mhart / alpine-node

Minimal Node.js Docker Images built on Alpine Linux
MIT License

Some of the imported PGP keys have expired #159

Open csillag opened 3 years ago

csillag commented 3 years ago

As part of the build process, the script tries to import a bunch of PGP public keys from various key servers. Unfortunately, some of those keys have expired, and therefore can no longer be found.

So the build dies like this:

```
Step 4/7 : RUN for server in ipv4.pool.sks-keyservers.net keyserver.pgp.com ha.pool.sks-keyservers.net; do     gpg --keyserver $server --recv-keys       4ED778F539E3634C779C87C6D7062848A1AB005C       94AE36675C464D64BAFA68DD7434390BDBE9B9C5       74F12602B6F1C4E913FAA37AD3A89613643B6201       71DCFD284A79C3B38668286BC97EC7A07EDE3FC1       8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600       C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8       C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C       DD8F2338BAE7501E3DD5AC78C273792F7D83545D       A48C2BEE680E841632CD4E44F07496B3EB3C1762       108F52B48DB57BB0CC439B2997B01419BD92F80A       B9E2F5981AA6E0CD28160D9FF13993A75599653C && break;   done
 ---> Running in 1cd297c9e0ac
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: keyserver receive failed: No name
gpg: keyserver receive failed: Operation timed out
gpg: keyserver receive failed: No name
The command '/bin/sh -c for server in ipv4.pool.sks-keyservers.net keyserver.pgp.com ha.pool.sks-keyservers.net; do     gpg --keyserver $server --recv-keys       4ED778F539E3634C779C87C6D7062848A1AB005C       94AE36675C464D64BAFA68DD7434390BDBE9B9C5       74F12602B6F1C4E913FAA37AD3A89613643B6201       71DCFD284A79C3B38668286BC97EC7A07EDE3FC1       8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600       C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8       C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C       DD8F2338BAE7501E3DD5AC78C273792F7D83545D       A48C2BEE680E841632CD4E44F07496B3EB3C1762       108F52B48DB57BB0CC439B2997B01419BD92F80A       B9E2F5981AA6E0CD28160D9FF13993A75599653C && break;   done' returned a non-zero code: 2
make: *** [Makefile:28: .docker-image] Error 2
```

I guess the key ids listed here need to be updated...
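The `RUN` step quoted above passes all eleven fingerprints to one `gpg --recv-keys` call per server, so a single key that a server lacks makes the whole call fail, and a server that returns only a subset leaves the build with a partial keyring and no clear error. The script below is an added example, not code from the alpine-node project or from the reporter: it fetches each key separately from each server in turn, then lists exactly which required fingerprints are still missing by parsing `gpg --with-colons` output. The keyserver URLs are an assumption for the example, and the sample colon output is constructed to exercise the check offline.

```shell
#!/bin/sh
# Added example, not code from mhart/alpine-node: fetch the Node.js release
# signing keys key-by-key from several keyservers, then refuse to continue
# if any required fingerprint is still absent from the local keyring.
set -eu

# Fingerprints as listed in the Dockerfile step quoted in the issue.
NODE_KEYS="4ED778F539E3634C779C87C6D7062848A1AB005C
94AE36675C464D64BAFA68DD7434390BDBE9B9C5
74F12602B6F1C4E913FAA37AD3A89613643B6201
71DCFD284A79C3B38668286BC97EC7A07EDE3FC1
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C
DD8F2338BAE7501E3DD5AC78C273792F7D83545D
A48C2BEE680E841632CD4E44F07496B3EB3C1762
108F52B48DB57BB0CC439B2997B01419BD92F80A
B9E2F5981AA6E0CD28160D9FF13993A75599653C"

# Keyserver list is an assumption for this example; adjust it to what your
# build environment can actually reach.
KEYSERVERS="${KEYSERVERS:-hkps://keys.openpgp.org hkps://keyserver.ubuntu.com}"

# fetch_keys: try each server for each key individually, so one key that a
# server lacks does not make the whole --recv-keys call fail. Network
# failures are tolerated here; check_keys below is what gates the build.
fetch_keys() {
    for fpr in $NODE_KEYS; do
        for server in $KEYSERVERS; do
            if gpg --batch --keyserver "$server" --recv-keys "$fpr"; then
                break
            fi
        done
    done
}

# missing_keys REQUIRED COLON_OUTPUT: print each fingerprint in REQUIRED
# (whitespace separated) that has no "fpr" record in COLON_OUTPUT, the
# machine-readable form produced by `gpg --with-colons --fingerprint`.
# In fpr records the fingerprint is field 10.
missing_keys() {
    required=$1
    colon_output=$2
    present=$(printf '%s\n' "$colon_output" | awk -F: '$1 == "fpr" { print $10 }')
    for fpr in $required; do
        if ! printf '%s\n' "$present" | grep -qx "$fpr"; then
            printf '%s\n' "$fpr"
        fi
    done
}

# check_keys: fail with the list of absent fingerprints instead of letting a
# later signature verification fail with a less specific error.
check_keys() {
    absent=$(missing_keys "$NODE_KEYS" "$(gpg --batch --with-colons --fingerprint)")
    if [ -n "$absent" ]; then
        printf 'missing release signing keys:\n%s\n' "$absent" >&2
        return 1
    fi
}

# Constructed sample of --with-colons output: one fingerprint from the issue's
# list plus a made-up subkey fingerprint, so only one required key is present.
SAMPLE_COLON_OUTPUT="pub:-:4096:1:D7062848A1AB005C:1400000000:::-:::scESC::::::23::0:
fpr:::::::::4ED778F539E3634C779C87C6D7062848A1AB005C:
uid:-::::1400000000::0000::Example Signer <signer@example.invalid>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1400000000::::::s::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:"

# Only touch gpg and the network when asked for, e.g. RUN_FETCH=1 sh fetch-keys.sh
if [ "${RUN_FETCH:-0}" = "1" ]; then
    fetch_keys
    check_keys
fi
```

In a Dockerfile this replaces the single `RUN for server in ...` step; the build then stops at `check_keys` with the exact fingerprints that could not be fetched, which is the information needed to decide whether a key was rotated, withdrawn, or simply unavailable on the servers tried.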

csillag commented 3 years ago

Btw this broke at some point between the 17th and the 22nd of June.

csillag commented 3 years ago

The missing key seems to be the one in this line: 4ED778F539E3634C779C87C6D7062848A1AB005C

... which is required to verify the signature on https://nodejs.org/dist/v12.18.4/SHASUMS256.txt.asc, but is no longer available at https://keyserver.pgp.com (or anywhere else, as far as I can see).

csillag commented 3 years ago

Upon further inspection, I see that basically all those keys have been withdrawn... which is kind of strange, since they are even used for signing some of the latest versions.

For example https://nodejs.org/dist/latest-v12.x/SHASUMS256.txt.asc is signed by C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C, which is also no longer available... I am stumped here.

csillag commented 3 years ago

Or maybe those PGP keys haven't been withdrawn, but are now published at a different location? That should be the case, since even v16-latest is signed by a key which is not available at keyserver.pgp.com...

csillag commented 3 years ago

This is how they handled this in the official node docker image: https://github.com/nodejs/docker-node/issues/1500