
Migrate to Node.js verification using keyring source

Open MikeMcC399 opened this issue 4 months ago • 3 comments

Problem

This repo is no longer aligned with recommendations from node > README > Verifying binaries which now specifies using https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx

Disadvantages of current method:

  • Individual keys need to be maintained in this repo
  • Both the hkps://keys.openpgp.org and keyserver.ubuntu.com key servers need to be polled
  • Previous keys in hkps://keys.openpgp.org, where the key signer has moved to a new key, are effectively disabled if the same e-mail address is used (see Can I verify more than one key for some email address?)

Solution

Migrate from current Node.js image verification with locally stored individual PGP keys to instead use a keyring from https://github.com/nodejs/release-keys.

Depending on the need for reproducibility, the keyring could either be copied and stored, or the online version on https://github.com/nodejs/release-keys could be used.

Alternatives to Consider

  • No change. In that case keys still need to be manually maintained here.

MikeMcC399 avatar Jul 28 '25 15:07 MikeMcC399

Withdrawing this enhancement suggestion, as there was no response.

Keys for signers of Node.js releases will need to be manually maintained as before. The set of keys does not, however, change often.

MikeMcC399 avatar Oct 12 '25 08:10 MikeMcC399

I'm going to mirror the relevant part of my comment from https://github.com/nodejs/node/issues/58904#issuecomment-3029289637 over here (since it describes what someone trying to pick this work up will need to grapple with): :+1:

Also, it's worth noting that it's a little bit annoying in GnuPG specifically to consume key data in a safe/verified way from a raw URL or file -- you can't (that I'm aware of) verify the key by fingerprint before importing/trusting it without doing something like setting up a whole separate GNUPGHOME/keyring, importing the file into there, and then doing a gpg --batch --export with the full fingerprint if you want to make sure that the file you import contains one and only one key, and reference that key by the full (validated) key fingerprint.

See https://github.com/docker-library/tomcat/blob/b63e91319c234d5378a4bea81be915a56e30746b/11.0/jdk21/temurin-noble/Dockerfile#L57-L72 for a relevant example of the "dancing" required to make that work in a reasonably safe way that validates the full fingerprints before trusting them for signing.

tianon avatar Dec 11 '25 21:12 tianon
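The "dance" tianon describes (throwaway GNUPGHOME, import, confirm exactly one key with the expected full fingerprint, then export by fingerprint into the real keyring) written out as a POSIX shell script. This is an added example, not code from docker-node or from the tomcat Dockerfile linked above. It assumes two inputs supplied by the caller: a path to a downloaded key file and the 40-hex-digit fingerprint trusted out of band; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: import one OpenPGP key only after checking, in a scratch
# keyring, that the file holds exactly one primary key with the expected
# full fingerprint. Inputs (assumed): KEYFILE and EXPECTED_FPR from the caller.
set -eu

# Canonicalise a fingerprint given by the caller: strip spaces, upper-case,
# and require exactly 40 hex digits (a v4 OpenPGP fingerprint). Prints the
# normalised value, or returns 1 so a malformed value never reaches gpg.
normalize_fpr() {
  fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  case "$fpr" in
    *[!0-9A-F]*|'') return 1 ;;
  esac
  [ ${#fpr} -eq 40 ] || return 1
  printf '%s' "$fpr"
}

# Read `gpg --with-colons --list-keys` output on stdin and print only the
# fingerprints of primary keys (the "fpr" record that follows a "pub"
# record; "fpr" records following "sub" records are subkeys and skipped).
primary_fprs() {
  awk -F: '$1=="pub"{p=1; next} $1=="sub"{p=0; next} $1=="fpr" && p {print $10; p=0}'
}

# Import into a temporary GNUPGHOME, verify the file contains one and only
# one primary key and that its fingerprint is the trusted one, then export
# that key by its full fingerprint and import it into the real keyring.
import_one_key_by_fingerprint() {
  keyfile=$1
  expected=$(normalize_fpr "$2") || { echo "malformed fingerprint: $2" >&2; return 1; }

  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  chmod 700 "$tmp"

  GNUPGHOME="$tmp" gpg --batch --quiet --import "$keyfile"
  fprs=$(GNUPGHOME="$tmp" gpg --batch --with-colons --list-keys | primary_fprs)

  n=$(printf '%s\n' "$fprs" | grep -c .)
  [ "$n" -eq 1 ] || { echo "expected exactly one primary key, found $n" >&2; return 1; }
  [ "$fprs" = "$expected" ] || { echo "fingerprint mismatch: got $fprs" >&2; return 1; }

  # Export by the validated full fingerprint, never by a short key id.
  GNUPGHOME="$tmp" gpg --batch --export "$expected" | gpg --batch --quiet --import
  echo "imported $expected"
}

# Usage: ./verify-key.sh /path/to/key.asc 'ABCD EF01 ... (40 hex digits)'
if [ $# -eq 2 ]; then
  import_one_key_by_fingerprint "$1" "$2"
fi
```

Checking the count against the colon-format listing rather than against human-readable `gpg --list-keys` output is deliberate: the colon format is the stable machine interface, and the `pub`/`sub` distinction is what lets the script reject a file that smuggles in a second primary key alongside the expected one.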

I re-opened this issue due to @richardlau's https://github.com/nodejs/node/issues/61022#issuecomment-3642346288 which said:

This has affected unofficial-builds and will probably also affect https://github.com/nodejs/docker-node.

As it turned out, the https://github.com/nodejs/docker-node repo (this one) had no issue with the keys once the build on https://github.com/nodejs/unofficial-builds was fixed, so I jumped the gun a bit.

MikeMcC399 avatar Dec 12 '25 10:12 MikeMcC399