thresheek
Contributor

We introduced two new keys back in 2024 to be able to migrate off the older key. Last week we actually started using one of the newer keys to sign the packages and metadata; however, a bug in the key export logic meant that only the first key was exported to the keyring, breaking the Dockerfile build.

With nginx/docker-nginx@0b49b8b now merged, let's update the references to the fixed base Dockerfiles.


Diff for 1b4b346:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index 48207a4..e5b976d 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -3,7 +3,7 @@ GitRepo: https://github.com/nginx/docker-nginx.git
 
 Tags: 1.28.0, stable, 1.28, 1.28.0-bookworm, stable-bookworm, 1.28-bookworm
 Architectures: amd64, arm32v5, arm32v7, arm64v8, i386, mips64le, ppc64le, s390x
-GitCommit: 7f1d49f6f222f7e588a9066fd53a0ce43c3466a5
+GitCommit: b2faad22d5d15d966e46922033681639b2a6d6fa
 Directory: stable/debian
 
 Tags: 1.28.0-alpine, stable-alpine, 1.28-alpine, 1.28.0-alpine3.21, stable-alpine3.21, 1.28-alpine3.21
@@ -38,7 +38,7 @@ Directory: stable/debian-perl
 
 Tags: 1.29.0, mainline, 1, 1.29, latest, 1.29.0-bookworm, mainline-bookworm, 1-bookworm, 1.29-bookworm, bookworm
 Architectures: amd64, arm32v5, arm32v7, arm64v8, i386, mips64le, ppc64le, s390x
-GitCommit: 7895505c41013f66d3841cd2613b436229c1fe0e
+GitCommit: b2faad22d5d15d966e46922033681639b2a6d6fa
 Directory: mainline/debian
 
 Tags: 1.29.0-alpine, mainline-alpine, 1-alpine, 1.29-alpine, alpine, 1.29.0-alpine3.22, mainline-alpine3.22, 1-alpine3.22, 1.29-alpine3.22, alpine3.22
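Review bot: The new `GitCommit` value on the `stable/debian` and `mainline/debian` entries is b2faad22d5d15d966e46922033681639b2a6d6fa, while the description names nginx/docker-nginx@0b49b8b as the fix, and the two hashes cannot be related from this diff alone. Please confirm in the description that b2faad2 contains 0b49b8b, so the pinned commit can be traced back to the key export fix.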
diff --git a/nginx_1.28-bookworm/Dockerfile b/nginx_1.28-bookworm/Dockerfile
index d0b7cf6..447f10e 100644
--- a/nginx_1.28-bookworm/Dockerfile
+++ b/nginx_1.28-bookworm/Dockerfile
@@ -34,7 +34,7 @@ RUN set -x \
     done; \
     test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
     done; \
-    gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
+    gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \
     rm -rf "$GNUPGHOME"; \
     apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
     && dpkgArch="$(dpkg --print-architecture)" \
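Review bot: The unquoted `$NGINX_GPGKEYS` on the `gpg1 --export` line depends on shell word splitting to hand each key to gpg as its own argument, and nothing on the line says that this is deliberate, so a later cleanup or a linter-driven change could restore the quotes and bring the single-key export back. Add a short comment above the line stating that the splitting is intentional. Unquoted expansion also undergoes pathname expansion, which is harmless only as long as the variable holds plain key IDs.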
diff --git a/nginx_bookworm/Dockerfile b/nginx_bookworm/Dockerfile
index 9e9f0ce..84b47ae 100644
--- a/nginx_bookworm/Dockerfile
+++ b/nginx_bookworm/Dockerfile
@@ -34,7 +34,7 @@ RUN set -x \
     done; \
     test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
     done; \
-    gpg1 --export "$NGINX_GPGKEYS" > "$NGINX_GPGKEY_PATH" ; \
+    gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ; \
     rm -rf "$GNUPGHOME"; \
     apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
     && dpkgArch="$(dpkg --print-architecture)" \
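Review bot: Nothing after the `gpg1 --export $NGINX_GPGKEYS > "$NGINX_GPGKEY_PATH" ;` line checks what ended up in the keyring: the loop above fails the build when a key cannot be fetched, but the export is followed directly by `rm -rf "$GNUPGHOME"`, and per the description an export holding only the first key passed through this step and surfaced only once a newer key was used for signing. Consider listing the keys in the exported file before `$GNUPGHOME` is removed and failing the build if the count differs from the number of entries in `$NGINX_GPGKEYS`.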

Relevant Maintainers:

@tianon
Member

tianon commented Jul 14, 2025

Oh, on the topic, I'd suggest adding --batch to all gpg invocations (the --batch flag puts it into "API mode" for lack of a better explanation). I don't think we need to block this on that addition though, unless you really want to. 👍

@thresheek
Contributor Author

Thanks! Let's keep the --batch change for the future.

thresheek added a commit to thresheek/docker-nginx that referenced this pull request Jul 15, 2025
@tianon tianon merged commit 35c2990 into docker-library:master Jul 15, 2025
9 checks passed
thresheek added a commit to nginx/docker-nginx that referenced this pull request Jul 15, 2025