
release-keys's Introduction

Node.js Release Keys

Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):

Other keys used to sign some previous releases:

Verifying Release Packages

This repo contains the raw release signing keys in two forms:

  1. The keys/ directory contains the raw ASCII-armored release signing keys listed above.

  2. The gpg/ directory contains a GPG keyring preloaded with these release signing keys.

For additional verification of both the keys' content and of the list of authorized signing keys, you may cross-reference the list with nodejs.org and attempt to fetch keys from alternative sources (instead of or in addition to this repo).

Using the preloaded GPG keyring

First, clone this repo:

git clone https://github.com/nodejs/release-keys.git

Then, run your gpg commands with GNUPGHOME pointing at the cloned repo's gpg/ directory. For example, if you cloned the repo to /path/to/release-keys, the gpg command to verify a release package will look like this:

GNUPGHOME=/path/to/release-keys/gpg gpg --verify SHASUMS256.txt.sig SHASUMS256.txt

Using your own GPG keyring

First, clone this repo:

git clone https://github.com/nodejs/release-keys.git

Then, import the release signing keys from this repo into your own GPG keyring by invoking the cli.sh script in this repo. For example, immediately after cloning the repo above, the following command will import all release signing keys:

release-keys/cli.sh import
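The verification step above only succeeds when the signing key is present in the keyring, and the README asks you to cross-reference that key against an authoritative list. The following helper is an added example (not code from nodejs/release-keys) that parses the stderr of gpgv or gpg --verify, in the 2.x output format quoted in this page's issues, and checks the reported key against a keys.list so a stale keyring can be told apart from an unauthorized key; the sample output and keys.list are constructed from the issues on this page.

```python
import re

# gpgv/gpg name the signing key as "gpgv:   using RSA key <fingerprint>"; when the
# signer used a subkey, gpg also prints "Primary key fingerprint: XXXX XXXX ...".
KEY_RE = re.compile(r"^gpgv?:\s+using \w+ key ([0-9A-Fa-f]{16,40})\s*$", re.M)
PRIMARY_RE = re.compile(r"^gpgv?:\s+Primary key fingerprint: ([0-9A-Fa-f ]+?)\s*$", re.M)

def parse_gpgv(stderr: str) -> dict:
    """Return every key fingerprint named in the output plus the verification outcome."""
    keys = {m.group(1).upper() for m in KEY_RE.finditer(stderr)}
    keys |= {m.group(1).replace(" ", "").upper() for m in PRIMARY_RE.finditer(stderr)}
    if "Good signature" in stderr:
        status = "good"
    elif "BAD signature" in stderr:
        status = "bad"
    elif "No public key" in stderr:
        status = "missing-key"
    else:
        status = "unknown"
    return {"keys": keys, "status": status}

def load_key_list(text: str) -> set:
    """Parse a keys.list: one fingerprint per line; blank lines and '#' comments ignored."""
    keys = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].replace(" ", "").strip()
        if line:
            keys.add(line.upper())
    return keys

def diagnose(stderr: str, authorized: set) -> str:
    """Cross-reference the key gpgv reports (subkey or primary) with the authorized list."""
    r = parse_gpgv(stderr)
    known = bool(r["keys"] & authorized)
    if r["status"] == "good":
        return "ok" if known else "good-signature-unauthorized-key"
    if r["status"] == "missing-key":
        # Listed as authorized but absent from pubring.kbx: the keyring is stale.
        return "keyring-stale" if known else "unauthorized-key"
    return r["status"]

# Constructed sample input: the gpgv stderr quoted in the v19 issue on this page, and a
# hypothetical keys.list that only contains the key used to sign v16.18.0 / v18.
SAMPLE_STDERR = """gpgv: Signature made Fri Jan  6 13:15:00 2023 UTC
gpgv:                using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpgv: Can't check signature: No public key
"""
SAMPLE_KEYS_LIST = "# constructed sample\n61FC681DFB92A079F1685E77973F295594EC4689\n"
```

To wire this to a real check, pass `subprocess.run(["gpgv", "--keyring", keyring, sig, data], capture_output=True, text=True).stderr` to `diagnose` together with the fingerprints from this repo's keys.list.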

release-keys's People

Contributors: bengl, bethgriggs, canterberry, juanarbol, marco-ippolito, rafaelgss, richardlau, targos, ulisesgascon


release-keys's Issues

Latest key addition didn't include updating included keyring release-keys/gpg/pubring.kbx

Error excerpt from Dockerfile performing signature validation:

Step 11/23 : RUN gpgv --keyring nodejs-release-keys/gpg/pubring.kbx SHASUMS256.txt.sig SHASUMS256.txt &&     /usr/bin/sha256sum -c --ignore-missing SHASUMS256.txt &&     mkdir ./nodejs && tar -xvf node-v16.18.0-linux-x64.tar.gz -C ./nodejs
 ---> Running in 378ab3472bc1
gpgv: Signature made Wed Oct 12 14:48:44 2022 UTC
gpgv:                using RSA key 61FC681DFB92A079F1685E77973F295594EC4689
gpgv: Can't check signature: No public key

#15 didn't include an update to the keyring release-keys/gpg/pubring.kbx, so a gpgv check by anyone relying on that keyring won't work for release 16.18.0.

Would someone please update the public keyring with Juan's key?

Automated triggers for updating this repo

Desired State

Whenever a new release signing key is introduced for Node.js, tools and automation should be able to verify releases signed by those keys by fetching not only the contents of the signing key based on the release's signature (from any source), but by cross-referencing that key's authorization using a trusted source.

Current State

Currently, the contents of this repo are built manually on an ad-hoc basis and reviews are requested by the members of the release signing team involved with any updates.

The script used to produce/update the GPG keyring and the raw keys within the keys directory is as follows:

# Fetch every key ID listed in keys.list into the gpg/ keyring
GNUPGHOME=gpg gpg --keyserver pool.sks-keyservers.net --receive-keys $(xargs < keys.list)

# Export each fetched key as an ASCII-armored file under keys/
for KEY_ID in $(xargs < keys.list); do
  if [ -n "${KEY_ID}" ]; then
    GNUPGHOME=gpg gpg --export --armor "${KEY_ID}" > "keys/${KEY_ID}.asc"
  fi
done

The script expects keys.list to be up-to-date with the latest keys. This list is derived from nodejs/node:README.md and is currently updated by hand.

The Gap

  1. The process of updating this repo is manual, but should be automated.
  2. The trigger for updating this repo is manual, but should be automated.

Proposed Solution

Close the gap between a change to release signing keys and the introduction of those keys into this repo. Create an automated monitor for changes to https://github.com/nodejs/node/blob/master/README.md involving a release signing key. Ideally, this monitor would alert on the opening of any Pull Request making such a change.

As a follow-up to this monitoring automation, an automated workflow should create a corresponding Pull Request in this repo which makes the necessary changes to ensure this repo is in sync.

Long-Term Plan

The canterberry/nodejs-keys repo is an unofficial source of release signing key information for the Node.js release team. There is a proposal to adopt it under management of the Node.js org and integrate it into existing processes. When that happens, this repo can be retired and this Issue will no longer be relevant.

Latest release signing key is missing a self-signature

Hi there,

The latest release signing key provided through this commit is missing a self-signature.

See the following command output:

gpg --keyserver hkps://keys.openpgp.org --recv-keys DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7
gpg: requesting key 0DDBF2B7 from hkps server keys.openpgp.org
gpg: key 0DDBF2B7: no valid user IDs
gpg: this may be caused by a missing self-signature
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

Can someone work on fixing this issue?

Trusted verification once moved to nodejs/

Nothing personal obviously @canterberry, but this'll need an audit by a TSC member or someone with a trust relationship to the TSC if/once it's moved, to make sure the keys are as they should be.

Flagging that now in this issue which can be closed once it's all done.

Linear history for this repository?

I noticed that we only have "Merge pull request" enabled for this repository, which is the opposite of what we tend to have elsewhere where we don't allow "Merge pull request" in an attempt to have linear history (i.e. no merge commits). Maybe it doesn't matter, but let's make a conscious decision either way.


FWIW this is what our current history graph looks like:

$ git log --graph --oneline
*   d7dd522 (HEAD -> main, upstream/main, upstream/HEAD) Merge pull request #10 from BethGriggs/bethkey
|\
| * 40794ab 🔑 Update key for Beth Griggs
|/
*   f2503f4 Merge pull request #9 from nodejs/move-to-main
|\
| * 1c39ab1 Replace "master" with "HEAD" in URLs
|/
*   5ca9f74 Merge pull request #7 from canterberry/migrate-urls
|\
| * 32f8762 📝 Update email addresses for Beth Griggs and Richard Lau
| * 89ea607 📝 Migrate URLs in README and CLI to nodejs/release-keys repo
* | 61d3143 Merge pull request #5 from canterberry/danielle-adams
|\|
| * 5457e01 🔑 Add old key for Danielle Adams (used to sign v15.2.0 release)
| * 669afc9 🔑 Add key for Danielle Adams
* |   085a84e Merge pull request #8 from canterberry/cli-add
|\ \
| |/
|/|
| * 62049ac 🎨 Add gitignore entry for redundant GPG backup files and improve CLI output when adding a signing key
| * d4acc64 🐞 Add missing CLI_DIR prefix when exporting key + missing usage entry
| * dbba43d ✨ Add command for release signers to easily import keys
|/
*   c980295 Merge pull request #2 from canterberry/team-key-updates
|\
| * 7a9f254 Rebuild GPG keychain and keys list from latest documented Release Keys
|/
* b67a2b9 📝 Hot-link from key IDs in the README to the raw keys

v18 and v19 are signed by a public key not captured in this keyring

Noticed that NodeJS v18 and v19 fail when validating signatures using the public key keyring in this repo:

$ RUN gpgv --keyring nodejs-release-keys/gpg/pubring.kbx SHASUMS256.txt.sig SHASUMS256.txt &&     /usr/bin/sha256sum -c --ignore-missing SHASUMS256.txt &&     mkdir ./nodejs && tar -xvf node-v19.4.0-linux-x64.tar.gz -C ./nodejs
gpgv: Signature made Fri Jan  6 13:15:00 2023 UTC
gpgv:                using RSA key 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4
gpgv: Can't check signature: No public key

v18 is using RSA key 61FC681DFB92A079F1685E77973F295594EC4689

Could we get those keys added into this repo for signature verification? Thanks
