
Conversation

MikeMcC399 (Collaborator) commented Jul 20, 2025

Situation

The Cypress Docker images repo currently manages a list of Node.js release signer keys in the cypress/factory install script factory/installScripts/node/default.sh. Node.js releases are signed by individuals, and additional keys or changes to the status of existing keys can cause cypress/factory builds to fail because the integrity of the downloaded Node.js package cannot be verified. To remedy the situation requires a manual update to the table of keys, delaying the ability to use a particular impacted Node.js version until the update is merged, a new cypress/factory version is published and users pick up this version.

An alternate supported source of Node.js release signer keys is available from the nodejs/release-keys repo.

Background

Until now, the Node.js project provided instructions in their README > Release keys document section to import individual "Primary GPG keys for Node.js Releasers" using the hkps://keys.openpgp.org keyserver. For keys in the category "Other keys used to sign some previous releases" no instructions were provided. Some of these keys are needed for versions of Node.js that Cypress lists as supported under Install Cypress > Node.js.

The cypress/factory install script factory/installScripts/node/default.sh did not specifically use the information in the Node.js README and instead noted in the install script that code was borrowed from https://github.com/nodejs/docker-node/blob/main/20/bookworm-slim/Dockerfile. This code took the approach of attempting to import keys first from hkps://keys.openpgp.org and then falling back to (hkp://)keyserver.ubuntu.com if that failed.

A recent change to the status of the key C0D6248439F1D5604AAFFB4021D900FFDB233756 in hkps://keys.openpgp.org caused a breaking change and meant that the script failed for what was at the time the Node.js Active LTS version 22.17.0. The problem was reported in issue #1375 and a workaround was implemented through PR #1377 in cypress/factory:5.11.2. Subsequently the nodejs/docker-node repo implemented a fix which added checks to each import step. This fix was mirrored into the cypress/factory script through PR #1380 and released in cypress/factory:5.11.3. Stricter checking in this fix became an unintentional breaking change that then led to 2 users reporting build failures in an environment / situation where they had no connectivity to the keyserver.ubuntu.com, described in issue #1386. One theory, yet to be confirmed, is that there was a firewall rule in place that blocked access to TCP port 11371, the port used by the default keyserver protocol hkp. A workaround for this side-effect was implemented through PR #1385 and released as cypress/factory:5.11.5. (See also the CHANGELOG for an overview.)

The key problem for Node.js 22.17.0 also impacted other Node.js users unrelated to Cypress, and this has led to a new recommendation for verifying Node.js binaries involving importing a GPG keyring directly from the GitHub repo https://github.com/nodejs/release-keys instead of importing individual keys from hkps://keys.openpgp.org.

Change

  • Import all GPG keys for Node.js releasers from the keyring pubring.kbx in the nodejs/release-keys repo instead of importing individual keys from keyservers hkps://keys.openpgp.org and keyserver.ubuntu.com.

Advantages

  • The keyring import requires only https connectivity (TCP port 443). This can be assumed to be available for cypress/factory build environments, as it is required to retrieve the base Docker image, npm packages from the registry, browser packages, etc.
  • The keyring is maintained by the Node.js organization. Changes in signer keys should require no change to factory/installScripts/node/default.sh.

Verification

Confirm that a cypress/base image for an example version signed by each of the "primary release signers" can be built without error. Additionally, test Node.js 22.17.0, which was signed with a key that has moved to the "previous keys" section:

cd factory
docker compose build factory
docker compose build base
NODE_VERSION=22.17.0 docker compose build base # Antoine du Hamel - old key
NODE_VERSION=20.5.0 docker compose build base # Juan José Arboleda
NODE_VERSION=18.12.1 docker compose build base # Juan José Arboleda - old key
NODE_VERSION=20.19.3 docker compose build base # Marco Ippolito
NODE_VERSION=20.18.0 docker compose build base # Michaël Zasso
NODE_VERSION=22.17.1 docker compose build base # Rafael Gonzaga
NODE_VERSION=20.9.0 docker compose build base # Richard Lau
NODE_VERSION=22.13.0 docker compose build base # Ruy Adorno
NODE_VERSION=22.15.0 docker compose build base # Ulises Gascón


MikeMcC399 (Collaborator, Author) commented:

Node.js README > Verifying binaries now explicitly suggests getting a trusted keyring from the nodejs/release-keys repo.

The full keyring pubring.kbx is located in https://github.com/nodejs/release-keys/tree/main/gpg

Node.js recommends the raw URL as either:
https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx
https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg/pubring.kbx (used by GitHub UI)
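The keyring-based verification described in the Change section above, carried through to an actual release check using the raw pubring.kbx URL from this comment. This is an added example, not the cypress/factory install script and not the Node.js project's own commands. It assumes curl, gpg 2.1 or later (keybox .kbx support) and GNU coreutils sha256sum are installed, and that the nodejs.org download layout is https://nodejs.org/dist/v<version>/ containing SHASUMS256.txt and its detached signature SHASUMS256.txt.sig. All function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not cypress/factory or Node.js project code): verify a Node.js
# release tarball with the releaser keyring fetched over HTTPS from
# nodejs/release-keys, the approach this PR switches to.
# Assumed: curl, gpg >= 2.1 (keybox support), GNU sha256sum, and the
# nodejs.org layout https://nodejs.org/dist/v<ver>/{SHASUMS256.txt,SHASUMS256.txt.sig,node-v<ver>-<platform>.tar.xz}.
set -eu

NODE_KEYRING_URL="https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx"
NODE_DIST_URL="https://nodejs.org/dist"

# Fetch the keyring into a throwaway GNUPGHOME. Only TCP 443 is needed, unlike
# the hkp fallback to keyserver.ubuntu.com (TCP 11371) that issue #1386 hit.
fetch_node_keyring() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  curl -fsSL -o "$GNUPGHOME/node-release-keys.kbx" "$NODE_KEYRING_URL"
  # Fail early if the download is not a keyring gpg can read.
  gpg --batch --no-default-keyring --keyring "$GNUPGHOME/node-release-keys.kbx" \
    --list-keys >/dev/null
}

# Check the detached signature on SHASUMS256.txt against the keyring only
# (no keyserver, no default keyring). Exit status 0 means a good signature
# from one of the releaser keys in pubring.kbx.
verify_shasums_signature() { # <dir>
  gpg --batch --no-default-keyring --keyring "$GNUPGHOME/node-release-keys.kbx" \
    --verify "$1/SHASUMS256.txt.sig" "$1/SHASUMS256.txt"
}

# Check one file in <dir> against its entry in <dir>/SHASUMS256.txt.
# The file name is matched exactly (awk equality, not a grep regex);
# a file that is not listed at all fails, because sha256sum -c gets no lines.
check_sha256_entry() { # <dir> <filename>
  ( cd "$1" && awk -v f="$2" '$2 == f' SHASUMS256.txt | sha256sum -c - )
}

# Full procedure: keyring -> signed checksum list -> tarball. Prints the
# verified tarball path on success; any failing step aborts under set -e.
verify_node_release() { # <version> <platform, e.g. linux-x64>
  tarball="node-v$1-$2.tar.xz"
  dir="$(mktemp -d)"
  fetch_node_keyring
  for f in SHASUMS256.txt SHASUMS256.txt.sig "$tarball"; do
    curl -fsSL -o "$dir/$f" "$NODE_DIST_URL/v$1/$f"
  done
  verify_shasums_signature "$dir"
  check_sha256_entry "$dir" "$tarball"
  echo "$dir/$tarball"
}

# Run directly as:  NODE_RELEASE_TO_VERIFY=22.17.0 sh verify-node.sh
if [ -n "${NODE_RELEASE_TO_VERIFY:-}" ]; then
  verify_node_release "$NODE_RELEASE_TO_VERIFY" "${NODE_PLATFORM:-linux-x64}"
fi
```

gpg will still print "WARNING: This key is not certified with a trusted signature!" because nothing in the throwaway GNUPGHOME certifies the releaser keys; that is expected and the exit status is what matters. The trust anchor in this model is the HTTPS fetch of pubring.kbx from GitHub, so a build should fail closed if that download fails rather than fall back to a keyserver.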

MikeMcC399 (Collaborator, Author) commented Jul 28, 2025

This PR passes the responsibility for maintaining a Node.js signer key list back to the Node.js organization, where it belongs, and frees the Cypress.io organization from having to continually update a list of Node.js signer keys stored in this repo.

Cypress Docker image builds should no longer fail because the local copy of the Node.js signer keys is out of date. There is no longer a local copy maintained.

If a new version of Node.js is released, signed with a new key, there will be no need to update cypress/factory to a new version in order to add a new Node.js signer key to the cypress/factory Docker image since the keys are retrieved dynamically.

@MikeMcC399 MikeMcC399 marked this pull request as ready for review July 28, 2025 07:09
@jennifer-shehane jennifer-shehane merged commit 6da1676 into cypress-io:master Jul 28, 2025
49 checks passed
@MikeMcC399 MikeMcC399 deleted the node-release-keyring-import branch July 28, 2025 14:51


Development

Successfully merging this pull request may close these issues.

Realign Node.js signing keys
