You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The Mozilla repository key verification is implemented but the script continues regardless of verification result. Consider adding error handling to abort if key verification fails.
gpg -n -q --import --import-options import-show /etc/apt/keyrings/packages.mozilla.org.asc | awk '/pub/{getline; gsub(/^ +| +$/,""); if($0 == "35BAA0B33E9EB396F59CA838C0BA5CE6DC6315A3") print "\nThe key fingerprint matches ("$0").\n"; else print "\nVerification failed: the fingerprint ("$0") does not match the expected one.\n"}' && \
The GPG key verification doesn't halt the build if verification fails. This is a security risk as it only prints a message but continues execution even if the key doesn't match the expected fingerprint.
wget -q https://packages.mozilla.org/apt/repo-signing-key.gpg -O- | tee /etc/apt/keyrings/packages.mozilla.org.asc > /dev/null && \
-gpg -n -q --import --import-options import-show /etc/apt/keyrings/packages.mozilla.org.asc | awk '/pub/{getline; gsub(/^ +| +$/,""); if($0 == "35BAA0B33E9EB396F59CA838C0BA5CE6DC6315A3") print "\nThe key fingerprint matches ("$0").\n"; else print "\nVerification failed: the fingerprint ("$0") does not match the expected one.\n"}'+gpg -n -q --import --import-options import-show /etc/apt/keyrings/packages.mozilla.org.asc | awk '/pub/{getline; gsub(/^ +| +$/,""); if($0 == "35BAA0B33E9EB396F59CA838C0BA5CE6DC6315A3") print "\nThe key fingerprint matches ("$0").\n"; else print "\nVerification failed: the fingerprint ("$0") does not match the expected one.\n"; exit 1}'
[To ensure code accuracy, apply this suggestion manually]
Suggestion importance[1-10]: 9
__
Why: This is a critical security fix that prevents the build from continuing when the Mozilla GPG key verification fails. Without this change, the build would proceed even with an invalid key, potentially allowing compromised packages to be installed.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
User description
Thanks for contributing to Selenium!
A PR well described will help maintainers to quickly review and merge it
Before submitting your PR, please check our contributing guidelines.
Avoid large PRs, help reviewers by making them as simple and short as possible.
Motivation and Context
Types of changes
Checklist
PR Type
Enhancement, Configuration changes
Description
Updated Bazelisk version in
create-cc-toolchain-within-image.sh.Changed Docker image references in multiple files.
Switched base image in
remote-image/Dockerfileto Ubuntu Focal.Added Mozilla repository setup and key verification in
remote-image/Dockerfile.Changes walkthrough 📝
create-cc-toolchain-within-image.sh
Update Bazelisk version in scriptscripts/remote-image/create-cc-toolchain-within-image.sh
BUILD.bazel
Update container image reference in BUILD.bazelcommon/remote-build/BUILD.bazel
container-imagereference to a new Docker image.Dockerfile
Update base image in dev Dockerfilescripts/dev-image/Dockerfile
selenium/selenium-remote-build:latest.shs96c/selenium-remote-build:latest.Dockerfile
Update base image and add Mozilla repositoryscripts/remote-image/Dockerfile