From baa733e60df973c20b109883eb77a903e706fb12 Mon Sep 17 00:00:00 2001
From: Luke Childs <lukechilds123@gmail.com>
Date: Sat, 21 Jan 2023 16:40:16 +0000
Subject: [PATCH] Fix key verification for v22 and up

---
 Dockerfile | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f269408..c6f55f9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,24 +1,40 @@
-ARG ARCH=amd64
-ARG VERSION=0.19.1
+ARG ARCH="amd64"
+ARG VERSION="0.19.1"
+
+ARG LEGACY_BITCOIN_CORE_RELEASE_KEY="01EA5486DE18A882D4C2684590C8019E36C2E964"
+ARG ANDREW_CHOW="152812300785C96444D3334D17565732E08E5E41"
+ARG JON_ATACK="82921A4B88FD454B7EB8CE3C796C4109063D4EAF"
+ARG JONAS_SCHNELLI="32EE5C4C3FA15CCADB46ABE529D4BCB6416F53EC"
+ARG MATT_CORALLO="07DF3E57A548CCFB7530709189BBB8663E2E65CE"
+ARG LUKE_DASHJR="E463A93F5F3117EEDE6C7316BD02942421F4889F"
+ARG PETER_TODD="37EC7D7B0A217CDB4B4E007E7FAB114267E4FA04"
+ARG PIETER_WUILLE="133EAC179436F14A5CF1B794860FEB804E669320"
+ARG SJORS_PROVOOST="ED9BDF7AD6A55E232E84524257FF9BDBCC301009"
+ARG KEYS="${LEGACY_BITCOIN_CORE_RELEASE_KEY} ${ANDREW_CHOW} ${JON_ATACK} ${JONAS_SCHNELLI} ${MATT_CORALLO} ${LUKE_DASHJR} ${PETER_TODD} ${PIETER_WUILLE} ${SJORS_PROVOOST}"
 
 FROM $ARCH/debian:stable-slim
 LABEL maintainer="Luke Childs <lukechilds123@gmail.com>"
 
 ARG ARCH
 ARG VERSION
+ARG KEYS
 
 RUN cd /tmp && \
-    if [ "${ARCH}" = "amd64" ]; then export TARBALL_ARCH=x86_64-linux-gnu; fi && \
-    if [ "${ARCH}" = "arm64v8" ]; then export TARBALL_ARCH=aarch64-linux-gnu; fi && \
-    if [ "${ARCH}" = "arm32v7" ]; then export TARBALL_ARCH=arm-linux-gnueabihf; fi && \
+    if [ "${ARCH}" = "amd64" ]; then TARBALL_ARCH=x86_64-linux-gnu; fi && \
+    if [ "${ARCH}" = "arm64v8" ]; then TARBALL_ARCH=aarch64-linux-gnu; fi && \
+    if [ "${ARCH}" = "arm32v7" ]; then TARBALL_ARCH=arm-linux-gnueabihf; fi && \
     TARBALL="bitcoin-${VERSION}-${TARBALL_ARCH}.tar.gz" && \
     apt-get update && \
     apt-get install -y wget gpg && \
     wget https://bitcoincore.org/bin/bitcoin-core-${VERSION}/${TARBALL} && \
+    # This file only exists after v22
+    wget https://bitcoincore.org/bin/bitcoin-core-${VERSION}/SHA256SUMS || true && \
     wget https://bitcoincore.org/bin/bitcoin-core-${VERSION}/SHA256SUMS.asc && \
-    gpg --keyserver keyserver.ubuntu.com --recv-keys 01EA5486DE18A882D4C2684590C8019E36C2E964 && \
-    gpg --verify SHA256SUMS.asc && \
-    grep $TARBALL SHA256SUMS.asc | sha256sum -c && \
+    gpg --keyserver keyserver.ubuntu.com --recv-keys $KEYS && \
+    gpg --verify SHA256SUMS.asc 2>&1 >/dev/null | grep "^gpg: Good signature from" || { echo "No valid signature"; exit 1; } && \
+    if [ -f SHA256SUMS ]; then CHECKSUM_FILE="SHA256SUMS"; else CHECKSUM_FILE="SHA256SUMS.asc"; fi && \
+    grep $TARBALL $CHECKSUM_FILE | sha256sum -c && \
+    # sha256sum -c --ignore-missing "${CHECKSUM_FILE}" \
     tar -zxvf $TARBALL --strip-components=1 && \
     mv bin/bitcoind /usr/local/bin/ && \
     mv bin/bitcoin-cli /usr/local/bin/ && \