
+ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME ; \
+ gpg --batch --import /tmp/epelkey.txt ; \
+ gpg --batch --armor --export FF8AD1344597106ECE813B918A3872BF3228467C > /tmp/epelkey.txt ; \
  rpmkeys --import /tmp/epelkey.txt ; \
  curl --fail https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -K /tmp/epel-release-latest-9.noarch.rpm ; \
  rpm -ivh /tmp/epel-release-latest-9.noarch.rpm ; \
  rm /tmp/epelkey.txt /tmp/epel-release-latest-9.noarch.rpm ; \
  curl --fail https://supplychain.mariadb.com/MariaDB-Server-GPG-KEY --output /tmp/MariaDB-Server-GPG-KEY ; \
- gpg --import-options show-only --import --with-colons /tmp/MariaDB-Server-GPG-KEY | grep '^pub:-:1024:17:CBCB082A1BB943DB:1265140880:::-:::scESC::::::::0:' ; \
+ gpg --batch --import /tmp/MariaDB-Server-GPG-KEY; \
+ gpg --batch --armor --export 177F4010FE56CA3336300305F1656F24C74CD1D8 > /tmp/MariaDB-Server-GPG-KEY ; \
  rpmkeys --import /tmp/MariaDB-Server-GPG-KEY ; \
- rm /tmp/MariaDB-Server-GPG-KEY ; \
+ rm -rf "$GNUPGHOME" /tmp/MariaDB-Server-GPG-KEY ; \
+ unset GNUPGHOME ; \
  microdnf update -y ; \
  microdnf reinstall -y tzdata ; \
  microdnf install -y procps-ng zstd xz jemalloc pwgen pv ; \