Update ProtonMail Bridge to v3.25.0

revert Update ProtonMail Bridge to v3.22.0

.gitea/workflows/prod-docker-images.yml

@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - main
+  workflow_dispatch:
 
 jobs:
   build-and-push:
@@ -29,12 +30,14 @@ jobs:
       - name: Convert repository owner to lowercase
         run: echo "REPO_OWNER_LC=$(echo '${{ gitea.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
 
-      - name: Build and push Docker image for latest tag
+      - name: Build and push Docker image
         uses: docker/build-push-action@v7
         with:
-          context: ./build
+          context: .
           push: true
-          tags: ${{ vars.DOCKER_REGISTRY_URL }}/${{ env.REPO_OWNER_LC }}/protonmail-bridge:latest
+          tags: |
+            ${{ vars.DOCKER_REGISTRY_URL }}/${{ env.REPO_OWNER_LC }}/protonmail-bridge:latest
+            ${{ vars.DOCKER_REGISTRY_URL }}/${{ env.REPO_OWNER_LC }}/protonmail-bridge:${{ env.VERSION }}
           platforms: linux/amd64
           build-args: |
             VERSION=${{ env.VERSION }}

Dockerfile

@@ -0,0 +1,43 @@
+FROM golang:trixie AS build
+
+ARG VERSION
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    libsecret-1-dev \
+    libfido2-dev \
+    libcbor-dev \
+    pass \
+    && rm -rf /var/lib/apt/lists/*
+
+# Build
+ADD https://github.com/ProtonMail/proton-bridge.git#${VERSION} /build/proton-bridge/
+WORKDIR /build/proton-bridge/
+RUN sed -i 's/127.0.0.1/0.0.0.0/g' internal/constants/constants.go
+RUN make build-nogui vault-editor
+
+FROM debian:trixie-slim
+
+EXPOSE 1025/tcp
+EXPOSE 1143/tcp
+
+# Install dependencies and protonmail bridge
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    gnupg \
+    pass \
+    libsecret-1-0 \
+    libfido2-1 \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy bash scripts
+COPY gpgparams entrypoint.sh /protonmail/
+COPY scripts/generate_new_certs.sh /root/generate_new_certs.sh
+WORKDIR /protonmail/
+
+# Copy protonmail
+COPY --from=build /build/proton-bridge/bridge /usr/bin/
+COPY --from=build /build/proton-bridge/proton-bridge /usr/bin/
+COPY --from=build /build/proton-bridge/vault-editor /usr/bin/
+
+ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"]

VERSION

@@ -1 +1 @@
-v3.22.0
+v3.25.0

build/Dockerfile

@@ -1,38 +0,0 @@
-FROM golang:1.26 AS build
-
-ARG VERSION
-
-# Install dependencies
-RUN apt-get update && apt-get install -y \
-    build-essential \
-    libsecret-1-dev \
-    libfido2-dev \
-    libcbor-dev
-
-# Build
-ADD https://github.com/ProtonMail/proton-bridge.git#${VERSION} /build/
-WORKDIR /build/
-RUN make build-nogui vault-editor
-
-COPY build.sh /build/
-RUN bash build.sh
-
-FROM ubuntu:latest
-LABEL maintainer="Xiaonan Shen <s@sxn.dev>"
-
-EXPOSE 25/tcp
-EXPOSE 143/tcp
-
-# Install dependencies and protonmail bridge
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 ca-certificates libfido2-1 \
-    && rm -rf /var/lib/apt/lists/*
-
-# Copy bash scripts
-COPY gpgparams entrypoint.sh /protonmail/
-
-# Copy protonmail
-COPY --from=build /build/bridge /protonmail/
-COPY --from=build /build/proton-bridge /protonmail/
-
-ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"]

build/build.sh

@@ -1,19 +0,0 @@
-#!/bin/bash
-
-set -ex
-
-# Clone new code
-sed -i 's/127.0.0.1/0.0.0.0/g' internal/constants/constants.go
-
-ARCH=$(uname -m)
-if [[ $ARCH == "armv7l" ]] ; then
-	# This is expected to fail, and we use the following patch to fix
-	make build-nogui || true
-	# For 32bit architectures, there was a overflow error on the parser
-	# This is a workaround for this problem found at:
-	#   https://github.com/antlr/antlr4/issues/2433#issuecomment-774514106
-	find $(go env GOPATH)/pkg/mod/github.com/\!proton\!mail/go-rfc5322*/ -type f -exec sed -i.bak 's/(1<</(int64(1)<</g' {} +
-fi
-
-# Build
-make build-nogui

build/entrypoint.sh

@@ -1,35 +0,0 @@
-#!/bin/bash
-
-set -ex
-
-# Initialize
-if [[ $1 == init ]]; then
-
-    # Initialize pass
-    gpg --generate-key --batch /protonmail/gpgparams
-    pass init pass-key
-    
-    # Kill the other instance as only one can be running at a time.
-    # This allows users to run entrypoint init inside a running conainter
-    # which is useful in a k8s environment.
-    # || true to make sure this would not fail in case there is no running instance.
-    pkill protonmail-bridge || true
-
-    # Login
-    /protonmail/proton-bridge --cli $@
-
-else
-
-    # socat will make the conn appear to come from 127.0.0.1
-    # ProtonMail Bridge currently expects that.
-    # It also allows us to bind to the real ports :)
-    socat TCP-LISTEN:25,fork TCP:127.0.0.1:1025 &
-    socat TCP-LISTEN:143,fork TCP:127.0.0.1:1143 &
-
-    # Start protonmail
-    # Fake a terminal, so it does not quit because of EOF...
-    rm -f faketty
-    mkfifo faketty
-    cat faketty | /protonmail/proton-bridge --cli $@
-
-fi

entrypoint.sh

@@ -0,0 +1,37 @@
+#!/bin/sh
+set -e
+
+mkdir -p /root/.gnupg
+chmod 700 /root/.gnupg
+
+# Initialize pass store if missing
+if [ ! -d "/root/.password-store" ]; then
+  echo "Initializing password store..."
+
+  # Generate GPG key
+  gpg --batch --gen-key /protonmail/gpgparams
+
+  # Extract fingerprint
+  KEY=$(gpg --list-secret-keys --with-colons | awk -F: '/^sec:/ {print $5; exit}')
+
+  # Initialize pass
+  pass init "$KEY"
+fi
+
+# Initialize
+if [[ "$1" == "init" ]]; then
+  # Kill the other instance as only one can be running at a time.
+  # This allows users to run entrypoint init inside a running conainter
+  # which is useful in a k8s environment.
+  # || true to make sure this would not fail in case there is no running instance.
+  pkill protonmail-bridge || true
+
+  # Run any ProtonMail Bridge Command - Login
+  proton-bridge --cli "$@"
+else
+  # Start ProtonMail Bridge
+  # Fake a terminal, so it does not quit because of EOF...
+  rm -f faketty
+  mkfifo faketty
+  cat faketty | proton-bridge --cli "$@"
+fi

gpgparams

@@ -1,8 +1,8 @@
 %no-protection
-%echo Generating a basic OpenPGP key
 Key-Type: RSA
 Key-Length: 2048
-Name-Real: pass-key
+Subkey-Type: RSA
+Name-Real: Proton Bridge
+Name-Email: bridge@local
 Expire-Date: 0
 %commit
-%echo done

scripts/generate_new_certs.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+if [ -z "$1" ]; then
+  echo "Please add the hostname of the Docker Container Name where the Container Should Create a Cert for"
+  echo "like: $0 protonmail-bridge"
+  exit 1
+fi
+
+# 1. choose the hostname(s) you will actually type into your mail client
+HOSTS="$1,localhost,127.0.0.1"
+
+# 2. build the openssl SAN string automatically
+SAN=$(echo "$HOSTS" | tr ',' '\n' \
+  | sed -e 's/^[0-9.]*$/IP:&/' -e 's/^[^0-9.]*$/DNS:&/' \
+  | paste -sd,)
+
+# 3. generate key + cert in one shot
+openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 3650 \
+  -out cert.pem -subj '/CN=protonmail-bridge' \
+  -addext "subjectAltName=$SAN"
+
+# 4. quick sanity-check
+openssl x509 -in cert.pem -text -noout | grep -A1 "Subject Alternative"