Description
👋
The Docker images built fine at release just last week, but when rebuilding after a Debian base image update yesterday, they fail to build because the full signing key cannot be fetched from keys.openpgp.org. The key seems to be unverified on keys.openpgp.org now. The Docker image does have a fallback to keyserver.ubuntu.com but that only works if no key data is received. Since the key exists but is no longer verified, the identity information is not returned with the key and gpg just skips it.
https://github.com/docker-library/meta/actions/runs/16004521711/job/45147777945
```
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756
gpg: keybox '/tmp/tmp.MSCDRxLzBW/pubring.kbx' created
gpg: key 21D900FFDB233756: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
[...]
+ curl -fsSLO --compressed https://nodejs.org/dist/v22.17.0/node-v22.17.0-linux-x64.tar.xz
+ curl -fsSLO --compressed https://nodejs.org/dist/v22.17.0/SHASUMS256.txt.asc
+ gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc
gpg: Signature made Wed Jun 25 00:12:40 2025 UTC
gpg: using RSA key C0D6248439F1D5604AAFFB4021D900FFDB233756
gpg: Can't check signature: No public key
```
The Docker image could be changed to download from Ubuntu's keyserver first, but it seems that openpgp.org is the recommended server:
```
gpg --keyserver hkps://keys.openpgp.org --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756 # Antoine du Hamel
```
This is because the email address associated with C0D6248439F1D5604AAFFB4021D900FFDB233756 has been verified with a different key on keys.openpgp.org (5BE8A3F6C8A5C01D106C0AD820B1A390B168D356). See https://keys.openpgp.org/about/faq#verify-multiple:
An email address can only be associated with a single key
@aduh95, could you reverify an identity for the C0D6248439F1D5604AAFFB4021D900FFDB233756 key on keys.openpgp.org?
Thanks!
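
The failure mode reported in this thread (a keyserver answers, but gpg skips the key because it carries no user ID, so the fallback never runs) can be avoided by checking the keyring after each attempt instead of relying on the fetch alone. The following is an added example, not code from the docker-node Dockerfile or from any participant; the function name `fetch_key` and the `GPG` override variable are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: fetch_key and the GPG variable are
# hypothetical names; the servers are the two named in the issue.

# fetch_key FPR SERVER...
# Try each keyserver in order and accept a server only when the key is
# actually present in the keyring afterwards. In the log above, the
# attempt against keys.openpgp.org processed the key, skipped it
# ("contains no user ID"), and the build carried on without it.
fetch_key() {
    fpr=$1; shift
    gpg_bin=${GPG:-gpg}
    for server in "$@"; do
        # A failed or empty fetch is not fatal here; the next server is tried.
        "$gpg_bin" --batch --keyserver "$server" --recv-keys "$fpr" \
            >/dev/null 2>&1 || true
        # --list-keys exits non-zero when the key is absent from the keyring,
        # which is the case after a "no user ID - skipped" import.
        if "$gpg_bin" --batch --list-keys "$fpr" >/dev/null 2>&1; then
            printf '%s\n' "$server"   # report which server supplied the key
            return 0
        fi
    done
    echo "key $fpr not importable from any keyserver" >&2
    return 1
}

# Usage in a build script (fails the build early if no server works):
#   fetch_key C0D6248439F1D5604AAFFB4021D900FFDB233756 \
#       hkps://keys.openpgp.org hkps://keyserver.ubuntu.com
```

With this check, a missing key stops the build at the fetch step rather than later at the `Can't check signature: No public key` error.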