From c09ca961535abcc1ab2ba5a4b4fd71dce97047ba Mon Sep 17 00:00:00 2001
From: Yossi Eliaz
Date: Wed, 29 Apr 2026 13:16:45 +0300
Subject: [PATCH] test(dockerfile): assert Docker apt GPG single-primary-key guard order

Locks in Codex/Greptile review criteria: pub count runs before fingerprint compare and gpg --dearmor for issue #74234.

Made-with: Cursor
---
 src/dockerfile.test.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/dockerfile.test.ts b/src/dockerfile.test.ts
index 751d29303f0..66fc85ecce3 100644
--- a/src/dockerfile.test.ts
+++ b/src/dockerfile.test.ts
@@ -141,6 +141,24 @@ describe("Dockerfile", () => {
     expect(dockerfile).not.toContain('\\"fpr\\"');
   });
 
+  it("counts primary pub keys before Docker apt fingerprint compare and dearmor", async () => {
+    const dockerfile = collapseDockerContinuations(await readFile(dockerfilePath, "utf8"));
+    const anchor = dockerfile.indexOf(
+      "curl -fsSL https://download.docker.com/linux/debian/gpg -o /tmp/docker.gpg.asc",
+    );
+    expect(anchor).toBeGreaterThan(-1);
+    const slice = dockerfile.slice(anchor);
+    expect(slice).toContain("docker_gpg_pub_count=");
+    expect(slice).toContain('$1 == "pub"');
+    expect(slice).not.toContain('\\"pub\\"');
+    const pubCountIdx = slice.indexOf("docker_gpg_pub_count=");
+    const fpIdx = slice.indexOf("actual_fingerprint=");
+    const dearmorIdx = slice.indexOf("gpg --dearmor");
+    expect(pubCountIdx).toBeLessThan(fpIdx);
+    expect(fpIdx).toBeLessThan(dearmorIdx);
+    expect(slice).toContain('[ "$docker_gpg_pub_count" != "1" ]');
+  });
+
   it("keeps runtime pnpm available", async () => {
     const dockerfile = await readFile(dockerfilePath, "utf8");
     expect(dockerfile).toContain("ENV COREPACK_HOME=/usr/local/share/corepack");
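Review bot: The ordering assertions pin where `docker_gpg_pub_count=` is assigned, not where the `!= "1"` guard runs, so a Dockerfile that counts `pub` lines early but only rejects a multi-key bundle after the fingerprint compare or after `gpg --dearmor` still passes this test, which is the exact regression the commit message says it locks in. Capture the guard's position and order it too: `const guardIdx = slice.indexOf('[ "$docker_gpg_pub_count" != "1" ]');` then `expect(guardIdx).toBeGreaterThan(pubCountIdx);` and `expect(guardIdx).toBeLessThan(fpIdx);`. Separately, `slice` runs to the end of the Dockerfile, so `indexOf("gpg --dearmor")` would presumably match a later unrelated repo's dearmor if Docker's own were removed; bounding the slice to the Docker key block (for example, up to the next `RUN`) would make the assertion specific. The enclosing `describe("Dockerfile", ...)` block starts and ends outside this hunk.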