confidential-containers · fitzthum · Jan 13, 2026 · Jan 8, 2026 · Jan 8, 2026
@@ -13,12 +13,15 @@ WORKDIR /usr/src/attestation-service
 COPY . .
 
 # Install TPM Build Dependencies
-RUN apt-get update && apt-get install -y protobuf-compiler clang libtss2-dev cmake
+RUN apt-get update && apt-get install --no-install-recommends -y protobuf-compiler clang libtss2-dev cmake
 
 # Install TDX Build Dependencies
+ARG DCAP_VERSION=1_24_100
 RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
-    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi
+    curl -sSLf https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/99dcap_${DCAP_VERSION}_noble_custom_version.cfg | \
+    tee -a /etc/apt/preferences.d/99dcap && \
+    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+    apt-get update && apt-get install --no-install-recommends -y libsgx-dcap-quote-verify-dev; fi
 
 # Build and Install gRPC attestation-service
 RUN if [ "$(uname -m)" != "${ARCH}" ]; then \
@@ -46,12 +49,15 @@ RUN apt-get update && apt-get install openssl -y && \
     rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
 
 # Install TDX Runtime Dependencies
+ARG DCAP_VERSION=1_24_100
 RUN if [ "${ARCH}" = "x86_64" ] && ( [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "tdx-verifier" ] ); \
     then apt-get update && apt-get install curl gnupg -y && \
     curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
-    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+    curl -sSLf https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/99dcap_${DCAP_VERSION}_noble_custom_version.cfg | \
+    tee -a /etc/apt/preferences.d/99dcap && \
+    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
     apt-get update && \
-    apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
+    apt-get install --no-install-recommends -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
     apt-get remove curl gnupg -y && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi

@@ -16,9 +16,12 @@ COPY . .
 RUN apt-get update && apt-get install -y protobuf-compiler clang libtss2-dev cmake
 
 # Install TDX Build Dependencies
+ARG DCAP_VERSION=1_24_100
 RUN if [ "${ARCH}" = "x86_64" ]; then curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
-    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && apt-get install -y libsgx-dcap-quote-verify-dev; fi
+    curl -sSLf https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/99dcap_${DCAP_VERSION}_noble_custom_version.cfg | \
+    tee -a /etc/apt/preferences.d/99dcap && \
+    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+    apt-get update && apt-get install --no-install-recommends -y libsgx-dcap-quote-verify-dev; fi
 
 # Build and Install RESTful attestation-service
 RUN if [ "$(uname -m)" != "${ARCH}" ]; then \
@@ -47,12 +50,15 @@ RUN apt-get update && apt-get install openssl -y && \
     rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*
 
 # Install TDX Runtime Dependencies
+ARG DCAP_VERSION=1_24_100
 RUN if [ "${ARCH}" = "x86_64" ] && ( [ "${VERIFIER}" = "all-verifier" ] || [ "${VERIFIER}" = "tdx-verifier" ] ); \
     then apt-get update && apt-get install curl gnupg -y && \
     curl -L https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
-    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+    curl -sSLf https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/99dcap_${DCAP_VERSION}_noble_custom_version.cfg | \
+    tee -a /etc/apt/preferences.d/99dcap && \
+    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
     apt-get update && \
-    apt-get install -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
+    apt-get install --no-install-recommends -y libsgx-dcap-default-qpl libsgx-dcap-quote-verify && \
     apt-get remove curl gnupg -y && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/{apt,dpkg,cache,log} /tmp/* /var/tmp/*; fi

@@ -17,9 +17,12 @@ RUN apt-get update && \
 
 RUN if [ "${ARCH}" = "aarch64" ]; then apt-get install -y libc-bin; fi
 
+ARG DCAP_VERSION=1_24_100
 RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
     gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
-    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | \
+    curl -sSLf https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/99dcap_${DCAP_VERSION}_noble_custom_version.cfg | \
+    tee -a /etc/apt/preferences.d/99dcap && \
+    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | \
     tee /etc/apt/sources.list.d/intel-sgx.list; fi && \
     apt-get update && \
     apt-get install -y --no-install-recommends \
@@ -50,14 +53,17 @@ ARG ARCH=x86_64
 
 WORKDIR /tmp
 
+ARG DCAP_VERSION=1_24_100
 RUN apt-get update && \
     apt-get install -y \
     curl \
     gnupg \
     gnupg-agent && \
     if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
     gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
-    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
+    curl -sSLf https://download.01.org/intel-sgx/sgx_repo/ubuntu/apt_preference_files/99dcap_${DCAP_VERSION}_noble_custom_version.cfg | \
+    tee -a /etc/apt/preferences.d/99dcap && \
+    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu noble main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
     apt-get update && \
     apt-get install -y --no-install-recommends \
     libsgx-dcap-default-qpl \

@@ -17,12 +17,7 @@ RUN apt-get update && \
 
 RUN if [ "${ARCH}" = "aarch64" ]; then apt-get install -y libc-bin; fi
 
-RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
-    gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
-    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | \
-    tee /etc/apt/sources.list.d/intel-sgx.list; fi && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
+RUN apt-get install -y --no-install-recommends \
     libclang-dev \
     libprotobuf-dev \
     libssl-dev \
@@ -32,10 +27,7 @@ RUN if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-s
     protobuf-compiler \
     wget \
     clang \
-    cmake \
-    libtss2-dev && \
-    if [ "${ARCH}" = "x86_64" ]; then apt-get install -y --no-install-recommends \
-    libsgx-dcap-quote-verify-dev; fi
+    cmake
 
 # Build and Install trustee-cli
 WORKDIR /usr/src/trustee
@@ -45,26 +37,5 @@ RUN cd tools/trustee-cli && make ARCH=${ARCH} && make ARCH=${ARCH} install
 
 # ubuntu:24.04
 FROM ubuntu@sha256:7c06e91f61fa88c08cc74f7e1b7c69ae24910d745357e0dfe1d2c0322aaf20f9
-ARG ARCH=x86_64
-
-WORKDIR /tmp
-
-RUN apt-get update && \
-    apt-get install -y \
-    curl \
-    gnupg \
-    gnupg-agent && \
-    if [ "${ARCH}" = "x86_64" ]; then curl -fsSL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | \
-    gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg && \
-    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | tee /etc/apt/sources.list.d/intel-sgx.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-    libsgx-dcap-default-qpl \
-    libsgx-dcap-quote-verify \
-    libtss2-tctildr0 \
-    libtss2-esys-3.0.2-0 ; \
-    fi && \
-    apt clean all && \
-    rm -rf /tmp/*
 
 COPY --from=builder /usr/local/bin/trustee /usr/local/bin/trustee