Migrate to Node.js verification using keyring source

[MikeMcC399]

Problem

This repo is no longer aligned with recommendations from node > README > Verifying binaries which now specifies using https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx

Disadvantages of current method:

• Individual keys need to be maintained in this repo
• Both hkps://keys.openpgp.org and keyserver.ubuntu.com key servers needs to be polled
• Previous keys in hkps://keys.openpgp.org where the key signer has moved to a new key, are effectively disabled if the same e-mail address is used (see Can I verify more than one key for some email address?)

Solution

Migrate from current Node.js image verification with locally stored individual PGP keys to instead use a keyring from https://github.com/nodejs/release-keys.

Depending on the need for reproducibility, the keyring could either be copied and stored, or the online version on https://github.com/nodejs/release-keys could be used.

Alternatives to Consider

• No change. In that case keys still need to be manually maintained here.

[MikeMcC399]

Withdrawing this enhancement suggestion, as there was no response.

Keys for signers of Node.js releases will need to be manually maintained as before. The set of keys does however not often change.

[tianon]

I'm going to mirror the relevant part of my comment from nodejs/node#58904 (comment) over here (since it describes what someone trying to pick this work up will need to grapple with): 👍

Also, it's worth noting that it's a little bit annoying in GnuPG specifically to consume key data in a safe/verified way from a raw URL or file -- you can't (that I'm aware of) verify the key by fingerprint before importing/trusting it without doing something like setting up a whole separate GNUPGHOME/keyring, importing the file into there, and then doing a gpg --batch --export with the full fingerprint if you want to make sure that the file you import contains one and only one key, and reference that key by the full (validated) key fingerprint.

See https://github.com/docker-library/tomcat/blob/b63e91319c234d5378a4bea81be915a56e30746b/11.0/jdk21/temurin-noble/Dockerfile#L57-L72 for a relevant example of the "dancing" required to make that work in a reasonably safe way that validates the full fingerprints before trusting them for signing.

[MikeMcC399]

I re-opened this issue due to @richardlau's nodejs/node#61022 (comment) which said:

This has affected unofficial-builds and will probably also affect https://github.com/nodejs/docker-node.

As it turned out, the https://github.com/nodejs/docker-node repo (this one) had no issue with the keys once the build on https://github.com/nodejs/unofficial-builds was fixed, so I jumped the gun a bit.

[MikeMcC399]

It seems that PR #2415 would implement this suggestion

[MikeMcC399]

This proposal appears to conflict with the requirements for Docker Official Images.

In the Security section of their README it gives examples with differing levels of security. In all examples with acceptable levels of security there is either a key or a checksum embedded in the Dockerfile.

I'm going to close this issue and leave further discussion for PR #2415