chore: switch to official release-keys repo to verify Node.js artefacts#2415
chore: switch to official release-keys repo to verify Node.js artefacts#2415
release-keys repo to verify Node.js artefacts#2415Conversation
release-keys repo to verify Node.jsrelease-keys repo to verify Node.js artefacts
Dockerfile-alpine.template
Outdated
| { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; \ | ||
| done \ | ||
| && export PUBRING="$(mktemp)" \ | ||
| && curl -fsSLo "$PUBRING" --compressed https://github.com/nodejs/release-keys/raw/HEAD/gpg-only-active-keys/pubring.kbx \ |
There was a problem hiding this comment.
Just like any file downloaded in the Dockerfile, this would need to be verified by a sha256sum embedded in the Dockerfile (at a minimum) in order to be acceptable to Docker Official Images. See https://github.com/docker-library/official-images/tree/3b4779967d1c2e369aeae1c8533d12f5a9b4df81#image-build.
In many instances, we also recommend checking that only the expected keys exist in the keyring (or maybe that was only when adding them to an apt keyring). cc @tianon
There was a problem hiding this comment.
The content of the keyring is validated in https://github.com/nodejs/release-keys/actions/runs/20075780501/workflow#L64, do you know if that's good enough?
There was a problem hiding this comment.
I've added a step that checks the pubring only contains the expected keys, PTAL
I think you might be referring to #1509 (comment) |
|
Maybe there is a way in the middle, where the script grabs and parses the keyring, but the image keeps the valid/current keys embedded in the Dockerfile we send upstream |
That's the one that's most directly pertinent to docker-node -- see also nodejs/node#58979 (comment), nodejs/node#58904 (comment), nodejs/node#39227 (comment) 😅 |
This comment was marked as outdated.
This comment was marked as outdated.
To quote nodejs/node#58979 (comment):
And nodejs/node#39227 (comment):
See also https://github.com/docker-library/faq#how-can-i-use-a-keys-file-for-verifying-pgp-signatures |
There was a problem hiding this comment.
Pull request overview
Updates the Node.js artifact verification flow in this repo’s generated Dockerfiles to use the official nodejs/release-keys keyring (downloaded + SHA256-pinned) and gpgv, replacing the prior per-key keyserver fetch approach.
Changes:
- Replace Node.js keyserver-based key fetching with a pinned
pubring.kbxkeyring download + SHA256 verification, and verifySHASUMS256.txt.ascwithgpgv. - Update the key update workflow to persist the resolved keyring URL and its SHA256 to
keys/. - Remove the legacy
keys/node.keyslist and update Dockerfile generation accordingly.
Reviewed changes
Copilot reviewed 40 out of 40 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| update.sh | Stops injecting NODE_KEYS and instead injects Yarn keys plus Node.js keyring URL/hash into generated Dockerfiles. |
| update-keys.sh | Updates the workflow to resolve the official Node.js keyring URL and store its SHA256 for pinning. |
| keys/nodejs.url | Stores the resolved/pinned release-keys raw URL for pubring.kbx. |
| keys/nodejs.shasum | Stores the SHA256 checksum line used to validate the downloaded pubring.kbx. |
| keys/node.keys | Removes the legacy list of individual Node.js release key fingerprints. |
| Dockerfile-slim.template | Switches Node verification to gpgv + keyring download/sha256 validation. |
| Dockerfile-debian.template | Switches Node verification to gpgv + keyring download/sha256 validation. |
| Dockerfile-alpine.template | Switches Node verification to gpgv + keyring download/sha256 validation (source-build path). |
| 25/trixie/Dockerfile | Applies the new gpgv + keyring verification flow for Node 25 on trixie. |
| 25/trixie-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 25 slim on trixie. |
| 25/bullseye/Dockerfile | Applies the new gpgv + keyring verification flow for Node 25 on bullseye. |
| 25/bullseye-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 25 slim on bullseye. |
| 25/bookworm/Dockerfile | Applies the new gpgv + keyring verification flow for Node 25 on bookworm. |
| 25/bookworm-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 25 slim on bookworm. |
| 25/alpine3.23/Dockerfile | Applies the new gpgv + keyring verification flow for Node 25 on alpine3.23 (source-build path). |
| 25/alpine3.22/Dockerfile | Applies the new gpgv + keyring verification flow for Node 25 on alpine3.22 (source-build path). |
| 24/trixie/Dockerfile | Applies the new gpgv + keyring verification flow for Node 24 on trixie. |
| 24/trixie-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 24 slim on trixie. |
| 24/bullseye/Dockerfile | Applies the new gpgv + keyring verification flow for Node 24 on bullseye. |
| 24/bullseye-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 24 slim on bullseye. |
| 24/bookworm/Dockerfile | Applies the new gpgv + keyring verification flow for Node 24 on bookworm. |
| 24/bookworm-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 24 slim on bookworm. |
| 24/alpine3.23/Dockerfile | Applies the new gpgv + keyring verification flow for Node 24 on alpine3.23 (source-build path). |
| 24/alpine3.22/Dockerfile | Applies the new gpgv + keyring verification flow for Node 24 on alpine3.22 (source-build path). |
| 22/trixie/Dockerfile | Applies the new gpgv + keyring verification flow for Node 22 on trixie. |
| 22/trixie-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 22 slim on trixie. |
| 22/bullseye/Dockerfile | Applies the new gpgv + keyring verification flow for Node 22 on bullseye. |
| 22/bullseye-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 22 slim on bullseye. |
| 22/bookworm/Dockerfile | Applies the new gpgv + keyring verification flow for Node 22 on bookworm. |
| 22/bookworm-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 22 slim on bookworm. |
| 22/alpine3.23/Dockerfile | Applies the new gpgv + keyring verification flow for Node 22 on alpine3.23 (source-build path). |
| 22/alpine3.22/Dockerfile | Applies the new gpgv + keyring verification flow for Node 22 on alpine3.22 (source-build path). |
| 20/trixie/Dockerfile | Applies the new gpgv + keyring verification flow for Node 20 on trixie. |
| 20/trixie-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 20 slim on trixie. |
| 20/bullseye/Dockerfile | Applies the new gpgv + keyring verification flow for Node 20 on bullseye. |
| 20/bullseye-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 20 slim on bullseye. |
| 20/bookworm/Dockerfile | Applies the new gpgv + keyring verification flow for Node 20 on bookworm. |
| 20/bookworm-slim/Dockerfile | Applies the new gpgv + keyring verification flow for Node 20 slim on bookworm. |
| 20/alpine3.23/Dockerfile | Applies the new gpgv + keyring verification flow for Node 20 on alpine3.23 (source-build path). |
| 20/alpine3.22/Dockerfile | Applies the new gpgv + keyring verification flow for Node 20 on alpine3.22 (source-build path). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Description
Instead of maintaining a separate list of keys and expect to find them on public servers, let's switch to the official keyring and use the smaller
gpgvtool.Motivation and Context
https://github.com/nodejs/node?tab=readme-ov-file#verifying-binaries
nodejs/unofficial-builds#216
Testing Details
Example Output(if appropriate)
Types of changes
Checklist