Skip to content

chore: use release-keys keyring for gpg fingerprints#2459

Open
nschonni wants to merge 1 commit intonodejs:mainfrom
nschonni:parse-keyring-on-update
Open

chore: use release-keys keyring for gpg fingerprints#2459
nschonni wants to merge 1 commit intonodejs:mainfrom
nschonni:parse-keyring-on-update

Conversation

@nschonni
Copy link
Copy Markdown
Member

@nschonni nschonni commented Apr 14, 2026

Description

This doesn't change to go away from the keyservers like in #2415, but points to the upstream source, and removes the need for PRs here when onboarding new Releasers.

Motivation and Context

Testing Details

Example Output(if appropriate)

Types of changes

  • Documentation
  • Version change (Update, remove or add more Node.js versions)
  • Variant change (Update, remove or add more variants, or versions of variants)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Other (none of the above)

Checklist

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING.md document.
  • All new and existing tests passed.

@nschonni
Copy link
Copy Markdown
Member Author

nschonni commented Apr 14, 2026

@aduh95 this doesn't replace your PR, but was what I was trying to explain in the thread. If your approach doesn't get accepted by the Docker Hub people, this at least streamlines the Releaser onboarding and revoking of old keys process.

MikeMcC399
MikeMcC399 approved these changes Apr 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@MikeMcC399 MikeMcC399 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

When ./update.sh is run, a keyring is pulled from https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg-only-active-keys/pubring.kbx as advised by node > Release Keys.

There is no change to the way that keys are stored in the Dockerfile instances or to how the verification of the downloaded Node.js tarball is carried out.

https://github.com/docker-library/official-images#security describes the security requirements for official images and those requirements would continue to be satisfied.

The previous manually run update-keys.sh, which scraped the node > README.md looking for lines with --recv-keys, is replaced.

I did a spot check, removing keys from one of the Dockerfile instances before running ./update.sh. The keys were correctly and identically restored.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MikeMcC399 MikeMcC399 MikeMcC399 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nschonni @MikeMcC399