gpg: keyserver receive failed: No keyserver available since sks-keyservers.net no longer publishes DNS addresses

[gabegorelick]

Environment

• Platform: debian
• Docker Version: 20.10.6
• Node.js Version: 12, 14, 16
• Image Tag: n/a

Expected Behavior

Building image succeeds.

Current Behavior

Building fails due to failure to fetch GPG keys. The errors look like this:

gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys 94AE36675C464D64BAFA68DD7434390BDBE9B9C5
gpg: keyserver receive failed: No name

And then later on you get a gpg: keyserver receive failed: No keyserver available.

Some keys succeed if they're mirrored at pgp.mit.edu, but all keys that are only hosted on sks-keyservers.net will fail to download. https://sks-keyservers.net explains why:

Update 2021-06-21: Due to even more GDPR takedown requests, the DNS records for the pool will no longer be provided at all.

Possible Solution

• Use a specific keyserver directly instead of pool address
• Get Node releasers to permit their user IDs be hosted on keys.openpgp.org (otherwise the key can't be received by gpg)

Steps to Reproduce

docker build 16/buster-slim, but I assume this affects all Dockerfiles.

Additional Information

Fixing Nodejs release key distribution is tracked in nodejs/admin#456 and its linked issues.

[gabegorelick]

Also reported as #1499.

[karanpratapsingh]

Thank you for the context. Is there something we can do to help? Do you have an time estimate on the fix? @gabegorelick

[gabegorelick]

I'm not a maintainer, but to workaround this you can add a keyserver from https://sks-keyservers.net/status/ (pick whichever one works for you).

[tianon]

Looks like it's time to push harder for https://keys.openpgp.org/ among the Node release team? 😬

[nschonni]

Ping @nodejs/releasers

[tianon]

Another sane option would be to switch to a reasonably reliable single keyserver like keyserver.ubuntu.com

[targos]

FWIW I uploaded my key to https://keys.openpgp.org/

[karanpratapsingh]

These two seem to work for now @targos

      gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" || \
      gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" ; \

[gabegorelick]

Progress is finally being made on https://github.com/nodejs/release-keys. Seems like that can probably be used instead of a keyserver.

[johanneswuerbach]

I've taken a stab #1507 at building the node images using https://github.com/nodejs/release-keys, but the key used for 16.4.0 seems not to be included in the keys repository yet.

[gabegorelick]

the key used for 16.4.0 seems not to be included in the keys repository yet

That may be nodejs/release-keys#5 and/or nodejs/release-keys#6.

[tianon]

These two seem to work for now @targos

      gpg --batch --keyserver hkps://keyserver.ubuntu.com --recv-keys "$key" || \
      gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" ; \

I'd suggest swapping those and dropping hkps from Ubuntu's (since the official build infra will hijack the connection to be able to spread it across more keyservers, which is also why the full fingerprint is used so the key can be verified after being fetched regardless of where it comes from):

gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" || \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \

[gabegorelick]

Does some kind of fix need to be incorporated ahead of tomorrow's security release? #1503

I expect a lot of people, myself included, will be eager to pull down new images.

[yosifkit]

Does some kind of fix need to be incorporated ahead of tomorrow's security release?

For it to build here by GitHub actions, yes; for it to build by official-images, not necessarily. The official-images build infra will hijack the connection to spread it across more keyservers and so requests to sks-keyservers urls will just be resolved by a different working keyserver (see https://github.com/docker-library/faq/#openpgp--gnupg-keys-and-verification and https://github.com/tianon/pgp-happy-eyeballs).