From b29e913efedcd54860ba47948d2776fa88d0e8cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=8B=8F=E6=95=8F=E7=AB=A50668001043?= Date: Tue, 3 Mar 2026 09:46:06 +0800 Subject: [PATCH] fix(docker): correct awk quoting in Docker GPG fingerprint check (#32153) --- Dockerfile | 2 +- src/dockerfile.test.ts | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 40a5fbc2d..b314ca328 100644 --- a/Dockerfile +++ b/Dockerfile @@ -72,7 +72,7 @@ RUN if [ -n "$OPENCLAW_INSTALL_DOCKER_CLI" ]; then \ # Update OPENCLAW_DOCKER_GPG_FINGERPRINT when Docker rotates release keys. curl -fsSL https://download.docker.com/linux/debian/gpg -o /tmp/docker.gpg.asc && \ expected_fingerprint="$(printf '%s' "$OPENCLAW_DOCKER_GPG_FINGERPRINT" | tr '[:lower:]' '[:upper:]' | tr -d '[:space:]')" && \ - actual_fingerprint="$(gpg --batch --show-keys --with-colons /tmp/docker.gpg.asc | awk -F: '$1 == \"fpr\" { print toupper($10); exit }')" && \ + actual_fingerprint="$(gpg --batch --show-keys --with-colons /tmp/docker.gpg.asc | awk -F: '$1 == "fpr" { print toupper($10); exit }')" && \ if [ -z "$actual_fingerprint" ] || [ "$actual_fingerprint" != "$expected_fingerprint" ]; then \ echo "ERROR: Docker apt key fingerprint mismatch (expected $expected_fingerprint, got ${actual_fingerprint:-})" >&2; \ exit 1; \ diff --git a/src/dockerfile.test.ts b/src/dockerfile.test.ts index 325987e2b..4600e446a 100644 --- a/src/dockerfile.test.ts +++ b/src/dockerfile.test.ts @@ -27,4 +27,10 @@ describe("Dockerfile", () => { expect(dockerfile).toContain('find "$dir" -type d -exec chmod 755 {} +'); expect(dockerfile).toContain('find "$dir" -type f -exec chmod 644 {} +'); }); + + it("Docker GPG fingerprint awk uses correct quoting for OPENCLAW_SANDBOX=1 build", async () => { + const dockerfile = await readFile(dockerfilePath, "utf8"); + expect(dockerfile).toContain('== "fpr" {'); + expect(dockerfile).not.toContain('\\"fpr\\"'); + }); });