Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gpg: keyserver receive failed: No keyserver available since sks-keyservers.net no longer publishes DNS addresses #1500

Closed
gabegorelick opened this issue Jun 21, 2021 · 14 comments · Fixed by #1510

Comments

@gabegorelick
Copy link

gabegorelick commented Jun 21, 2021

Environment

  • Platform: debian
  • Docker Version: 20.10.6
  • Node.js Version: 12, 14, 16
  • Image Tag: n/a

Expected Behavior

Building image succeeds.

Current Behavior

Building fails due to failure to fetch GPG keys. The errors look like this:

gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys 94AE36675C464D64BAFA68DD7434390BDBE9B9C5
gpg: keyserver receive failed: No name

And then later on you get a gpg: keyserver receive failed: No keyserver available.

Some keys succeed if they're mirrored at pgp.mit.edu, but all keys that are only hosted on sks-keyservers.net will fail to download. https://sks-keyservers.net explains why:

Update 2021-06-21: Due to even more GDPR takedown requests, the DNS records for the pool will no longer be provided at all.

Possible Solution

Steps to Reproduce

docker build 16/buster-slim, but I assume this affects all Dockerfiles.

Additional Information

Fixing Nodejs release key distribution is tracked in nodejs/admin#456 and its linked issues.

@gabegorelick
Copy link
Author

Also reported as #1499.

@karanpratapsingh
Copy link

Thank you for the context. Is there something we can do to help? Do you have an time estimate on the fix? @gabegorelick

@gabegorelick
Copy link
Author

I'm not a maintainer, but to workaround this you can add a keyserver from https://sks-keyservers.net/status/ (pick whichever one works for you).

@tianon
Copy link
Contributor

tianon commented Jun 21, 2021 via email

@nschonni
Copy link
Member

Ping @nodejs/releasers

@tianon
Copy link
Contributor

tianon commented Jun 21, 2021 via email

@targos
Copy link
Member

targos commented Jun 22, 2021

FWIW I uploaded my key to https://keys.openpgp.org/

@karanpratapsingh
Copy link

These two seem to work for now @targos

      gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" || \
      gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" ; \

@gabegorelick
Copy link
Author

Progress is finally being made on https://github.com/nodejs/release-keys. Seems like that can probably be used instead of a keyserver.

@johanneswuerbach
Copy link

johanneswuerbach commented Jun 30, 2021

I've taken a stab #1507 at building the node images using https://github.com/nodejs/release-keys, but the key used for 16.4.0 seems not to be included in the keys repository yet.

@gabegorelick
Copy link
Author

the key used for 16.4.0 seems not to be included in the keys repository yet

That may be nodejs/release-keys#5 and/or nodejs/release-keys#6.

@tianon
Copy link
Contributor

tianon commented Jun 30, 2021

These two seem to work for now @targos

      gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" || \
      gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" ; \

I'd suggest swapping those and dropping hkps from Ubuntu's (since the official build infra will hijack the connection to be able to spread it across more keyservers, which is also why the full fingerprint is used so the key can be verified after being fetched regardless of where it comes from):

gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \

@gabegorelick
Copy link
Author

Does some kind of fix need to be incorporated ahead of tomorrow's security release? #1503

I expect a lot of people, myself included, will be eager to pull down new images.

@yosifkit
Copy link
Contributor

Does some kind of fix need to be incorporated ahead of tomorrow's security release?

For it to build here by GitHub actions, yes; for it to build by official-images, not necessarily. The official-images build infra will hijack the connection to spread it across more keyservers and so requests to sks-keyservers urls will just be resolved by a different working keyserver (see https://github.com/docker-library/faq/#openpgp--gnupg-keys-and-verification and https://github.com/tianon/pgp-happy-eyeballs).

decompil3d added a commit to jcrugzz/s6-node-alpine that referenced this issue Aug 3, 2021
Dug deeper -- apparently sks-keyservers.net was deprecated. Node docs still point at it, but [this issue](nodejs/docker-node#1500) explains the problem and offers some alternative keyservers as an alternative.
jcrugzz pushed a commit to jcrugzz/s6-node-alpine that referenced this issue Aug 3, 2021
Dug deeper -- apparently sks-keyservers.net was deprecated. Node docs still point at it, but [this issue](nodejs/docker-node#1500) explains the problem and offers some alternative keyservers as an alternative.
kasparsd added a commit to xwp/wp-foo-bar that referenced this issue Sep 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants