fixup! chore: switch to official release-keys repo to verify Node.js

aduh95 · aduh95 · commit 48c743adf4d2 · 2026-03-09T23:43:17.000+01:00
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
@@ -37,13 +37,14 @@ RUN addgroup -g 1000 node \
         make \
         python3 \
         py-setuptools \
-    && export PUBRING="$(mktemp)" \
-    && curl -fsSLo "$PUBRING" --compressed https://github.com/nodejs/release-keys/raw/HEAD/gpg-only-active-keys/pubring.kbx \
+    && export GNUPGHOME="$(mktemp -d)" \
+    && (cd "$GNUPGHOME" && curl -fsSLO --compressed "${NODEJS_KEYRING_URL}" && echo "${NODEJS_KEYRING_HASH}" | sha256sum -c) \
     && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \
     && curl -fsSL --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
-    | gpgv --keyring="$PUBRING" --output - \
+    | gpgv --keyring="$GNUPGHOME/pubring.kbx" --output - \
     | grep " node-v$NODE_VERSION.tar.xz\$"
     | sha256sum -c - \
+    && rm -rf "$GNUPGHOME" \
     && tar -xJf "node-v$NODE_VERSION.tar.xz" \
     && cd "node-v$NODE_VERSION" \
     && ./configure \
@@ -52,7 +53,7 @@ RUN addgroup -g 1000 node \
     && apk del .build-deps-full \
     && cd .. \
     && rm -Rf "node-v$NODE_VERSION" \
-    && rm "$PUBRING" "node-v$NODE_VERSION.tar.xz"; \
+    && rm "node-v$NODE_VERSION.tar.xz"; \
   fi \
   && rm -f "node-v$NODE_VERSION-linux-$ARCH-musl.tar.xz" \
   # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
@@ -15,16 +15,17 @@ RUN ARCH= && dpkgArch="$(dpkg --print-architecture)" \
     i386) ARCH='x86';; \
     *) echo "unsupported architecture"; exit 1 ;; \
   esac \
-  && export PUBRING="$(mktemp)" \
+  && export GNUPGHOME="$(mktemp -d)" \
   && set -exo pipefail \
-  && curl -fsSLo "$PUBRING" --compressed https://github.com/nodejs/release-keys/raw/HEAD/gpg-only-active-keys/pubring.kbx \
+  && (cd "$GNUPGHOME" && curl -fsSLO --compressed "${NODEJS_KEYRING_URL}" && echo "${NODEJS_KEYRING_HASH}" | sha256sum -c) \
   && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \
   && curl -fsSL --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
-  | gpgv --keyring="$PUBRING" --output - \
+  | gpgv --keyring="$GNUPGHOME/pubring.kbx" --output - \
   | grep " node-v$NODE_VERSION.tar.xz\$"
   | sha256sum -c - \
+  && rm -rf "$GNUPGHOME" \
   && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \
-  && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" "$PUBRING" \
+  && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
   && ln -s /usr/local/bin/node /usr/local/bin/nodejs \
   # smoke tests
   && node --version \
diff --git a/Dockerfile-slim.template b/Dockerfile-slim.template
@@ -19,16 +19,17 @@ RUN ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" \
     # libatomic1 for arm
     && apt-get update && apt-get install -y ca-certificates curl wget gpgv dirmngr xz-utils libatomic1 --no-install-recommends \
     && rm -rf /var/lib/apt/lists/* \
-    && export PUBRING="$(mktemp)" \
+    && export GNUPGHOME="$(mktemp -d)" \
     && set -exo pipefail \
-    && curl -fsSLo "$PUBRING" --compressed https://github.com/nodejs/release-keys/raw/HEAD/gpg-only-active-keys/pubring.kbx \
+    && (cd "$GNUPGHOME" && curl -fsSLO --compressed "${NODEJS_KEYRING_URL}" && echo "${NODEJS_KEYRING_HASH}" | sha256sum -c) \
     && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION.tar.xz" \
     && curl -fsSL --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" \
-    | gpgv --keyring="$PUBRING" --output - \
+    | gpgv --keyring="$GNUPGHOME/pubring.kbx" --output - \
     | grep " node-v$NODE_VERSION.tar.xz\$"
     | sha256sum -c - \
+    && rm -rf "$GNUPGHOME" \
     && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \
-    && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" "$PUBRING" \
+    && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" \
     # Remove unused OpenSSL headers to save ~34MB. See this NodeJS issue: https://github.com/nodejs/node/issues/46451
     && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; \
     && apt-mark auto '.*' > /dev/null \
diff --git a/update-keys.sh b/update-keys.sh
@@ -0,0 +1,7 @@
+#!/bin/sh -ex
+
+KEYRING_URL=$(curl -fsIo /dev/null -w '%header{Location}' https://github.com/nodejs/release-keys/raw/HEAD/gpg-only-active-keys/pubring.kbx)
+TMP_DIR=$(mktemp -d)
+(cd "$TMP_DIR" && curl -fsSO "$KEYRING_URL" && sha256sum pubring.kbx) > keys/nodejs.shasum
+echo "$KEYRING_URL" > keys/nodejs.url
+rm -r "$TMP_DIR"
diff --git a/update.sh b/update.sh
@@ -139,13 +139,15 @@ function update_node_version() {
 '
 
     # Add GPG keys
-    for key_type in "yarn"; do
-      while read -r line; do
-        pattern='"\$\{'$(echo "${key_type}" | tr '[:lower:]' '[:upper:]')'_KEYS\[@\]\}"'
-        sed -Ei -e "s/([ \\t]*)(${pattern})/\\1${line}${new_line}\\1\\2/" "${dockerfile}-tmp"
-      done < "keys/${key_type}.keys"
-      sed -Ei -e "/${pattern}/d" "${dockerfile}-tmp"
-    done
+    key_type="yarn"
+    while read -r line; do
+      pattern='"\$\{'$(echo "${key_type}" | tr '[:lower:]' '[:upper:]')'_KEYS\[@\]\}"'
+      sed -Ei -e "s/([ \\t]*)(${pattern})/\\1${line}${new_line}\\1\\2/" "${dockerfile}-tmp"
+    done < "keys/${key_type}.keys"
+    sed -Ei -e "/${pattern}/d" "${dockerfile}-tmp"
+
+    # Add Node.js keyring URL and hash
+    sed -i -e "s#\${NODEJS_KEYRING_URL}#$(< keys/nodejs.url)#" -e "s/\${NODEJS_KEYRING_HASH}/$(< keys/nodejs.shasum)/" "${dockerfile}-tmp"
 
     if is_alpine "${variant}"; then
       alpine_version="${variant#*alpine}"
