From 79bf2fe42dcf1df2dbf414341aaa2614f65900bc Mon Sep 17 00:00:00 2001 From: Daniel Fiala Date: Fri, 20 Sep 2024 07:26:15 +0200 Subject: [PATCH] Remove gpg, multistage from windowservercore images and use NODE_CHECKSUM Signed-off-by: Daniel Fiala --- .github/workflows/build-test-windows.yml | 6 +- 22/windowsservercore-ltsc2019/Dockerfile | 60 +++---------------- .../docker-entrypoint.ps1 | 16 ----- 22/windowsservercore-ltsc2022/Dockerfile | 60 +++---------------- .../docker-entrypoint.ps1 | 16 ----- Dockerfile-windows.template | 45 ++------------ docker-entrypoint.ps1 | 16 ----- update.sh | 2 - 8 files changed, 22 insertions(+), 199 deletions(-) delete mode 100644 22/windowsservercore-ltsc2019/docker-entrypoint.ps1 delete mode 100644 22/windowsservercore-ltsc2022/docker-entrypoint.ps1 delete mode 100644 docker-entrypoint.ps1 diff --git a/.github/workflows/build-test-windows.yml b/.github/workflows/build-test-windows.yml index 4565f16bc..1a5bc0c0c 100644 --- a/.github/workflows/build-test-windows.yml +++ b/.github/workflows/build-test-windows.yml @@ -98,15 +98,15 @@ jobs: exit 1 } - - name: Verify entrypoint runs regular, non-executable files with node + - name: Verify node runs regular files shell: pwsh run: | $tempDir = New-Item -ItemType Directory -Path $env:TEMP -Name "tempNodeApp" $tmp_file = Join-Path $tempDir "index.js" "console.log('success')" | Out-File -FilePath $tmp_file -Encoding utf8 - $output = (docker run --rm -w /app --mount "type=bind,src=$tempDir,target=c:\app" node:${{ matrix.version }}-${{ matrix.variant }} C:/app/index.js) + $output = (docker run --rm -w /app --mount "type=bind,src=$tempDir,target=c:\app" node:${{ matrix.version }}-${{ matrix.variant }} node C:/app/index.js) if ($output -ne 'success') { - Write-Host "Invalid" + exit 1 } - name: Test for npm diff --git a/22/windowsservercore-ltsc2019/Dockerfile b/22/windowsservercore-ltsc2019/Dockerfile index 1a0e2e037..03aa9a01a 100644 --- a/22/windowsservercore-ltsc2019/Dockerfile 
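Review bot: In the `Verify node runs regular files` step of build-test-windows.yml, the failure branch now exits without printing what the container returned. A red job then gives no hint whether `docker run` failed, the bind mount was empty, or node printed something else. Printing the captured value before exiting keeps the new hard failure and makes it diagnosable: `Write-Host "Unexpected output: $output"` on the line before `exit 1`.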
+++ b/22/windowsservercore-ltsc2019/Dockerfile 
@@ -3,66 +3,20 @@ FROM mcr.microsoft.com/windows/servercore:ltsc2019 as installer SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] # PATH isn't actually set in the Docker image, so we have to set it from within the container -RUN $newPath = ('C:\Program Files (x86)\GnuPG\bin;{0}' -f $env:PATH); \ - Write-Host ('Updating PATH: {0}' -f $newPath); \ +RUN $newPath = ('C:\nodejs;{0};{0}' -f $env:PATH); \ [Environment]::SetEnvironmentVariable('PATH', $newPath, [EnvironmentVariableTarget]::Machine) # doing this first to share cache across versions more aggressively -ENV NODE_VERSION 22.8.0 -ENV NODE_CHECKSUM d6e1c4fca93997224cac0bec09b4201aa018f50171d38c6b85abe483012839c9 +ENV NODE_VERSION 22.9.0 +ENV NODE_CHECKSUM 8af226c0aa71fefe5228e881f4b5c5d90a8b41c290b96f44f56990d8dc3fac1c -# Version and checksum of the GPG installer (Source: https://www.gnupg.org/download/integrity_check.html) -ENV GPG_VERSION 2.4.5_20240307 -ENV GPG_CHECKSUM d2ac821ceacf9409ebcdb42ae330087ada30c732981f00b356f9c2f08fac4dc1 - -RUN Invoke-WebRequest $('https://www.gnupg.org/ftp/gcrypt/binary/gnupg-w32-{0}.exe' -f $env:GPG_VERSION) -OutFile 'gpg-installer.exe'; \ - if ((Get-FileHash gpg-installer.exe -Algorithm sha256).Hash -ne $env:GPG_CHECKSUM) { Write-Error 'GPG checksum mismatch' }; \ - Start-Process -FilePath 'gpg-installer.exe' -ArgumentList '/S' -Wait; \ - gpg --version; - -RUN @( \ - '4ED778F539E3634C779C87C6D7062848A1AB005C', \ - '141F07595B7B3FFE74309A937405533BE57C7D57', \ - '74F12602B6F1C4E913FAA37AD3A89613643B6201', \ - 'DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7', \ - '61FC681DFB92A079F1685E77973F295594EC4689', \ - '8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600', \ - 'C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8', \ - '890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4', \ - 'C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C', \ - '108F52B48DB57BB0CC439B2997B01419BD92F80A', \ - 'A363A499291CBBC940DD62E41F10027AF002F8B0', \ - 
'CC68F5A3106FF448322E48ED27F5E38D5B0A215F' \ - ) | foreach { \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys $_ ; \ - if (-not $?) { \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys $_ ; \ - } \ - } ; \ - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; \ - Invoke-WebRequest $('https://nodejs.org/dist/v{0}/SHASUMS256.txt.asc' -f $env:NODE_VERSION) -OutFile 'SHASUMS256.txt.asc' -UseBasicParsing ; \ - gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc ; \ +RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; \ Invoke-WebRequest $('https://nodejs.org/dist/v{0}/node-v{0}-win-x64.zip' -f $env:NODE_VERSION) -OutFile 'node.zip' -UseBasicParsing ; \ - $sum = $(cat SHASUMS256.txt.asc | sls $(' node-v{0}-win-x64.zip' -f $env:NODE_VERSION)) -Split ' ' ; \ - if ((Get-FileHash node.zip -Algorithm sha256).Hash -ne $sum[0]) { Write-Error 'SHA256 mismatch' } ; \ + if ((Get-FileHash node.zip -Algorithm sha256).Hash -ne $env:NODE_CHECKSUM) { Write-Error 'SHA256 mismatch' } ; \ Expand-Archive node.zip -DestinationPath C:\ ; \ - Rename-Item -Path $('C:\node-v{0}-win-x64' -f $env:NODE_VERSION) -NewName 'C:\nodejs' - -FROM mcr.microsoft.com/windows/servercore:ltsc2019 as runner - -SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] - -COPY --from=installer C:/nodejs C:/nodejs -COPY docker-entrypoint.ps1 C:/docker-entrypoint.ps1 - -RUN $newPath = ('C:\nodejs;{0}' -f $env:PATH); \ - Write-Host ('Updating PATH: {0}' -f $newPath); \ - [Environment]::SetEnvironmentVariable('PATH', $newPath, [EnvironmentVariableTarget]::Machine); \ - # Because we need to use it in the current session - $env:PATH = $newPath; \ + Rename-Item -Path $('C:\node-v{0}-win-x64' -f $env:NODE_VERSION) -NewName 'C:\nodejs' ; \ + Remove-Item node.zip -Force ; \ node --version; \ npm --version; -ENTRYPOINT [ "powershell.exe" , "C:/docker-entrypoint.ps1" ] - 
CMD [ "node.exe" ] diff --git a/22/windowsservercore-ltsc2019/docker-entrypoint.ps1 b/22/windowsservercore-ltsc2019/docker-entrypoint.ps1 deleted file mode 100644 index 016d737b7..000000000 --- a/22/windowsservercore-ltsc2019/docker-entrypoint.ps1 +++ /dev/null @@ -1,16 +0,0 @@ -# Ensure script stops on any error -$ErrorActionPreference = 'Stop' - -# Check if the first argument: -# 1. Contains a "-" -# 2. Is NOT a recognized command -# 3. Is a file that's NOT executable -if (($args[0] -like '*-') -or - (!(Get-Command $args[0] -ErrorAction SilentlyContinue)) -or - (((Test-Path $args[0] -PathType Leaf)) -and -not ((Get-Item $args[0]).Attributes -band 'ReadOnly'))) { - # Prepend 'node' to the argument list - $args = @('node') + $args -} - -# Execute the (potentially modified) command -& $args[0] $args[1..($args.Length-1)] diff --git a/22/windowsservercore-ltsc2022/Dockerfile b/22/windowsservercore-ltsc2022/Dockerfile index f88b0c2d5..eae112a63 100644 --- a/22/windowsservercore-ltsc2022/Dockerfile +++ b/22/windowsservercore-ltsc2022/Dockerfile 
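Review bot: The new PATH line `RUN $newPath = ('C:\nodejs;{0};{0}' -f $env:PATH); \` expands `{0}` twice, so the machine PATH is written as `C:\nodejs` followed by two copies of the existing PATH. That looks like a slip rather than intent; `RUN $newPath = ('C:\nodejs;{0}' -f $env:PATH); \` gives the single prepend that the removed runner stage used. The same line appears in the 22/windowsservercore-ltsc2022/Dockerfile hunk and in Dockerfile-windows.template, and the template is presumably where it should be fixed so regenerated files pick it up. Separately, the `as installer` stage name on the FROM line in the hunk header is left over now that the build has a single stage.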
@@ -3,66 +3,20 @@ FROM mcr.microsoft.com/windows/servercore:ltsc2022 as installer SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] # PATH isn't actually set in the Docker image, so we have to set it from within the container -RUN $newPath = ('C:\Program Files (x86)\GnuPG\bin;{0}' -f $env:PATH); \ - Write-Host ('Updating PATH: {0}' -f $newPath); \ +RUN $newPath = ('C:\nodejs;{0};{0}' -f $env:PATH); \ [Environment]::SetEnvironmentVariable('PATH', $newPath, [EnvironmentVariableTarget]::Machine) # doing this first to share cache across versions more aggressively -ENV NODE_VERSION 22.8.0 -ENV NODE_CHECKSUM d6e1c4fca93997224cac0bec09b4201aa018f50171d38c6b85abe483012839c9 +ENV NODE_VERSION 22.9.0 +ENV NODE_CHECKSUM 8af226c0aa71fefe5228e881f4b5c5d90a8b41c290b96f44f56990d8dc3fac1c -# Version and checksum of the GPG installer (Source: https://www.gnupg.org/download/integrity_check.html) -ENV GPG_VERSION 2.4.5_20240307 -ENV GPG_CHECKSUM d2ac821ceacf9409ebcdb42ae330087ada30c732981f00b356f9c2f08fac4dc1 - -RUN Invoke-WebRequest $('https://www.gnupg.org/ftp/gcrypt/binary/gnupg-w32-{0}.exe' -f $env:GPG_VERSION) -OutFile 'gpg-installer.exe'; \ - if ((Get-FileHash gpg-installer.exe -Algorithm sha256).Hash -ne $env:GPG_CHECKSUM) { Write-Error 'GPG checksum mismatch' }; \ - Start-Process -FilePath 'gpg-installer.exe' -ArgumentList '/S' -Wait; \ - gpg --version; - -RUN @( \ - '4ED778F539E3634C779C87C6D7062848A1AB005C', \ - '141F07595B7B3FFE74309A937405533BE57C7D57', \ - '74F12602B6F1C4E913FAA37AD3A89613643B6201', \ - 'DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7', \ - '61FC681DFB92A079F1685E77973F295594EC4689', \ - '8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600', \ - 'C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8', \ - '890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4', \ - 'C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C', \ - '108F52B48DB57BB0CC439B2997B01419BD92F80A', \ - 'A363A499291CBBC940DD62E41F10027AF002F8B0', \ - 
'CC68F5A3106FF448322E48ED27F5E38D5B0A215F' \ - ) | foreach { \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys $_ ; \ - if (-not $?) { \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys $_ ; \ - } \ - } ; \ - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; \ - Invoke-WebRequest $('https://nodejs.org/dist/v{0}/SHASUMS256.txt.asc' -f $env:NODE_VERSION) -OutFile 'SHASUMS256.txt.asc' -UseBasicParsing ; \ - gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc ; \ +RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; \ Invoke-WebRequest $('https://nodejs.org/dist/v{0}/node-v{0}-win-x64.zip' -f $env:NODE_VERSION) -OutFile 'node.zip' -UseBasicParsing ; \ - $sum = $(cat SHASUMS256.txt.asc | sls $(' node-v{0}-win-x64.zip' -f $env:NODE_VERSION)) -Split ' ' ; \ - if ((Get-FileHash node.zip -Algorithm sha256).Hash -ne $sum[0]) { Write-Error 'SHA256 mismatch' } ; \ + if ((Get-FileHash node.zip -Algorithm sha256).Hash -ne $env:NODE_CHECKSUM) { Write-Error 'SHA256 mismatch' } ; \ Expand-Archive node.zip -DestinationPath C:\ ; \ - Rename-Item -Path $('C:\node-v{0}-win-x64' -f $env:NODE_VERSION) -NewName 'C:\nodejs' - -FROM mcr.microsoft.com/windows/servercore:ltsc2022 as runner - -SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] - -COPY --from=installer C:/nodejs C:/nodejs -COPY docker-entrypoint.ps1 C:/docker-entrypoint.ps1 - -RUN $newPath = ('C:\nodejs;{0}' -f $env:PATH); \ - Write-Host ('Updating PATH: {0}' -f $newPath); \ - [Environment]::SetEnvironmentVariable('PATH', $newPath, [EnvironmentVariableTarget]::Machine); \ - # Because we need to use it in the current session - $env:PATH = $newPath; \ + Rename-Item -Path $('C:\node-v{0}-win-x64' -f $env:NODE_VERSION) -NewName 'C:\nodejs' ; \ + Remove-Item node.zip -Force ; \ node --version; \ npm --version; -ENTRYPOINT [ "powershell.exe" , "C:/docker-entrypoint.ps1" ] - 
CMD [ "node.exe" ] diff --git a/22/windowsservercore-ltsc2022/docker-entrypoint.ps1 b/22/windowsservercore-ltsc2022/docker-entrypoint.ps1 deleted file mode 100644 index 016d737b7..000000000 --- a/22/windowsservercore-ltsc2022/docker-entrypoint.ps1 +++ /dev/null @@ -1,16 +0,0 @@ -# Ensure script stops on any error -$ErrorActionPreference = 'Stop' - -# Check if the first argument: -# 1. Contains a "-" -# 2. Is NOT a recognized command -# 3. Is a file that's NOT executable -if (($args[0] -like '*-') -or - (!(Get-Command $args[0] -ErrorAction SilentlyContinue)) -or - (((Test-Path $args[0] -PathType Leaf)) -and -not ((Get-Item $args[0]).Attributes -band 'ReadOnly'))) { - # Prepend 'node' to the argument list - $args = @('node') + $args -} - -# Execute the (potentially modified) command -& $args[0] $args[1..($args.Length-1)] diff --git a/Dockerfile-windows.template b/Dockerfile-windows.template index c99ee905c..97b174e23 100644 --- a/Dockerfile-windows.template +++ b/Dockerfile-windows.template 
@@ -3,55 +3,20 @@ FROM mcr.microsoft.com/windows/servercore:version as installer SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] # PATH isn't actually set in the Docker image, so we have to set it from within the container -RUN $newPath = ('C:\Program Files (x86)\GnuPG\bin;{0}' -f $env:PATH); \ - Write-Host ('Updating PATH: {0}' -f $newPath); \ +RUN $newPath = ('C:\nodejs;{0};{0}' -f $env:PATH); \ [Environment]::SetEnvironmentVariable('PATH', $newPath, [EnvironmentVariableTarget]::Machine) # doing this first to share cache across versions more aggressively ENV NODE_VERSION 0.0.0 ENV NODE_CHECKSUM CHECKSUM_x64 -# Version and checksum of the GPG installer (Source: https://www.gnupg.org/download/integrity_check.html) -ENV GPG_VERSION 2.4.5_20240307 -ENV GPG_CHECKSUM d2ac821ceacf9409ebcdb42ae330087ada30c732981f00b356f9c2f08fac4dc1 - -RUN Invoke-WebRequest $('https://www.gnupg.org/ftp/gcrypt/binary/gnupg-w32-{0}.exe' -f $env:GPG_VERSION) -OutFile 'gpg-installer.exe'; \ - if ((Get-FileHash gpg-installer.exe -Algorithm sha256).Hash -ne $env:GPG_CHECKSUM) { Write-Error 'GPG checksum mismatch' }; \ - Start-Process -FilePath 'gpg-installer.exe' -ArgumentList '/S' -Wait; \ - gpg --version; - -RUN @( \ - "${NODE_KEYS[@]}" - ) | foreach { \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys $_ ; \ - if (-not $?) 
{ \ - gpg --batch --keyserver keyserver.ubuntu.com --recv-keys $_ ; \ - } \ - } ; \ - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; \ - Invoke-WebRequest $('https://nodejs.org/dist/v{0}/SHASUMS256.txt.asc' -f $env:NODE_VERSION) -OutFile 'SHASUMS256.txt.asc' -UseBasicParsing ; \ - gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc ; \ +RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 ; \ Invoke-WebRequest $('https://nodejs.org/dist/v{0}/node-v{0}-win-x64.zip' -f $env:NODE_VERSION) -OutFile 'node.zip' -UseBasicParsing ; \ - $sum = $(cat SHASUMS256.txt.asc | sls $(' node-v{0}-win-x64.zip' -f $env:NODE_VERSION)) -Split ' ' ; \ - if ((Get-FileHash node.zip -Algorithm sha256).Hash -ne $sum[0]) { Write-Error 'SHA256 mismatch' } ; \ + if ((Get-FileHash node.zip -Algorithm sha256).Hash -ne $env:NODE_CHECKSUM) { Write-Error 'SHA256 mismatch' } ; \ Expand-Archive node.zip -DestinationPath C:\ ; \ - Rename-Item -Path $('C:\node-v{0}-win-x64' -f $env:NODE_VERSION) -NewName 'C:\nodejs' - -FROM mcr.microsoft.com/windows/servercore:version as runner - -SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"] - -COPY --from=installer C:/nodejs C:/nodejs -COPY docker-entrypoint.ps1 C:/docker-entrypoint.ps1 - -RUN $newPath = ('C:\nodejs;{0}' -f $env:PATH); \ - Write-Host ('Updating PATH: {0}' -f $newPath); \ - [Environment]::SetEnvironmentVariable('PATH', $newPath, [EnvironmentVariableTarget]::Machine); \ - # Because we need to use it in the current session - $env:PATH = $newPath; \ + Rename-Item -Path $('C:\node-v{0}-win-x64' -f $env:NODE_VERSION) -NewName 'C:\nodejs' ; \ + Remove-Item node.zip -Force ; \ node --version; \ npm --version; -ENTRYPOINT [ "powershell.exe" , "C:/docker-entrypoint.ps1" ] - CMD [ "node.exe" ] diff --git a/docker-entrypoint.ps1 b/docker-entrypoint.ps1 deleted file mode 100644 index 016d737b7..000000000 
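Review bot: With the GPG step gone, the comparison against `$env:NODE_CHECKSUM` is the only integrity control on node.zip, and this template takes that value from the `CHECKSUM_x64` placeholder without saying where it comes from. How the placeholder gets filled is not visible in this patch. If the updater reads SHASUMS256.txt over HTTPS without checking its signature, release-key verification is lost rather than moved to update time. I would add a comment above the ENV line such as `# NODE_CHECKSUM is the only integrity check for node.zip; take it from a signature-verified SHASUMS256.txt`, and confirm the update script does that.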
--- a/docker-entrypoint.ps1 +++ /dev/null @@ -1,16 +0,0 @@ -# Ensure script stops on any error -$ErrorActionPreference = 'Stop' - -# Check if the first argument: -# 1. Contains a "-" -# 2. Is NOT a recognized command -# 3. Is a file that's NOT executable -if (($args[0] -like '*-') -or - (!(Get-Command $args[0] -ErrorAction SilentlyContinue)) -or - (((Test-Path $args[0] -PathType Leaf)) -and -not ((Get-Item $args[0]).Attributes -band 'ReadOnly'))) { - # Prepend 'node' to the argument list - $args = @('node') + $args -} - -# Execute the (potentially modified) command -& $args[0] $args[1..($args.Length-1)] diff --git a/update.sh b/update.sh index ea7698827..bbdd4e34e 100755 --- a/update.sh +++ b/update.sh @@ -269,8 +269,6 @@ for version in "${versions[@]}"; do # Copy .sh only if not is_windows if ! is_windows "${variant}"; then cp "${parentpath}/docker-entrypoint.sh" "${version}/${variant}/docker-entrypoint.sh" - elif is_windows "${variant}"; then - cp "${parentpath}/docker-entrypoint.ps1" "${version}/${variant}/docker-entrypoint.ps1" fi if [ "${update_version}" -eq 0 ] && [ "${update_variant}" -eq 0 ]; then