Closed pstrh closed 4 years ago
I can ask the jetty committers to publish their keys to there, got any documentation we can follow?
The easiest method IMO is https://keys.openpgp.org/about/usage#gnupg-upload
gpg --export your_address@example.net | curl -T - https://keys.openpgp.org
@tianon thanks!
I've loaded my key into keys.openpgp.org, but I'm also inclined to import them directly to make the build independent of a keyserver... but will follow the examples of other projects. @md5 your thoughts?
Making the build independent of a keyserver does seem desirable, given how much effort goes into making key fetching more reliable. Given that the key IDs are enumerated anyways, it's not like keeping the keys themselves out of the build gains any flexibility.
A solution I have in mind to share the keys and avoid too many copies is to have an image containing the keys (maybe called jetty:keys), so that we can do something like
COPY --from=jetty:keys /keys/* /tmp/
using gpg --import to import the keys
then gpg --batch --verify
There are some relevant notes in https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification too.
The fix with PR #114 is to use the image https://github.com/jetty-project/jetty-keys, which contains a KEYS file with all the keys, so we do not download everything again and again.
Today it seems that the sks-keyservers pool was temporarily unavailable which broke my docker build 😟 In fact the sks-keyservers should no longer be used - see amongst others https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
Alternatives: use gpg --import directly, without remote access. I would suggest using the public keys directly, as it makes the build independent from any keyservers.
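Putting the two suggestions above together (copying a KEYS file out of a keys-only image, then importing and verifying with gpg in batch mode, with no keyserver involved), here is an added example Dockerfile. It is not code from the jetty-docker project or from any commenter; the image name `jetty-keys:latest`, the base image, the `JETTY_VERSION` value and the download URL are placeholders assumed for the example, and only the `/keys/KEYS` path follows the layout discussed in the thread.

```dockerfile
# Added example (not the project's own Dockerfile): verify a release tarball
# offline using keys baked into a separate image, instead of fetching them
# from a keyserver at build time.
# Assumptions: "jetty-keys:latest" is a hypothetical image holding /keys/KEYS;
# the base image, JETTY_VERSION and JETTY_TGZ_URL are placeholders.
FROM jetty-keys:latest AS keys

FROM eclipse-temurin:11-jre
ARG JETTY_VERSION=x.y.z
ENV JETTY_TGZ_URL=https://example.invalid/jetty-home-${JETTY_VERSION}.tar.gz

# Copy the pinned KEYS file out of the keys image: no network, no keyserver.
COPY --from=keys /keys/KEYS /tmp/KEYS

RUN set -eux; \
    apt-get update; \
    apt-get install -y --no-install-recommends curl gnupg; \
    rm -rf /var/lib/apt/lists/*; \
    # Throwaway keyring so nothing leaks into the final image's ~/.gnupg
    export GNUPGHOME="$(mktemp -d)"; \
    gpg --batch --import /tmp/KEYS; \
    curl -fsSL -o jetty.tar.gz "$JETTY_TGZ_URL"; \
    curl -fsSL -o jetty.tar.gz.asc "$JETTY_TGZ_URL.asc"; \
    # --batch never prompts; a bad signature or an unknown signing key makes
    # gpg exit non-zero, which aborts the build because of "set -e".
    gpg --batch --verify jetty.tar.gz.asc jetty.tar.gz; \
    mkdir -p /opt/jetty; \
    tar -xzf jetty.tar.gz -C /opt/jetty --strip-components=1; \
    # Clean up the keyring and downloads so they do not end up in a layer.
    gpgconf --kill all; \
    rm -rf "$GNUPGHOME" /tmp/KEYS jetty.tar.gz jetty.tar.gz.asc

WORKDIR /opt/jetty
```

One caveat worth knowing when relying on this: `gpg --verify` exits 0 for a good signature from any key in the keyring, even one marked untrusted (it only prints a warning), so the integrity guarantee rests entirely on the KEYS file being the right one. That is exactly why pinning the file in a reviewed image is preferable to pulling keys by ID from a keyserver at build time, and why a new release key should land in the keys image through a reviewed change rather than an ad hoc `--recv-keys`.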