Correct attempt to build CA Chains for PDF Validation

Waiting https://github.com/Stirling-Tools/Stirling-PDF/issues/4662 Signed-off-by: Leonardo Amaral <contato@leonardoamaral.com.br>
2025-10-13 11:23:55 -03:00
parent e3a5b00a2c
commit 9edfb9b035
3 changed files with 131 additions and 5 deletions
--- a/114
+++ b/114
@@ -1,6 +1,114 @@
+FROM --platform=$BUILDPLATFORM docker.io/library/debian:stable-slim as debian-base
+RUN apt update \
+ && apt -y install curl ca-certificates libnss3-tools unzip git-core
+
+FROM --platform=$BUILDPLATFORM debian-base as certdata.txt
+RUN curl -sSL https://gist.githubusercontent.com/antoniordo/0038eb6830e4e4dafd413b61481a812b/raw/ac3dca8eeee718cb1c3398fbaad8e99ed01b4c1f/instalar-certificados-ac-icp-brasil.sh | sed -e 's,ACcompactado.zip,ACcompactadox.zip,g'| bash - \
+ && truncate -s 0 /certdata.txt \
+ && bash -c 'for file in /etc/ssl/certs/*.pem; do echo "Processando arquivo ${file}" ; name=$(basename $file | xargs basename -s .pem) ; openssl x509 -outform der -in ${file} -out - | nss-addbuiltin -n ${name} -t "C,C,C" >> /certdata.txt ; done'
+
+FROM --platform=$BUILDPLATFORM debian-base as git-fetch
 ARG TAG

-FROM docker.stirlingpdf.com/stirlingtools/stirling-pdf:$TAG
+RUN git clone --single-branch --branch v${TAG} https://github.com/Stirling-Tools/Stirling-PDF.git /stirling-pdf-src
+COPY --from=certdata.txt /certdata.txt /stirling-pdf-src/app/core/src/main/resources/certdata.txt

-# Faz sentido ter as chaves expiradas também? Acho que sim.
-RUN curl -sSL https://gist.githubusercontent.com/antoniordo/0038eb6830e4e4dafd413b61481a812b/raw/ac3dca8eeee718cb1c3398fbaad8e99ed01b4c1f/instalar-certificados-ac-icp-brasil.sh | sed -e 's,ACcompactado.zip,ACcompactadox.zip,g'| bash -
+FROM --platform=$BUILDPLATFORM docker.io/library/gradle:8.14-jdk21-ubi AS build
+COPY --from=git-fetch /stirling-pdf-src /app
+WORKDIR /app
+
+RUN DISABLE_ADDITIONAL_FEATURES=false \
+    STIRLING_PDF_DESKTOP_UI=false \
+    ./gradlew clean build -x spotlessApply -x spotlessCheck -x test -x sonarqube
+
+# From now on, almost directly from https://github.com/Stirling-Tools/Stirling-PDF/blob/main/Dockerfile.fat
+
+# Main stage
+FROM --platform=$TARGETPLATFORM docker.io/library/alpine:3
+ARG TAG
+
+# Copy necessary files
+COPY --from=git-fetch /stirling-pdf-src/scripts /scripts
+COPY --from=git-fetch /stirling-pdf-src/app/core/src/main/resources/static/fonts/*.ttf /usr/share/fonts/opentype/noto/
+# first /app directory is for the build stage, second is for the final image
+COPY --from=build /app/app/core/build/libs/*.jar app.jar
+
+# Set Environment Variables
+ENV DISABLE_ADDITIONAL_FEATURES=true \
+    VERSION_TAG=v$TAG \
+    JAVA_BASE_OPTS="-XX:+UnlockExperimentalVMOptions -XX:MaxRAMPercentage=75 -XX:InitiatingHeapOccupancyPercent=20 -XX:+G1PeriodicGCInvokesConcurrent -XX:G1PeriodicGCInterval=10000 -XX:+UseStringDeduplication -XX:G1PeriodicGCSystemLoadThreshold=70" \
+    JAVA_CUSTOM_OPTS="" \
+    HOME=/home/stirlingpdfuser \
+    PUID=1000 \
+    PGID=1000 \
+    UMASK=022 \
+    FAT_DOCKER=true \
+    INSTALL_BOOK_AND_ADVANCED_HTML_OPS=false \
+    PYTHONPATH=/usr/lib/libreoffice/program:/opt/venv/lib/python3.12/site-packages \
+    UNO_PATH=/usr/lib/libreoffice/program \
+    URE_BOOTSTRAP=file:///usr/lib/libreoffice/program/fundamentalrc \
+    PATH=$PATH:/opt/venv/bin \
+    STIRLING_TEMPFILES_DIRECTORY=/tmp/stirling-pdf \
+    TMPDIR=/tmp/stirling-pdf \
+    TEMP=/tmp/stirling-pdf \
+    TMP=/tmp/stirling-pdf
+
+# JDK for app
+RUN echo "@main https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories && \
+    echo "@community https://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories && \
+    echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" | tee -a /etc/apk/repositories && \
+    apk upgrade --no-cache -a && \
+    apk add --no-cache \
+    ca-certificates \
+    tzdata \
+    catatonit \
+    bash \
+    curl \
+    shadow \
+    su-exec \
+    openssl \
+    openssl-dev \
+    openjdk21-jre \
+    # Doc conversion
+    gcompat \
+    libc6-compat \
+    libreoffice \
+    # pdftohtml
+    poppler-utils \
+    # OCR MY PDF (unpaper for descew and other advanced featues)
+    tesseract-ocr-data-eng \
+    tesseract-ocr-data-chi_sim \
+	tesseract-ocr-data-deu \
+	tesseract-ocr-data-fra \
+	tesseract-ocr-data-por \
+    unpaper \
+    font-terminus font-dejavu font-noto font-noto-cjk font-awesome font-noto-extra font-liberation font-linux-libertine font-urw-base35 \
+    # CV
+    py3-opencv \
+    python3 \
+    ocrmypdf \
+    py3-pip \
+    py3-pillow@testing \
+    py3-pdf2image@testing && \
+    python3 -m venv /opt/venv && \
+    /opt/venv/bin/pip install --no-cache-dir --upgrade pip setuptools && \
+    /opt/venv/bin/pip install --no-cache-dir --upgrade unoserver weasyprint && \
+    ln -s /usr/lib/libreoffice/program/uno.py /opt/venv/lib/python3.12/site-packages/ && \
+    ln -s /usr/lib/libreoffice/program/unohelper.py /opt/venv/lib/python3.12/site-packages/ && \
+    ln -s /usr/lib/libreoffice/program /opt/venv/lib/python3.12/site-packages/LibreOffice && \
+    mv /usr/share/tessdata /usr/share/tessdata-original && \
+    mkdir -p $HOME /configs /logs /customFiles /pipeline/watchedFolders /pipeline/finishedFolders /tmp/stirling-pdf && \
+    # Configure URW Base 35 fonts
+    ln -s /usr/share/fontconfig/conf.avail/69-urw-*.conf /etc/fonts/conf.d/ && \
+    fc-cache -f -v && \
+    chmod +x /scripts/* && \
+    # User permissions
+    addgroup -S stirlingpdfgroup && adduser -S stirlingpdfuser -G stirlingpdfgroup && \
+    chown -R stirlingpdfuser:stirlingpdfgroup $HOME /scripts /usr/share/fonts/opentype/noto /configs /customFiles /pipeline /tmp/stirling-pdf && \
+    chown stirlingpdfuser:stirlingpdfgroup /app.jar
+
+EXPOSE 8080/tcp
+# Set user and run command
+USER stirlingpdfuser
+ENTRYPOINT ["/usr/bin/catatonit", "-g", "--", "/scripts/init.sh"]
+CMD ["sh", "-c", "java -Dfile.encoding=UTF-8 -Djava.io.tmpdir=/tmp/stirling-pdf -jar /app.jar & /opt/venv/bin/unoserver --port 2003 --interface 127.0.0.1"]
--- a/4
+++ b/4
@@ -6,5 +6,5 @@ TAG := $(shell curl -sSL https://raw.githubusercontent.com/Stirling-Tools/Stirli
 all: build

 build:
-	podman build --build-arg TAG=$(TAG) --platform=linux/amd64,linux/arm64 -t git.leonardoamaral.com.br/zenithtecnologia/stirling-pdf-icp-brasil:$(TAG) .
-	podman push git.leonardoamaral.com.br/zenithtecnologia/stirling-pdf-icp-brasil:$(TAG)
+	podman build --build-arg TAG=$(TAG) --platform=linux/amd64,linux/arm64 --manifest git.leonardoamaral.com.br/zenithtecnologia/stirling-pdf-icp-brasil:$(TAG) .
+	podman manifest push git.leonardoamaral.com.br/zenithtecnologia/stirling-pdf-icp-brasil:$(TAG)
--- a/update-java-cacerts.sh
+++ b/update-java-cacerts.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+# Source: https://gist.github.com/socheatsok78/2d895a17c04d568f6e207dd4d51b7faa
+
+JKS_STOREPASS="${JKS_STOREPASS:-changeit}"
+cd /etc/ssl/certs
+for cert in ca-*.pem; do
+	ca_alias=${cert//ca-cert-}
+	ca_alias=${ca_alias//.pem}
+	echo "Importing certificate $ca_alias... "
+	echo -n " => "
+	keytool -cacerts -trustcacerts \
+		-storepass ${JKS_STOREPASS} \
+		-importcert \
+		-alias "${ca_alias}" \
+		-file /etc/ssl/certs/${cert} \
+		-noprompt
+done