appropriate / docker-jetty

Formerly the location of the Docker official image for Jetty
https://registry.hub.docker.com/_/jetty/

Replace sks-keyservers.net #113

Closed pstrh closed 4 years ago

pstrh commented 5 years ago

Today it seems that the sks-keyservers pool was temporarily unavailable, which broke my docker build 😟 In fact, the sks-keyservers should no longer be used; see, amongst others, https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

Alternatives:

  1. Use the keys.openpgp.org server - unfortunately the keys of the Jetty committers are currently not available there.
  2. Put the public keys of the jetty committers into this repository and import them via gpg --import directly without remote access.

I would suggest using the public keys directly, as it makes the build independent of any keyservers.

joakime commented 5 years ago

I can ask the jetty committers to publish their keys there. Got any documentation we can follow?

tianon commented 5 years ago

The easiest method IMO is https://keys.openpgp.org/about/usage#gnupg-upload

gpg --export your_address@example.net | curl -T - https://keys.openpgp.org

joakime commented 5 years ago

@tianon thanks!

gregw commented 5 years ago

I've loaded my key into keys.openpgp.org, but I'm also inclined to import them directly to make the build independent of a keyserver... but will follow the examples of other projects. @md5 your thoughts?

md5 commented 5 years ago

Making the build independent of a keyserver does seem desirable, given how much effort goes into making key fetching more reliable. Given that the key IDs are enumerated anyways, it's not like keeping the keys themselves out of the build gains any flexibility.

olamy commented 5 years ago

A solution I have in mind to share the keys and avoid too many copies is to have an image containing the keys (maybe called jetty:keys) so that we can do something like

COPY --from=jetty:keys /keys/* /tmp/

using gpg --import to import the keys, then gpg --batch --verify

tianon commented 5 years ago

There are some relevant notes in https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification too.

olamy commented 4 years ago

The fix with PR #114 is to use the image https://github.com/jetty-project/jetty-keys, which contains a KEYS file with all the keys, so we do not download everything again and again.

gregw commented 4 years ago

https://github.com/docker-library/official-images/pull/7134
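
The keyserver-independent check discussed in this thread, as an added example that is not part of the thread and is not the docker-jetty or jetty-keys code: import a local KEYS file into a throwaway keyring, run gpg --batch --verify, and require that the signer matches a pinned fingerprint. The function names, file names and demo key are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: offline signature check against a KEYS file kept with the build.
# The demo key, file names and example.invalid address are constructed.

# verify_with_keys KEYS SIG DATA FPR
# Succeeds only if SIG is a good signature over DATA made by a key from KEYS
# whose primary-key fingerprint is FPR. No keyserver is contacted.
verify_with_keys() {
    [ -n "$4" ] || return 2
    vk_home=$(mktemp -d) || return 2
    # Throwaway keyring: it holds only what the KEYS file provides.
    vk_status=$(gpg --homedir "$vk_home" --batch --quiet --import "$1" 2>/dev/null &&
        gpg --homedir "$vk_home" --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null)
    vk_rc=$?
    gpgconf --homedir "$vk_home" --kill all 2>/dev/null || true
    rm -rf "$vk_home"
    [ "$vk_rc" -eq 0 ] || return 1
    # The last VALIDSIG field is the signer's primary-key fingerprint.
    printf '%s\n' "$vk_status" | grep -q "^\[GNUPG:] VALIDSIG .* $4\$"
}

# make_demo DIR: create a constructed signer key, DIR/KEYS, DIR/artifact and
# DIR/artifact.asc, then print the signer's fingerprint.
make_demo() {
    md_home=$(mktemp -d) || return 2
    gpg --homedir "$md_home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' default default never \
        >/dev/null 2>&1 || return 2
    gpg --homedir "$md_home" --batch --armor --export > "$1/KEYS"
    printf 'constructed artifact\n' > "$1/artifact"
    gpg --homedir "$md_home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1/artifact.asc" "$1/artifact" 2>/dev/null
    gpg --homedir "$md_home" --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
    gpgconf --homedir "$md_home" --kill all 2>/dev/null || true
    rm -rf "$md_home"
}

# Demo on constructed data; skipped when gpg is not installed.
if command -v gpg >/dev/null 2>&1; then
    demo=$(mktemp -d) && fpr=$(make_demo "$demo")
    verify_with_keys "$demo/KEYS" "$demo/artifact.asc" "$demo/artifact" "$fpr" &&
        echo "good signature from $fpr"
    echo tampered >> "$demo/artifact"
    verify_with_keys "$demo/KEYS" "$demo/artifact.asc" "$demo/artifact" "$fpr" ||
        echo "tampered artifact rejected"
    rm -rf "$demo"
fi
```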