Why do the official docker python images include a GPG_KEY environment variable?

Question

Why is this included? Is there any harm in unsetting it in images that inherit from this one?

Answer 1

If you are just inheriting from the image, ie FROM python:3.5 then you don't need to worry about the GPG_KEY variable.

If you are customizing the Python image's official dockerfile, then do not unset or reset these values, as it will break the building of the image.

---

It is included so that the downloaded archives for Python source can be verified as genuine.

It is normally used when building the image, so that when you tag it with a specific version, that version is downloaded and verified before being built.

The value are set in the update.sh script :

declare -A gpgKeys=(
    # gpg: key 18ADD4FF: public key "Benjamin Peterson <benjamin@python.org>" imported
    [2.7]='C01E1CAD5EA2C4F0B8E3571504C367C218ADD4FF'
    # https://www.python.org/dev/peps/pep-0373/#release-manager-and-crew

    # gpg: key F73C700D: public key "Larry Hastings <larry@hastings.org>" imported
    [3.4]='97FC712E4C024BBEA48A61ED3A5CA953F73C700D'
    # https://www.python.org/dev/peps/pep-0429/#release-manager-and-crew

    # gpg: key F73C700D: public key "Larry Hastings <larry@hastings.org>" imported
    [3.5]='97FC712E4C024BBEA48A61ED3A5CA953F73C700D'
    # https://www.python.org/dev/peps/pep-0478/#release-manager-and-crew

    # gpg: key AA65421D: public key "Ned Deily (Python release signing key) <nad@acm.org>" imported
    [3.6]='0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D'
    # https://www.python.org/dev/peps/pep-0494/#release-manager-and-crew

    # gpg: key AA65421D: public key "Ned Deily (Python release signing key) <nad@acm.org>" imported
    [3.7]='0D96DF4D4110E5C43FBFB17F2D347EA6AA65421D'
    # https://www.python.org/dev/peps/pep-0494/#release-manager-and-crew
)

This script then updates the various individual dockerfiles that in the end are used to build the actual image.