diff --git a/ubuntu24.04/Dockerfile b/ubuntu24.04/Dockerfile
index 27225d8e..c6be13b1 100644
--- a/ubuntu24.04/Dockerfile
+++ b/ubuntu24.04/Dockerfile
@@ -63,13 +63,8 @@ RUN echo "TARGETARCH=$TARGETARCH"
 ADD install.sh /tmp
 
-# Fetch GPG keys for CUDA repo
-RUN apt-key del 7fa2af80 && OS_ARCH=${TARGETARCH/amd64/x86_64} && OS_ARCH=${OS_ARCH/arm64/sbsa} && \
- apt-key adv --fetch-keys "https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/${OS_ARCH}/3bf863cc.pub"
-
 RUN usermod -o -u 0 -g 0 _apt && \
- /tmp/install.sh depinstall
-
+ /tmp/install.sh depinstall && /tmp/install.sh setup_cuda_repo
 
 COPY nvidia-driver /usr/local/bin
diff --git a/ubuntu24.04/install.sh b/ubuntu24.04/install.sh
index e4896d8f..aa7e4fb2 100755
--- a/ubuntu24.04/install.sh
+++ b/ubuntu24.04/install.sh
@@ -15,6 +15,7 @@ dep_install () {
 build-essential \
 ca-certificates \
 curl \
+ gpg \
 kmod \
 file \
 libelf-dev \
@@ -27,6 +28,7 @@ dep_install () {
 build-essential \
 ca-certificates \
 curl \
+ gpg \
 kmod \
 file \
 libelf-dev \
@@ -35,10 +37,23 @@ dep_install () {
 fi
 }
 
+setup_cuda_repo() {
+ # Remove any existing CUDA GPG keys that are unconditionally trusted by apt
+ apt-key del 3bf863cc
+ rm /etc/apt/sources.list.d/cuda.list
+
+ # Fetch public CUDA GPG key and configure apt to only use this key when downloading CUDA packages
+ OS_ARCH=${TARGETARCH/amd64/x86_64} && OS_ARCH=${OS_ARCH/arm64/sbsa};
+ curl -fsSL https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/${OS_ARCH}/3bf863cc.pub | gpg --dearmor -o /etc/apt/keyrings/cuda.pub;
+ echo "deb [signed-by=/etc/apt/keyrings/cuda.pub] https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/${OS_ARCH} /" > /etc/apt/sources.list.d/cuda.list
+}
+
 if [ "$1" = "depinstall" ]; then
 dep_install
 elif [ "$1" = "download_installer" ]; then
 download_installer
+elif [ "$1" = "setup_cuda_repo" ]; then
+ setup_cuda_repo
 else
 echo "Unknown function: $1"
 exit 1
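Review bot: A failed download inside `setup_cuda_repo` does not stop the function: `curl -fsSL … | gpg --dearmor -o /etc/apt/keyrings/cuda.pub;` reports only gpg's exit status, and the following `echo … > /etc/apt/sources.list.d/cuda.list` runs regardless, so a broken or substituted key is only noticed later at `apt-get update` with a signature error. Whether install.sh itself runs under `set -e`/`pipefail` is not visible in this hunk (the file header is outside it), and the Dockerfile chain `/tmp/install.sh depinstall && /tmp/install.sh setup_cuda_repo` sees only the exit status of the script's last command. `rm /etc/apt/sources.list.d/cuda.list` without `-f` also fails on a base image that does not ship that file, and an unset `TARGETARCH` leaves `${OS_ARCH}` empty in the URL. The same pipeline masking applies to the `curl … | gpg --dearmor` RUN in ubuntu24.04/precompiled/Dockerfile, where Docker's default `/bin/sh -c` has no pipefail unless a `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` instruction precedes it. A version that downloads to a temporary file and returns on the first failure is below.
```shell
setup_cuda_repo() {
    # Drop the legacy key that apt trusts for every repository, plus any stale CUDA source entry.
    apt-key del 3bf863cc
    rm -f /etc/apt/sources.list.d/cuda.list

    : "${TARGETARCH:?TARGETARCH must be set (amd64 or arm64)}"
    OS_ARCH=${TARGETARCH/amd64/x86_64} && OS_ARCH=${OS_ARCH/arm64/sbsa}

    # Download to a file first: in a pipe, gpg's exit status would hide a failed curl.
    local key_tmp
    key_tmp=$(mktemp) || return 1
    curl -fsSL -o "$key_tmp" "https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/${OS_ARCH}/3bf863cc.pub" || return 1
    install -d -m 0755 /etc/apt/keyrings
    gpg --batch --yes --dearmor -o /etc/apt/keyrings/cuda.pub "$key_tmp" || return 1
    rm -f "$key_tmp"

    # Scope the key to the CUDA repository only (signed-by), never to apt's global trust store.
    echo "deb [signed-by=/etc/apt/keyrings/cuda.pub] https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/${OS_ARCH} /" > /etc/apt/sources.list.d/cuda.list
}
```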
diff --git a/ubuntu24.04/precompiled/Dockerfile b/ubuntu24.04/precompiled/Dockerfile
index 3a16c87d..a8b77ba3 100644
--- a/ubuntu24.04/precompiled/Dockerfile
+++ b/ubuntu24.04/precompiled/Dockerfile
@@ -14,16 +14,13 @@ ENV NVIDIA_VISIBLE_DEVICES=void
 RUN echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections
 
-# Fetch GPG keys for CUDA repo
-RUN apt-key del 7fa2af80 && \
- apt-key adv --fetch-keys "https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64/3bf863cc.pub"
-
 RUN dpkg --add-architecture i386 && \
 apt-get update && apt-get install -y --no-install-recommends \
 apt-utils \
 build-essential \
 ca-certificates \
 curl \
+ gpg \
 kmod \
 file \
 libelf-dev \
@@ -31,6 +28,12 @@ RUN dpkg --add-architecture i386 && \
 pkg-config && \
 rm -rf /var/lib/apt/lists/*
 
+# Fetch GPG keys for CUDA repo
+RUN apt-key del 3bf863cc && \
+ rm /etc/apt/sources.list.d/cuda.list && \
+ curl -fsSL https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64/3bf863cc.pub | gpg --dearmor -o /etc/apt/keyrings/cuda.pub && \
+ echo "deb [signed-by=/etc/apt/keyrings/cuda.pub] https://developer.download.nvidia.com/compute/cuda/repos/ubuntu2404/x86_64 /" > /etc/apt/sources.list.d/cuda.list
+
 RUN usermod -o -u 0 -g 0 _apt
 
 # Install / upgrade packages here that are required to resolve CVEs
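Review bot: The key written to `/etc/apt/keyrings/cuda.pub` is trusted solely because the TLS download succeeded; nothing in the RUN checks that the fetched key is the expected NVIDIA key, so an unexpected CDN response would be accepted and, via `signed-by`, would authenticate the repository metadata for every CUDA package installed afterwards. Pinning the fingerprint after the dearmor is a one-line check, e.g. `gpg --show-keys --with-fingerprint /etc/apt/keyrings/cuda.pub | grep -q '<EXPECTED_CUDA_KEY_FINGERPRINT>' || exit 1`, with the fingerprint taken from NVIDIA's published documentation rather than from the download itself. The same applies to `setup_cuda_repo` in ubuntu24.04/install.sh. As a point of style, `gpg --dearmor` emits a binary keyring, so a name like `cuda.gpg` would describe the file better than `cuda.pub`, which suggests the ASCII-armored input it was converted from.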