nodejs / release-keys

Node.js release signing keys.
MIT License

v18 and v19 are signed by a public key not captured in this keyring #21

Closed sp3nx0r closed 1 year ago

sp3nx0r commented 1 year ago

Noticed that NodeJS v18 and v19 fail when validating signatures using the public key keyring in this repo:

$ RUN gpgv --keyring nodejs-release-keys/gpg/pubring.kbx SHASUMS256.txt.sig SHASUMS256.txt && \
    /usr/bin/sha256sum -c --ignore-missing SHASUMS256.txt && \
    mkdir ./nodejs && tar -xvf node-v19.4.0-linux-x64.tar.gz -C ./nodejs
gpgv: Signature made Fri Jan  6 13:15:00 2023 UTC
gpgv:                using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpgv: Can't check signature: No public key

v18 is using RSA key 61FC681DFB92A079F1685E77973F295594EC4689

Could we get those keys added into this repo for signature verification? Thanks

sp3nx0r commented 1 year ago

Still an issue with v18.15.0, any update on when those keys will get added to support signature verification?

BethGriggs commented 1 year ago

Hey, @sp3nx0r. Looking into this.

v18.15.0 signing key 4ED778F539E3634C779C87C6D7062848A1AB005C (mine) seems to be present in the keyring:

$ wget https://nodejs.org/dist/v18.15.0/SHASUMS256.txt.sig
$ wget https://nodejs.org/dist/v18.15.0/SHASUMS256.txt
$ GNUPGHOME=~/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature made Tue  7 Mar 20:01:57 2023 GMT
gpg:                using RSA key 4ED778F539E3634C779C87C6D7062848A1AB005C
gpg: Good signature from "Beth Griggs <bgriggs@redhat.com>" [unknown]
gpg:                 aka "Beth Griggs <Bethany.Griggs@uk.ibm.com>" [unknown]
...

But, v19.5.0 signing key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 appears not to be:

$ wget https://nodejs.org/dist/v19.4.0/SHASUMS256.txt
$ wget https://nodejs.org/dist/v19.4.0/SHASUMS256.txt.sig
$ GNUPGHOME=~/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt
gpg: Signature made Fri  6 Jan 13:15:00 2023 GMT
gpg:                using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpg: Can't check signature: No public key

@RafaelGSS it looks like we missed adding your key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 to the keyring after #16 and #19.

@juanarbol's old key 61FC681DFB92A079F1685E77973F295594EC4689 is similarly not in the keyring.
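The verification flow discussed in this issue (gpgv over SHASUMS256.txt.sig, then sha256sum -c on the tarball) has two failure modes worth handling explicitly: the signing key is missing from the keyring ("No public key", which is an unverified signature, not a bad one), and the signature is good but made by a key that is in the keyring yet is not an expected release key. The script below is an added example, not code from nodejs/release-keys or the Node.js project. It takes the verdict from gpgv's machine-readable `--status-fd` lines instead of the human-readable stderr text, pins the accepted signing keys to the fingerprints quoted in this thread, and treats a tarball that is absent from SHASUMS256.txt as a failure (unlike `sha256sum --ignore-missing`). The `STATUS_*` strings and `SHASUMS_SAMPLE` are constructed sample inputs so the checks run offline; the digests in `SHASUMS_SAMPLE` are of the bytes `b"abc"` and `b""`, not of any real Node.js tarball. The helper names are this example's own.

```python
"""Verify a Node.js release tarball: detached GPG signature on SHASUMS256.txt,
then the tarball's SHA-256 digest. Added example, not nodejs/release-keys code.
Assumes SHASUMS256.txt, SHASUMS256.txt.sig and the tarball sit in one directory
and the keyring is a file such as release-keys/gpg/pubring.kbx."""
import hashlib
import re
import subprocess
from pathlib import Path

# Release-key fingerprints quoted in the thread. A signature is accepted only if
# it was made by one of these keys, not by any key that happens to be in the keyring.
ALLOWED_FINGERPRINTS = frozenset({
    "4ED778F539E3634C779C87C6D7062848A1AB005C",  # Beth Griggs
    "890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4",  # Rafael Gonzaga
    "61FC681DFB92A079F1685E77973F295594EC4689",  # Juan José Arboleda (old key)
})

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_status(status_text: str) -> dict:
    """Turn gpg/gpgv --status-fd output into {KEYWORD: [args]} (last line wins)."""
    out = {}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            out[m.group(1)] = (m.group(2) or "").split()
    return out


def classify_signature(status_text: str, allowed=ALLOWED_FINGERPRINTS) -> tuple:
    """Return (verdict, detail). Only ("ok", fingerprint) means the file is trusted."""
    st = parse_status(status_text)
    if "NO_PUBKEY" in st:
        # Key absent from the keyring: the signature is unverified, not bad. Fail closed.
        return ("no_pubkey", st["NO_PUBKEY"][0])
    if "BADSIG" in st:
        return ("bad_signature", st["BADSIG"][0])
    # GOODSIG is required as well as VALIDSIG: gpg reports EXPKEYSIG/REVKEYSIG
    # instead of GOODSIG for expired or revoked keys, and those must not pass.
    if "VALIDSIG" not in st or "GOODSIG" not in st:
        return ("unverified", "no GOODSIG/VALIDSIG in status output")
    fields = st["VALIDSIG"]
    signing_fpr = fields[0].upper()      # fingerprint of the key that signed
    primary_fpr = fields[-1].upper()     # last field: primary-key fingerprint
    if signing_fpr in allowed or primary_fpr in allowed:
        return ("ok", signing_fpr)
    return ("untrusted_key", signing_fpr)


def parse_shasums(text: str) -> dict:
    """Parse 'hexdigest  filename' lines (the sha256sum -c format)."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            sums[parts[1].strip()] = parts[0].lower()
    return sums


def sha256_matches(shasums_text: str, filename: str, data: bytes) -> bool:
    """True only if filename is listed and data hashes to the listed digest."""
    expected = parse_shasums(shasums_text).get(filename)
    if expected is None:
        return False  # unlisted file is a failure, unlike sha256sum --ignore-missing
    return hashlib.sha256(data).hexdigest() == expected


def verify_release(dist_dir: Path, tarball: str, keyring: Path) -> tuple:
    """Run gpgv on SHASUMS256.txt.sig, then check the tarball's digest."""
    proc = subprocess.run(
        ["gpgv", "--status-fd", "1", "--keyring", str(keyring),
         str(dist_dir / "SHASUMS256.txt.sig"), str(dist_dir / "SHASUMS256.txt")],
        capture_output=True, text=True, check=False)
    verdict, detail = classify_signature(proc.stdout)
    if verdict != "ok":
        return (verdict, detail)
    shasums = (dist_dir / "SHASUMS256.txt").read_text()
    if not sha256_matches(shasums, tarball, (dist_dir / tarball).read_bytes()):
        return ("digest_mismatch", tarball)
    return ("ok", detail)


# Constructed sample status output mimicking the two outcomes seen in the thread.
STATUS_NO_PUBKEY = """[GNUPG:] NEWSIG
[GNUPG:] NO_PUBKEY 8BEAB4DFCF555EF4
"""
STATUS_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG D7062848A1AB005C Beth Griggs <bgriggs@redhat.com>
[GNUPG:] VALIDSIG 4ED778F539E3634C779C87C6D7062848A1AB005C 2023-03-07 1678219317 0 4 0 1 10 00 4ED778F539E3634C779C87C6D7062848A1AB005C
"""
# Constructed: a key that is in the keyring but is not an allowed release key.
STATUS_UNLISTED = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <someone@example.invalid>
[GNUPG:] VALIDSIG FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF 2023-01-01 1672531200 0 4 0 1 10 00 FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF
"""
# Constructed SHASUMS256.txt: digests of b"abc" and b"", not of real tarballs.
SHASUMS_SAMPLE = (
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  node-v19.4.0-linux-x64.tar.gz\n"
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  node-v19.4.0-headers.tar.gz\n"
)

if __name__ == "__main__":
    import sys
    dist, name, ring = sys.argv[1:4]
    result = verify_release(Path(dist), name, Path(ring))
    print(*result)
    sys.exit(0 if result[0] == "ok" else 1)
```

Usage is `python3 verify_node.py ./dist node-v19.4.0-linux-x64.tar.gz release-keys/gpg/pubring.kbx`; a non-zero exit on any verdict other than `ok` is what makes the `&& tar -xvf` chain safe. Keep `ALLOWED_FINGERPRINTS` in sync with the project's published list of release keys; the keyring alone is not an allowlist, since old or withdrawn keys may remain in it.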

ruyadorno commented 1 year ago

I'd appreciate it if anyone could confirm that the signature validation is working after https://github.com/nodejs/release-keys/pull/24 landed.

sp3nx0r commented 1 year ago

Can confirm this is now working as intended for versions 18, 19 and 20. Thanks for addressing it.