Realign Node.js signing keys

[MikeMcC399]

Situation

Node.js signing keys are hard-coded in

cypress-docker-images/factory/installScripts/node/default.sh

Lines 25 to 37 in f768990

	4ED778F539E3634C779C87C6D7062848A1AB005C \
	141F07595B7B3FFE74309A937405533BE57C7D57 \
	74F12602B6F1C4E913FAA37AD3A89613643B6201 \
	DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \
	61FC681DFB92A079F1685E77973F295594EC4689 \
	CC68F5A3106FF448322E48ED27F5E38D5B0A215F \
	8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \
	C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \
	890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \
	C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \
	108F52B48DB57BB0CC439B2997B01419BD92F80A \
	A363A499291CBBC940DD62E41F10027AF002F8B0 \
	C0D6248439F1D5604AAFFB4021D900FFDB233756 \

The official public list of these keys is in the Node.js README > Release keys document section, including both "Primary GPG keys" and "Other keys used to sign some previous releases"

Assessment

Key	Section	Releaser
4ED778F539E3634C779C87C6D7062848A1AB005C	previous	Beth Griggs
141F07595B7B3FFE74309A937405533BE57C7D57	previous	Bryan English
74F12602B6F1C4E913FAA37AD3A89613643B6201	previous	Danielle Adams
DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7	primary	Juan José Arboleda
61FC681DFB92A079F1685E77973F295594EC4689	previous	Juan José Arboleda
CC68F5A3106FF448322E48ED27F5E38D5B0A215F	primary	Marco Ippolito
8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600	primary	Michaël Zasso
C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8	previous	Myles Borins
890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4	primary	Rafael Gonzaga
C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C	primary	Richard Lau
108F52B48DB57BB0CC439B2997B01419BD92F80A	primary	Ruy Adorno
A363A499291CBBC940DD62E41F10027AF002F8B0	primary	Ulises Gascón
C0D6248439F1D5604AAFFB4021D900FFDB233756	primary	Antoine du Hamel

All keys from the Primary GPG section are included in the list. Only a few of the keys from the previous release list are included.

The keys are mainly sorted by full name.

Suggestion

For better future maintenance, re-order the list to use the same order of keys used in the Node.js README > Release keys document section, which is to separate primary and previous key lists and to order them by name.

Delay this change until the next key change from the Node.js organization. This should be soon, as the following key is planned for demotion

C0D6248439F1D5604AAFFB4021D900FFDB233756 Antoine du Hamel

with replacement being

5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 Antoine du Hamel

(As a policy, don't add more keys from the "Other keys used to sign some previous releases" section, unless they are actually needed. This will be the case for C0D6248439F1D5604AAFFB4021D900FFDB233756 which will be needed after it is demoted, as it was used to sign Node.js 22.17.0 for example.)

[MikeMcC399]

Status

Jul 16, 2025

This issue is waiting for an update to Node.js README > Release keys before proceeding to implementation in a PR

[cjmaria]

Hi @MikeMcC399, it looks like the replacement of Antoine du Hamel's key is currently impacting the images tagged 5.11.4 & latest

68.67 + for key in 4ED778F539E3634C779C87C6D7062848A1AB005C 141F07595B7B3FFE74309A937405533BE57C7D57 74F12602B6F1C4E913FAA37AD3A89613643B6201 DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 61FC681DFB92A079F1685E77973F295594EC4689 CC68F5A3106FF448322E48ED27F5E38D5B0A215F 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C 108F52B48DB57BB0CC439B2997B01419BD92F80A A363A499291CBBC940DD62E41F10027AF002F8B0 C0D6248439F1D5604AAFFB4021D900FFDB233756
68.67 + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756
69.11 gpg: key 21D900FFDB233756: new key but contains no user ID - skipped
69.11 gpg: Total number processed: 1
69.11 gpg:           w/o user IDs: 1
69.11 + gpg --batch --fingerprint C0D6248439F1D5604AAFFB4021D900FFDB233756
69.11 gpg: error reading key: No public key
69.11 + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756
129.2 gpg: keyserver receive failed: Connection timed out

[MikeMcC399]

@cjmaria

69.11 + gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756
129.2 gpg: keyserver receive failed: Connection timed out

This is a network issue with the connection to keyserver.ubuntu.com

Please open a separate issue if this problem continues. I cannot reproduce it here, so it may be a temporary issue.

[cjmaria]

Thank you, my apologies, I see now the issues are intermittent. I had assumed it was related since it happens to fail on the key fingerprint mentioned here.

[MikeMcC399]

@cjmaria

Thank you, my apologies, I see now the issues are intermittent. I had assumed it was related since it happens to fail on the key fingerprint mentioned here.

That is probably coincidence, because the key 61FC681DFB92A079F1685E77973F295594EC4689 also relies on being able to access keyserver.ubuntu.com

When there is a network connection issue to keyserver.ubuntu.com the logs report the last key on the list, so if you don't look at the full log then it can be misleading.

[shazaddad]

I have made the change to my docker file :

ARG NODE_VERSION='22.17.1'

ARG FACTORY_VERSION='5.11.4'

but my build still fails:
gpg: error reading key: No public key

  | gpg --batch --keyserver keyserver.ubuntu.com --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756
  | gpg: keyserver receive failed: Connection timed out

[MikeMcC399]

@shazaddad

Please open a new issue. This issue is only about changing the order of the keys and this will not help with your problem.

[MikeMcC399]

@cjmaria / @shazaddad

If either of you are still experiencing this problem, you are welcome to open a new issue. I've submitted PR #1385 which should fix this issue. In the meantime you can use cypress/factory:5.11.2.
Note that if you have connectivity issues to keyserver.ubuntu.com you will not be able to build with Node.js 22.17.0 whichever cypress/factory version you use, however this may no longer be a problem because the Active LTS version is now Node.js 22.17.1

[MikeMcC399]

• Build issues caused by network connectivity problems to keyserver.ubuntu.com are separately logged to issue I have update my docker to include the lastest keyserver changes in node but get an error from keyserver.ubuntu.com #1386. This is remediated through PR fix: skip individual failed Node.js key imports #1385 resulting in a new Docker image:

docker pull cypress/factory:5.11.5

[MikeMcC399]

The issue here regarding realigning the signing keys remains open. There are two related open issues on the Node.js side:

• Can no longer validate signatures on NodeJS binaries due to needing approval on keyserver nodejs/node#58904
• Docs: Missing instructions for importing previous release keys nodejs/node#58979

[MikeMcC399]

The following PR proposes to change significantly how to verify Node.js releases :

• PR doc: update the instruction on how to verify releases nodejs/node#59113

It involves importing a keyring directly from https://raw.githubusercontent.com/nodejs/release-keys/main/gpg/pubring.kbx instead of importing individual keys from keyservers.

The PR should be monitored.

Additionally, if any new release is signed with the new key:

gpg --keyserver hkps://keys.openpgp.org --recv-keys 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 # Antoine du Hamel

from https://github.com/nodejs/node/blob/main/README.md#release-keys then action will be necessary.

At this time it can't be predicted which event (PR merge / new release with new key) will happen first.