move WAR and GPG verification to the intermediate image

Author: lemeurherve

alpine/hotspot/Dockerfile

@@ -1,6 +1,6 @@
 ARG ALPINE_TAG=3.23.2
 
-FROM alpine:"${ALPINE_TAG}" AS jre-build
+FROM alpine:"${ALPINE_TAG}" AS jre-and-war
 
 ARG JAVA_VERSION=17.0.17_10
 
@@ -11,6 +11,7 @@ COPY jdk-download.sh /usr/bin/jdk-download.sh
 
 RUN apk add --no-cache \
     ca-certificates \
+    gnupg \
     jq \
     curl \
     && rm -fr /var/cache/apk/* \
@@ -40,6 +41,20 @@ RUN java_major_version="$(jlink --version 2>&1 | cut -c1-2)"; \
         --output /javaruntime; \
     fi
 
+# Jenkins version being bundled in this docker image
+ARG JENKINS_VERSION=2.547
+# Can be used to customize where jenkins.war get downloaded from
+ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
+
+COPY jenkins.io-2026.key /war/jenkins-key.pub
+
+# Not using ADD as it does not check Last-Modified header
+# see https://github.com/docker/docker/issues/8331
+RUN curl -fsSL "${WAR_URL}" -o /war/jenkins.war \
+  && curl -fsSL "${WAR_URL}.asc" -o /war/jenkins.war.asc \
+  && gpg --import /war/jenkins-key.pub \
+  && gpg --verify --trust-model direct /war/jenkins.war.asc /war/jenkins.war
+
 FROM alpine:"${ALPINE_TAG}" AS controller
 
 RUN apk add --no-cache \
@@ -48,7 +63,6 @@ RUN apk add --no-cache \
     curl \
     git \
     git-lfs \
-    gnupg \
     musl-locales \
     musl-locales-lang \
     openssh-client \
@@ -93,22 +107,6 @@ VOLUME $JENKINS_HOME
 # or config file with your custom jenkins Docker image.
 RUN mkdir -p ${REF}/init.groovy.d
 
-# jenkins version being bundled in this docker image
-ARG JENKINS_VERSION
-ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
-
-# Can be used to customize where jenkins.war get downloaded from
-ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
-COPY jenkins.io-2026.key /tmp/jenkins-key.pub
-
-# could use ADD but this one does not check Last-Modified header
-# see https://github.com/docker/docker/issues/8331
-RUN curl -fsSL "${WAR_URL}" -o /usr/share/jenkins/jenkins.war \
-  && curl -fsSL "${WAR_URL}.asc" -o /tmp/jenkins.war.asc \
-  && gpg --import /tmp/jenkins-key.pub \
-  && gpg --verify --trust-model direct /tmp/jenkins.war.asc /usr/share/jenkins/jenkins.war \
-  && rm -f /tmp/*
-
 ENV JENKINS_UC=https://updates.jenkins.io
 ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
 ENV JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals
@@ -131,14 +129,17 @@ ENV COPY_REFERENCE_FILE_LOG=$JENKINS_HOME/copy_reference_file.log
 
 ENV JAVA_HOME=/opt/java/openjdk
 ENV PATH="${JAVA_HOME}/bin:${PATH}"
-COPY --from=jre-build /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /war/jenkins.war /usr/share/jenkins/jenkins.war
 
 USER ${user}
 
 COPY jenkins-support /usr/local/bin/jenkins-support
 COPY jenkins.sh /usr/local/bin/jenkins.sh
 COPY jenkins-plugin-cli.sh /bin/jenkins-plugin-cli
 
+ARG JENKINS_VERSION=2.547
+
 ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/jenkins.sh"]
 
 # metadata labels

debian/Dockerfile

@@ -3,7 +3,7 @@ ARG TRIXIE_TAG=20251103
 ARG DEBIAN_RELEASE_LINE=trixie
 ARG DEBIAN_VERSION=20251117
 ARG DEBIAN_VARIANT="-slim"
-FROM debian:"${DEBIAN_RELEASE_LINE}-${DEBIAN_VERSION}${DEBIAN_VARIANT}" AS jre-build
+FROM debian:"${DEBIAN_RELEASE_LINE}-${DEBIAN_VERSION}${DEBIAN_VARIANT}" AS jre-and-war
 
 ARG JAVA_VERSION=17.0.17_10
 
@@ -16,6 +16,7 @@ RUN apt-get update \
   && apt-get install --no-install-recommends -y \
     ca-certificates \
     curl \
+    gnupg \
     jq \
   && rm -rf /var/lib/apt/lists/* \
   && /usr/bin/jdk-download.sh
@@ -44,15 +45,27 @@ RUN java_major_version="$(jlink --version 2>&1 | cut -c1-2)"; \
         --output /javaruntime; \
     fi
 
+# Jenkins version being bundled in this docker image
+ARG JENKINS_VERSION=2.547
+# Can be used to customize where jenkins.war get downloaded from
+ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
+
+COPY jenkins.io-2026.key /war/jenkins-key.pub
+
+# Not using ADD as it does not check Last-Modified header
+# see https://github.com/docker/docker/issues/8331
+RUN curl -fsSL "${WAR_URL}" -o /war/jenkins.war \
+  && curl -fsSL "${WAR_URL}.asc" -o /war/jenkins.war.asc \
+  && gpg --import /war/jenkins-key.pub \
+  && gpg --verify --trust-model direct /war/jenkins.war.asc /war/jenkins.war
+
 FROM debian:"${DEBIAN_RELEASE_LINE}-${DEBIAN_VERSION}${DEBIAN_VARIANT}" AS controller
 
 RUN apt-get update \
   && apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
     git \
-    gnupg \
-    gpg \
     libfontconfig1 \
     libfreetype6 \
     procps \
@@ -107,22 +120,6 @@ VOLUME $JENKINS_HOME
 # or config file with your custom jenkins Docker image.
 RUN mkdir -p ${REF}/init.groovy.d
 
-# jenkins version being bundled in this docker image
-ARG JENKINS_VERSION
-ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
-
-# Can be used to customize where jenkins.war get downloaded from
-ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
-COPY jenkins.io-2026.key /tmp/jenkins-key.pub
-
-# could use ADD but this one does not check Last-Modified header
-# see https://github.com/docker/docker/issues/8331
-RUN curl -fsSL "${WAR_URL}" -o /usr/share/jenkins/jenkins.war \
-  && curl -fsSL "${WAR_URL}.asc" -o /tmp/jenkins.war.asc \
-  && gpg --import /tmp/jenkins-key.pub \
-  && gpg --verify --trust-model direct /tmp/jenkins.war.asc /usr/share/jenkins/jenkins.war \
-  && rm -f /tmp/*
-
 ENV JENKINS_UC=https://updates.jenkins.io
 ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
 ENV JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals
@@ -145,14 +142,17 @@ ENV COPY_REFERENCE_FILE_LOG=$JENKINS_HOME/copy_reference_file.log
 
 ENV JAVA_HOME=/opt/java/openjdk
 ENV PATH="${JAVA_HOME}/bin:${PATH}"
-COPY --from=jre-build /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /war/jenkins.war /usr/share/jenkins/jenkins.war
 
 USER ${user}
 
 COPY jenkins-support /usr/local/bin/jenkins-support
 COPY jenkins.sh /usr/local/bin/jenkins.sh
 COPY jenkins-plugin-cli.sh /bin/jenkins-plugin-cli
 
+ARG JENKINS_VERSION=2.547
+
 ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/jenkins.sh"]
 
 # metadata labels

rhel/Dockerfile

@@ -1,6 +1,6 @@
 ARG RHEL_TAG=9.7-1768785530
 ARG RHEL_RELEASE_LINE=ubi9
-FROM registry.access.redhat.com/${RHEL_RELEASE_LINE}/ubi:${RHEL_TAG} AS jre-build
+FROM registry.access.redhat.com/${RHEL_RELEASE_LINE}/ubi:${RHEL_TAG} AS jre-and-war
 
 ARG JAVA_VERSION=17.0.17_10
 
@@ -40,6 +40,20 @@ RUN java_major_version="$(jlink --version 2>&1 | cut -c1-2)"; \
         --output /javaruntime; \
     fi
 
+# Jenkins version being bundled in this docker image
+ARG JENKINS_VERSION=2.547
+# Can be used to customize where jenkins.war get downloaded from
+ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
+
+COPY jenkins.io-2026.key /war/jenkins-key.pub
+
+# Not using ADD as it does not check Last-Modified header
+# see https://github.com/docker/docker/issues/8331
+RUN curl -fsSL "${WAR_URL}" -o /war/jenkins.war \
+  && curl -fsSL "${WAR_URL}.asc" -o /war/jenkins.war.asc \
+  && gpg --import /war/jenkins-key.pub \
+  && gpg --verify --trust-model direct /war/jenkins.war.asc /war/jenkins.war
+
 FROM registry.access.redhat.com/${RHEL_RELEASE_LINE}/ubi:${RHEL_TAG} AS controller
 
 ENV LANG=C.UTF-8
@@ -97,27 +111,6 @@ RUN curl -fsSL "https://github.com/krallin/tini/releases/download/${TINI_VERSION
   && rm -rf /sbin/tini.asc /root/.gnupg \
   && chmod +x /sbin/tini
 
-# jenkins version being bundled in this docker image
-ARG JENKINS_VERSION
-ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
-
-# Can be used to customize where jenkins.war get downloaded from
-ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
-COPY jenkins.io-2026.key /tmp/jenkins-key.pub
-
-# could use ADD but this one does not check Last-Modified header
-# see https://github.com/docker/docker/issues/8331
-RUN curl -fsSL "${WAR_URL}" -o /usr/share/jenkins/jenkins.war \
-  && curl -fsSL "${WAR_URL}.asc" -o /tmp/jenkins.war.asc \
-  && gpg --import /tmp/jenkins-key.pub \
-  && gpg --verify --trust-model direct /tmp/jenkins.war.asc /usr/share/jenkins/jenkins.war \
-  && rm -f /tmp/*
-
-ENV JENKINS_UC=https://updates.jenkins.io
-ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
-ENV JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals
-RUN chown -R ${user} "$JENKINS_HOME" "$REF"
-
 ARG PLUGIN_CLI_VERSION=2.13.2
 ARG PLUGIN_CLI_URL=https://github.com/jenkinsci/plugin-installation-manager-tool/releases/download/${PLUGIN_CLI_VERSION}/jenkins-plugin-manager-${PLUGIN_CLI_VERSION}.jar
 RUN curl -fsSL ${PLUGIN_CLI_URL} -o /opt/jenkins-plugin-manager.jar \
@@ -135,14 +128,17 @@ ENV COPY_REFERENCE_FILE_LOG=$JENKINS_HOME/copy_reference_file.log
 
 ENV JAVA_HOME=/opt/java/openjdk
 ENV PATH="${JAVA_HOME}/bin:${PATH}"
-COPY --from=jre-build /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /war/jenkins.war /usr/share/jenkins/jenkins.war
 
 USER ${user}
 
 COPY jenkins-support /usr/local/bin/jenkins-support
 COPY jenkins.sh /usr/local/bin/jenkins.sh
 COPY jenkins-plugin-cli.sh /bin/jenkins-plugin-cli
 
+ARG JENKINS_VERSION=2.547
+
 ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/jenkins.sh"]
 
 # metadata labels

windows/windowsservercore/hotspot/Dockerfile

@@ -4,7 +4,7 @@
 ARG JAVA_VERSION=17.0.17_10
 ARG WINDOWS_VERSION=ltsc2022
 
-FROM mcr.microsoft.com/windows/servercore:"${WINDOWS_VERSION}" AS jre-build
+FROM mcr.microsoft.com/windows/servercore:"${WINDOWS_VERSION}" AS jre-and-war
 
 # $ProgressPreference: https://github.com/PowerShell/PowerShell/issues/2138#issuecomment-251261324
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
@@ -53,16 +53,14 @@ RUN New-Item -ItemType Directory -Path C:/temp | Out-Null ; `
     Start-Process -FilePath C:/temp/gnupg.exe -ArgumentList '/S' -Wait ; `
     Remove-Item -Path C:\temp -Recurse | Out-Null
 
-# jenkins version being bundled in this docker image
-ARG JENKINS_VERSION
-ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
-
+# Jenkins version being bundled in this docker image
+ARG JENKINS_VERSION=2.547
 # Can be used to customize where jenkins.war get downloaded from
 ARG WAR_URL=https://get.jenkins.io/war/${JENKINS_VERSION}/jenkins.war
 ENV WAR_URL=${WAR_URL}
 ENV WAR_ASC_URL=${WAR_URL}.asc
 
-# could use ADD but this one does not check Last-Modified header
+# Not using ADD as it does not check Last-Modified header
 # # see https://github.com/docker/docker/issues/8331
 RUN New-Item -ItemType Directory -Path C:/war | Out-Null ; `
     Write-Host $env:WAR_URL; Invoke-WebRequest -Uri "$env:WAR_URL" -OutFile C:/war/jenkins.war ; `
@@ -79,8 +77,8 @@ FROM mcr.microsoft.com/windows/servercore:"${WINDOWS_VERSION}" AS controller
 ARG JAVA_HOME="C:/openjdk-17"
 ENV JAVA_HOME=${JAVA_HOME}
 
-COPY --from=jre-build /javaruntime $JAVA_HOME
-COPY --from=jre-build /war/jenkins.war C:/ProgramData/Jenkins/jenkins.war
+COPY --from=jre-and-war /javaruntime $JAVA_HOME
+COPY --from=jre-and-war /war/jenkins.war C:/ProgramData/Jenkins/jenkins.war
 
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
@@ -125,10 +123,6 @@ USER ${user}
 # hadolint ignore=DL4006
 RUN New-Item -ItemType Directory -Force -Path C:/ProgramData/Jenkins/Reference/init.groovy.d | Out-Null
 
-# jenkins version being bundled in this docker image
-ARG JENKINS_VERSION
-ENV JENKINS_VERSION=${JENKINS_VERSION:-2.547}
-
 ENV JENKINS_UC=https://updates.jenkins.io
 ENV JENKINS_UC_EXPERIMENTAL=https://updates.jenkins.io/experimental
 ENV JENKINS_INCREMENTALS_REPO_MIRROR=https://repo.jenkins-ci.org/incrementals
@@ -152,6 +146,8 @@ COPY jenkins.ps1 C:/ProgramData/Jenkins
 # See https://github.com/jenkinsci/plugin-installation-manager-tool#cli-options for information on parameters for jenkins-plugin-cli.ps1 for installing plugins into the docker image
 COPY jenkins-plugin-cli.ps1 C:/ProgramData/Jenkins
 
+ARG JENKINS_VERSION=2.547
+
 ENTRYPOINT ["powershell.exe", "-f", "C:/ProgramData/Jenkins/jenkins.ps1"]
 
 # metadata labels