mhart / alpine-node

Minimal Node.js Docker Images built on Alpine Linux

Some of the imported PGP keys have expired

csillag opened this issue · comments

As part of the build process, the script tries to import a bunch of PGP public keys from various key servers.
Unfortunately, some of those keys have expired, and therefore can no longer be found.

So the build dies like this:

```
Step 4/7 : RUN for server in ipv4.pool.sks-keyservers.net keyserver.pgp.com ha.pool.sks-keyservers.net; do     gpg --keyserver $server --recv-keys       4ED778F539E3634C779C87C6D7062848A1AB005C       94AE36675C464D64BAFA68DD7434390BDBE9B9C5       74F12602B6F1C4E913FAA37AD3A89613643B6201       71DCFD284A79C3B38668286BC97EC7A07EDE3FC1       8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600       C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8       C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C       DD8F2338BAE7501E3DD5AC78C273792F7D83545D       A48C2BEE680E841632CD4E44F07496B3EB3C1762       108F52B48DB57BB0CC439B2997B01419BD92F80A       B9E2F5981AA6E0CD28160D9FF13993A75599653C && break;   done
 ---> Running in 1cd297c9e0ac
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: keyserver receive failed: No name
gpg: keyserver receive failed: Operation timed out
gpg: keyserver receive failed: No name
The command '/bin/sh -c for server in ipv4.pool.sks-keyservers.net keyserver.pgp.com ha.pool.sks-keyservers.net; do     gpg --keyserver $server --recv-keys       4ED778F539E3634C779C87C6D7062848A1AB005C       94AE36675C464D64BAFA68DD7434390BDBE9B9C5       74F12602B6F1C4E913FAA37AD3A89613643B6201       71DCFD284A79C3B38668286BC97EC7A07EDE3FC1       8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600       C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8       C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C       DD8F2338BAE7501E3DD5AC78C273792F7D83545D       A48C2BEE680E841632CD4E44F07496B3EB3C1762       108F52B48DB57BB0CC439B2997B01419BD92F80A       B9E2F5981AA6E0CD28160D9FF13993A75599653C && break;   done' returned a non-zero code: 2
make: *** [Makefile:28: .docker-image] Error 2
```

I guess the key ids listed here need to be updated...

Btw this broke at some point between the 17th and the 22nd of June.

The missing key seems to be the one in this line: 4ED778F539E3634C779C87C6D7062848A1AB005C

... which is required to verify the signature on https://nodejs.org/dist/v12.18.4/SHASUMS256.txt.asc ,
but is no longer available at https://keyserver.pgp.com (or anywhere else, as far as I can see).

Upon further inspection, I see that basically all those keys have been withdrawn... which is kind of strange, since they are even used for signing some of the latest versions.

For example https://nodejs.org/dist/latest-v12.x/SHASUMS256.txt.asc is signed by C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C, which is also no longer available... I am stumped here.

Or maybe those PGP keys haven't been withdrawn, but are not published at a different location? That should be the case, since even v16-latest is signed by a key which is not available at keyserver.pgp.com ....

This is how they handled this in the official node docker image: nodejs/docker-node#1500
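
The loop in the failing build step passes every fingerprint to one `gpg` call per server, so the log shows one failure per server without saying which key or server is at fault. The sketch below is an added example, not code from this thread, from alpine-node, or from nodejs/docker-node: it imports one key at a time with server fallback and reports the fingerprints that no server supplied. The names `fetch_key`, `import_keys` and `MISSING_KEYS` are hypothetical.

```shell
#!/bin/sh
# Added example: per-key import with keyserver fallback.
# fetch_key, import_keys and MISSING_KEYS are hypothetical names.

# Fetch one key (by full fingerprint) from one keyserver.
# Kept as its own function so it can be replaced by a stub in tests.
fetch_key() {
    gpg --batch --keyserver "$1" --recv-keys "$2" >/dev/null 2>&1
}

# import_keys "<space-separated servers>" "<space-separated fingerprints>"
# Tries each server in order for each fingerprint. Sets MISSING_KEYS to the
# fingerprints that no server could supply and returns non-zero if any is
# missing, so the build fails closed with a precise message.
import_keys() {
    ik_servers=$1
    ik_keys=$2
    ik_missing=""
    for ik_key in $ik_keys; do
        ik_found=no
        for ik_server in $ik_servers; do
            if fetch_key "$ik_server" "$ik_key"; then
                ik_found=yes
                break
            fi
            echo "warn: $ik_server did not supply $ik_key" >&2
        done
        if [ "$ik_found" = no ]; then
            echo "error: no keyserver supplied $ik_key" >&2
            ik_missing="$ik_missing $ik_key"
        fi
    done
    MISSING_KEYS=${ik_missing# }
    [ -z "$MISSING_KEYS" ]
}

# Runs only when called with two arguments, for example:
#   ./import-keys.sh "server-a server-b" "FINGERPRINT1 FINGERPRINT2"
if [ "$#" -eq 2 ]; then
    import_keys "$1" "$2" || exit 1
fi
```

A missing key still stops the build, which is the safe outcome for a step that gates signature verification of `SHASUMS256.txt.asc`; the difference is that the log names the fingerprint and the servers that were tried.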