👋
The Docker images built fine at release just last week, but when rebuilding after a Debian base image update yesterday, they fail to build because the full signing key cannot be fetched from keys.openpgp.org. The key seems to be unverified on keys.openpgp.org now. The Docker image does have a fallback to keyserver.ubuntu.com but that only works if no key data is received. Since the key exists but is no longer verified, the identity information is not returned with the key and gpg just skips it.
https://github.com/docker-library/meta/actions/runs/16004521711/job/45147777945
```
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756
gpg: keybox '/tmp/tmp.MSCDRxLzBW/pubring.kbx' created
gpg: key 21D900FFDB233756: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg: w/o user IDs: 1
[...]
+ curl -fsSLO --compressed https://nodejs.org/dist/v22.17.0/node-v22.17.0-linux-x64.tar.xz
+ curl -fsSLO --compressed https://nodejs.org/dist/v22.17.0/SHASUMS256.txt.asc
+ gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc
gpg: Signature made Wed Jun 25 00:12:40 2025 UTC
gpg: using RSA key C0D6248439F1D5604AAFFB4021D900FFDB233756
gpg: Can't check signature: No public key
```
The Docker image could be changed to download from Ubuntu's keyserver first, but it seems that openpgp.org is the recommended server:

```
gpg --keyserver hkps://keys.openpgp.org --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756 # Antoine du Hamel
```
This is because the email address associated with C0D6248439F1D5604AAFFB4021D900FFDB233756 has been verified with a different key on keys.openpgp.org (5BE8A3F6C8A5C01D106C0AD820B1A390B168D356). See https://keys.openpgp.org/about/faq#verify-multiple:
> An email address can only be associated with a single key
@aduh95, could you reverify an identity for the C0D6248439F1D5604AAFFB4021D900FFDB233756 key on keys.openpgp.org?
Thanks!
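
The fallback problem described in this issue, as an added example that is not part of the original post or of the Docker image's own build script: the keyserver fallback is driven by whether the key actually landed in the keyring rather than by the result of `--recv-keys`. The function names `have_key` and `fetch_key` and the default server order are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: keyserver fallback keyed on "is the key usable", not on the
# result of --recv-keys. Function names and server order are assumptions.

# have_key FPR: succeeds only if the keyring holds a public key for FPR.
# A key gpg skipped ("contains no user ID - skipped") is never stored,
# so this check fails for it.
have_key() {
    gpg --batch --list-keys "$1" >/dev/null 2>&1
}

# fetch_key FPR [KEYSERVER...]: try each keyserver until FPR is really imported.
# Prints the server that delivered the key; returns 1 if none did.
fetch_key() {
    fpr=$1
    shift
    [ "$#" -gt 0 ] || set -- hkps://keys.openpgp.org hkps://keyserver.ubuntu.com
    for server in "$@"; do
        # Do not branch on this command's exit status: in the issue's log the
        # build carried on past it although nothing had been imported.
        gpg --batch --keyserver "$server" --recv-keys "$fpr" >/dev/null 2>&1 || true
        if have_key "$fpr"; then
            printf '%s\n' "$server"
            return 0
        fi
    done
    echo "no keyserver returned a usable key for $fpr" >&2
    return 1
}

# Run only when called with arguments, e.g.: sh fetch-key.sh <fingerprint>
if [ "$#" -gt 0 ]; then
    fetch_key "$@"
fi
```

Failing the build at `fetch_key` puts the error next to its cause instead of at the later `gpg --decrypt` step.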