nodejs / release-keys

Node.js release signing keys.
MIT License

Latest key addition didn't include updating included keyring release-keys/gpg/pubring.kbx #18

Closed sp3nx0r closed 1 year ago

sp3nx0r commented 1 year ago

Error excerpt from Dockerfile performing signature validation:

Step 11/23 : RUN gpgv --keyring nodejs-release-keys/gpg/pubring.kbx SHASUMS256.txt.sig SHASUMS256.txt &&     /usr/bin/sha256sum -c --ignore-missing SHASUMS256.txt &&     mkdir ./nodejs && tar -xvf node-v16.18.0-linux-x64.tar.gz -C ./nodejs
 ---> Running in 378ab3472bc1
gpgv: Signature made Wed Oct 12 14:48:44 2022 UTC
gpgv:                using RSA key 61FC681DFB92A079F1685E77973F295594EC4689
gpgv: Can't check signature: No public key

https://github.com/nodejs/release-keys/pull/15 didn't include an update to the keyring release-keys/gpg/pubring.kbx, so for anyone relying on that keyring to perform a gpgv check, the check won't work for release 16.18.0.

Would someone please update the public keyring with Juan's key?

RafaelGSS commented 1 year ago

cc @juanarbol

sp3nx0r commented 1 year ago

Bump on this. Any way to push this, @juanarbol?

sp3nx0r commented 1 year ago

Looks like #20 took care of this; confirmed that our CI validation now succeeds.
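The failure reported in this issue is a keyring that lags behind the signer, not a bad signature, and a CI step can tell the two apart by reading gpgv's machine-readable status lines (`--status-fd`) instead of its exit code alone. The following is an added example, not code from this thread or from the nodejs/release-keys project; the function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies gpgv status lines read from stdin, e.g. from
#   gpgv --status-fd 1 --keyring KEYRING SHASUMS256.txt.sig SHASUMS256.txt 2>/dev/null
# Prints a verdict; returns 0 only for a good signature.
classify_gpgv_status() {
    good='' fpr='' problem=''
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            GOODSIG)   good=$arg1 ;;
            VALIDSIG)  fpr=$arg1 ;;
            # A failed signature outranks every other finding.
            BADSIG)    problem="bad-signature $arg1" ;;
            # Signing key absent from the keyring: update the keyring.
            NO_PUBKEY) [ -n "$problem" ] || problem="stale-keyring $arg1" ;;
            # Signature checks out but the key or signature is expired/revoked.
            EXPSIG|EXPKEYSIG|REVKEYSIG)
                       [ -n "$problem" ] || problem="expired-or-revoked $arg1" ;;
        esac
    done
    if [ -n "$problem" ]; then
        printf '%s\n' "$problem"; return 1
    elif [ -n "$good" ] && [ -n "$fpr" ]; then
        printf 'ok %s\n' "$fpr"; return 0
    fi
    printf 'unverified\n'; return 2
}

# Constructed status lines for the failure in this issue (key not in keyring).
sample_stale_keyring() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 973F295594EC4689 1 8 00 1665586124 9 61FC681DFB92A079F1685E77973F295594EC4689
[GNUPG:] NO_PUBKEY 973F295594EC4689
EOF
}

# Constructed status lines for the same signature once the keyring has the key.
sample_updated_keyring() {
    cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 973F295594EC4689 Constructed Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 61FC681DFB92A079F1685E77973F295594EC4689 2022-10-12 1665586124 0 4 0 1 8 00 61FC681DFB92A079F1685E77973F295594EC4689
EOF
}
```

A `stale-keyring` verdict means the keyring needs refreshing from the release-keys repository, while `bad-signature` should fail the build outright.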