chore: curl GPG keys for Yarn and Nodejs #1509
Conversation
| gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || \ | ||
| gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; \ | ||
| done \ | ||
| && curl -s https://raw.githubusercontent.com/nodejs/release-keys/HEAD/cli.sh | bash -s import \ |
There was a problem hiding this comment.
Should HEAD instead be pinned to a commit has in the versions.json for stability? The CLI itself currently just pulls keys from the default branch, so I'm not sure if it buys much
| @@ -57,6 +52,7 @@ RUN addgroup -g 1000 node \ | |||
| && rm "node-v$NODE_VERSION.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt; \ | |||
| fi \ | |||
| && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \ | |||
| && curl -s https://raw.githubusercontent.com/nodejs/release-keys/HEAD/cli.sh | bash -s clear \ | |||
There was a problem hiding this comment.
Should the first curl of the script keep it around and then clean it up after this instead of downloading it twice?
| gpg --batch --keyserver hkp://ipv4.pool.sks-keyservers.net --recv-keys "$key" || \ | ||
| gpg --batch --keyserver hkp://pgp.mit.edu:80 --recv-keys "$key" ; \ | ||
| done \ | ||
| && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --import \ |
There was a problem hiding this comment.
Should the Yarn key get cleaned up at the end?
Unfortunately, both this approach and #1507 are DOA from the downstream perspective (https://github.com/docker-library/official-images#image-build and/or https://github.com/docker-library/official-images#clarity) -- the way I'd prefer to see https://github.com/nodejs/release-keys used is in |
|
OK, closing in favour of #1510 |
There is some mix of the security updates in here, so opening as a draft. Can cleanup before landing