Use correct public key to verify CMake binary signature

docker/clang/Dockerfile

@@ -37,15 +37,24 @@ RUN apt-get update && apt-get install -y \
 
 # Install newer CMake manually
 ARG CMAKE_VERSION=3.23.2
-ARG build_dir=/tmp/build
 
 ENV CMAKE_DIR=/opt/cmake
-RUN CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-linux-x86_64.sh && \
-    mkdir -p ${build_dir} && mkdir -p ${CMAKE_DIR} \
-    cd ${build_dir} && \
-    wget https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/${CMAKE_SCRIPT} && \
+RUN CMAKE_URL=https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION} && \
+    CMAKE_SCRIPT=cmake-${CMAKE_VERSION}-linux-x86_64.sh && \
+    CMAKE_SHA256=cmake-${CMAKE_VERSION}-SHA-256.txt && \
+    CMAKE_SIGNATURE=cmake-${CMAKE_VERSION}-SHA-256.txt.asc && \
+    PUBLIC_KEY_ID=CBA23971357C2E6590D9EFD3EC8FEF3A7BFB4EDA && \
+    PUBLIC_KEY_URL=https://keys.openpgp.org/vks/v1/by-fingerprint/${PUBLIC_KEY_ID} && \
+    wget --quiet ${CMAKE_URL}/${CMAKE_SHA256} && \
+    wget --quiet ${CMAKE_URL}/${CMAKE_SIGNATURE} && \
+    wget --quiet ${CMAKE_URL}/${CMAKE_SCRIPT} && \
+    wget --quiet ${PUBLIC_KEY_URL} && \
+    gpg --import ${PUBLIC_KEY_ID} && \
+    gpg --verify ${CMAKE_SIGNATURE} ${CMAKE_SHA256} && \
+    grep -i ${CMAKE_SCRIPT} ${CMAKE_SHA256} | sha256sum --check && \
+    mkdir -p ${CMAKE_DIR} && \
     sh ${CMAKE_SCRIPT} --skip-license --prefix=${CMAKE_DIR} && \
-    cd ${HOME} && rm -rf ${build_dir}
+    rm cmake* ${PUBLIC_KEY_ID}
 ENV PATH=${CMAKE_DIR}/bin:$PATH
 
 # Set Clang 19 as the default Clang and Clang++