coder · johnstcn · May 19, 2023 · May 19, 2023 · May 19, 2023 · May 19, 2023
diff --git a/dogfood/Dockerfile b/dogfood/Dockerfile
@@ -226,7 +226,7 @@ ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \
 
 # cloud_sql_proxy, for connecting to cloudsql instances
 # the upstream go.mod prevents this from being installed with go install
-RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_proxy "https://storage.googleapis.com/cloudsql-proxy/v${CLOUD_SQL_PROXY_VERSION}/cloud_sql_proxy.linux.amd64" && \
+RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_proxy "https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v${CLOUD_SQL_PROXY_VERSION}/cloud-sql-proxy.linux.amd64" && \
 	chmod a=rx /usr/local/bin/cloud_sql_proxy && \
 	# dive for scanning image layer utilization metrics in CI
 	curl --silent --show-error --location "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.tar.gz" | \
@@ -246,8 +246,7 @@ RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_prox
 	tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \
 	# kube-linter for linting Kubernetes objects, including those
 	# that Helm generates from our charts
-	curl --silent --show-error --location "https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- kube-linter && \
+	curl --silent --show-error --location "https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux" --output /usr/local/bin/kube-linter && \
 	# kubens and kubectx for managing Kubernetes namespaces and contexts
 	curl --silent --show-error --location "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
 	tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \

diff --git a/dogfood/files/usr/share/keyrings/ansible.gpg b/dogfood/files/usr/share/keyrings/ansible.gpg
diff --git a/dogfood/files/usr/share/keyrings/docker.gpg b/dogfood/files/usr/share/keyrings/docker.gpg
diff --git a/dogfood/files/usr/share/keyrings/github-cli.gpg b/dogfood/files/usr/share/keyrings/github-cli.gpg
diff --git a/dogfood/files/usr/share/keyrings/google-chrome.gpg b/dogfood/files/usr/share/keyrings/google-chrome.gpg
diff --git a/dogfood/files/usr/share/keyrings/google-cloud.gpg b/dogfood/files/usr/share/keyrings/google-cloud.gpg
diff --git a/dogfood/files/usr/share/keyrings/hashicorp.gpg b/dogfood/files/usr/share/keyrings/hashicorp.gpg
diff --git a/dogfood/files/usr/share/keyrings/microsoft.gpg b/dogfood/files/usr/share/keyrings/microsoft.gpg
diff --git a/dogfood/files/usr/share/keyrings/neovim.gpg b/dogfood/files/usr/share/keyrings/neovim.gpg
diff --git a/dogfood/files/usr/share/keyrings/nodesource.gpg b/dogfood/files/usr/share/keyrings/nodesource.gpg
diff --git a/dogfood/files/usr/share/keyrings/postgresql.gpg b/dogfood/files/usr/share/keyrings/postgresql.gpg
diff --git a/dogfood/files/usr/share/keyrings/yarnpkg.gpg b/dogfood/files/usr/share/keyrings/yarnpkg.gpg
diff --git a/dogfood/update-keys.sh b/dogfood/update-keys.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+PROJECT_ROOT="$(git rev-parse --show-toplevel)"
+
+curl_flags=(
+  --silent
+  --show-error
+  --location
+)
+
+gpg_flags=(
+  --dearmor
+  --yes
+)
+
+pushd "$PROJECT_ROOT/dogfood/files/usr/share/keyrings"
+  # Upstream Docker signing key
+  curl "${curl_flags[@]}" "https://download.docker.com/linux/ubuntu/gpg" | \
+    gpg "${gpg_flags[@]}" --output="docker.gpg"
+
+  # Google Cloud signing key
+  curl "${curl_flags[@]}" "https://packages.cloud.google.com/apt/doc/apt-key.gpg" | \
+    gpg "${gpg_flags[@]}" --output="google-cloud.gpg"
+
+  # Google Linux Software repository signing key (Chrome)
+  curl "${curl_flags[@]}" "https://dl.google.com/linux/linux_signing_key.pub" | \
+    gpg "${gpg_flags[@]}" --output="google-chrome.gpg"
+
+  # Microsoft repository signing key (Edge)
+  curl "${curl_flags[@]}" "https://packages.microsoft.com/keys/microsoft.asc" | \
+    gpg "${gpg_flags[@]}" --output="microsoft.gpg"
+
+  # Upstream PostgreSQL signing key
+  curl "${curl_flags[@]}" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" | \
+    gpg "${gpg_flags[@]}" --output="postgresql.gpg"
+
+  # NodeSource signing key
+  curl "${curl_flags[@]}" "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" | \
+    gpg "${gpg_flags[@]}" --output="nodesource.gpg"
+
+  # Yarnpkg signing key
+  curl "${curl_flags[@]}" "https://dl.yarnpkg.com/debian/pubkey.gpg" | \
+    gpg "${gpg_flags[@]}" --output="yarnpkg.gpg"
+
+  # Ansible PPA signing key
+  curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6125e2a8c77f2818fb7bd15b93c4a3fd7bb9c367" | \
+    gpg "${gpg_flags[@]}" --output="ansible.gpg"
+
+  # Neovim signing key
+  curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9dbb0be9366964f134855e2255f96fcf8231b6dd" | \
+    gpg "${gpg_flags[@]}" --output="neovim.gpg"
+
+  # Hashicorp signing key
+  curl "${curl_flags[@]}" "https://apt.releases.hashicorp.com/gpg" | \
+    gpg "${gpg_flags[@]}" --output="hashicorp.gpg"
+
+  # GitHub CLI signing key
+  curl "${curl_flags[@]}" "https://cli.github.com/packages/githubcli-archive-keyring.gpg" | \
+    gpg "${gpg_flags[@]}" --output="github-cli.gpg"
+popd