Skip to content
This repository has been archived by the owner on Jun 29, 2020. It is now read-only.

Replace sks-keyservers.net #113

Closed
pstrh opened this issue Sep 6, 2019 · 9 comments · Fixed by #121
Closed

Replace sks-keyservers.net #113

pstrh opened this issue Sep 6, 2019 · 9 comments · Fixed by #121

Comments

@pstrh
Copy link

pstrh commented Sep 6, 2019

Today it seems that the sks-keyservers pool was temporarily unavailable which broke my docker build 😟 In fact the sks-keyservers should no longer be used - see amongst others https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f

Alternatives:

  1. Use the keys.openpgp.org server - unfortunately the keys of the Jetty committers are currently not available there.
  2. Put the public keys of the jetty committers into this repository and import them via gpg --import directly without remote access.

I would suggest to use the public keys directly as it makes the build independent from any keyservers.
@joakime
Copy link

joakime commented Sep 6, 2019

I can ask the jetty committers to publish their keys to there, got any documentation we can follow?

@tianon
Copy link
Contributor

tianon commented Sep 6, 2019
edited
Loading

The easiest method IMO is https://keys.openpgp.org/about/usage#gnupg-upload

gpg --export your_address@example.net | curl -T - https://keys.openpgp.org

@joakime
Copy link

joakime commented Sep 6, 2019

@tianon thanks!

@gregw
Copy link
Contributor

gregw commented Sep 9, 2019

I've loaded my key into keys.openpgp.org, but I'm also inclined to import them directly to make the build independent of a keyserver... but will follow the examples of other projects. @md5 your thoughts?

@md5
Copy link
Member

md5 commented Sep 9, 2019

Making the build independent of a keyserver does seem desirable, given how much effort goes into making key fetching more reliable. Given that the key IDs are enumerated anyways, it's not like keeping the keys themselves out of the build gains any flexibility.

@olamy
Copy link

olamy commented Sep 9, 2019

a solution I have in mind to share the keys and avoid too many copies is to have an image containing the keys (maybe called jetty:keys) such so we can do something as

COPY --from=jetty:keys /keys/* /tmp/
using gpg --import to import the keys
then gpg --batch --verify

@tianon
Copy link
Contributor

tianon commented Sep 9, 2019

There are some relevant notes in https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification too.

@olamy olamy mentioned this issue Sep 11, 2019
Closed
@olamy
Copy link

olamy commented Sep 11, 2019

The fix with pr #114 is to use the image https://github.com/jetty-project/jetty-keys which contains a KEYS file with all the keys so we do not download everything again and again

gregw added a commit to jetty-project/docker-jetty that referenced this issue Nov 24, 2019
@gregw
Issue appropriate#113
d32c229 
Fix appropriate#113 by creating multistage builds that first download keys.
Also took opportunity to reorder Dockerfiles to reduce complexity and size.

Signed-off-by: Greg Wilkins <gregw@webtide.com>
@gregw gregw mentioned this issue Nov 24, 2019
Merged
gregw added a commit to jetty-project/docker-jetty that referenced this issue Nov 24, 2019
@gregw
Issue appropriate#113 and appropriate#103
1aa7db4 
Cleaned up jetty-home usage
Tested the approach for slim JDKs by adding another multi stage to do the validation, since
gpg is not available in slim builds

Signed-off-by: Greg Wilkins <gregw@webtide.com>
gregw added a commit to jetty-project/docker-jetty that referenced this issue Nov 27, 2019
@gregw
alternate approach for appropriate#113 to use a base image for 9.4
d5a72e0 
Signed-off-by: Greg Wilkins <gregw@webtide.com>
@gregw gregw mentioned this issue Nov 27, 2019
Closed
@gregw
Copy link
Contributor

gregw commented Dec 19, 2019

docker-library/official-images#7134

@gregw gregw mentioned this issue Dec 22, 2019
Merged
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
6 participants
@olamy @gregw @md5 @tianon @joakime @pstrh