-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gpg: keyserver receive failed: No keyserver available
since sks-keyservers.net no longer publishes DNS addresses
#1500
Comments
Also reported as #1499. |
Thank you for the context. Is there something we can do to help? Do you have an time estimate on the fix? @gabegorelick |
I'm not a maintainer, but to workaround this you can add a keyserver from https://sks-keyservers.net/status/ (pick whichever one works for you). |
Looks like it's time to push harder for https://keys.openpgp.org/
among the Node release team? 😬
|
Ping @nodejs/releasers |
Another sane option would be to switch to a reasonably reliable single
keyserver like keyserver.ubuntu.com
|
FWIW I uploaded my key to https://keys.openpgp.org/ |
These two seem to work for now @targos
|
Progress is finally being made on https://github.com/nodejs/release-keys. Seems like that can probably be used instead of a keyserver. |
I've taken a stab #1507 at building the node images using https://github.com/nodejs/release-keys, but the key used for 16.4.0 seems not to be included in the keys repository yet. |
That may be nodejs/release-keys#5 and/or nodejs/release-keys#6. |
I'd suggest swapping those and dropping gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \ |
Does some kind of fix need to be incorporated ahead of tomorrow's security release? #1503 I expect a lot of people, myself included, will be eager to pull down new images. |
For it to build here by GitHub actions, yes; for it to build by official-images, not necessarily. The official-images build infra will hijack the connection to spread it across more keyservers and so requests to sks-keyservers urls will just be resolved by a different working keyserver (see https://github.com/docker-library/faq/#openpgp--gnupg-keys-and-verification and https://github.com/tianon/pgp-happy-eyeballs). |
Dug deeper -- apparently sks-keyservers.net was deprecated. Node docs still point at it, but [this issue](nodejs/docker-node#1500) explains the problem and offers some alternative keyservers as an alternative.
Dug deeper -- apparently sks-keyservers.net was deprecated. Node docs still point at it, but [this issue](nodejs/docker-node#1500) explains the problem and offers some alternative keyservers as an alternative.
Environment
Expected Behavior
Building image succeeds.
Current Behavior
Building fails due to failure to fetch GPG keys. The errors look like this:
And then later on you get a
gpg: keyserver receive failed: No keyserver available
.Some keys succeed if they're mirrored at pgp.mit.edu, but all keys that are only hosted on sks-keyservers.net will fail to download. https://sks-keyservers.net explains why:
Possible Solution
gpg
)Steps to Reproduce
docker build 16/buster-slim
, but I assume this affects all Dockerfiles.Additional Information
Fixing Nodejs release key distribution is tracked in nodejs/admin#456 and its linked issues.
The text was updated successfully, but these errors were encountered: