feat: import nodejs/release-keys GitHub pgp keyring (#1388)

* feat: import nodejs/release-keys GitHub pgp keyring

* use github raw content url for keyring source

Author: MikeMcC399

factory/.env

@@ -18,7 +18,7 @@ NODE_VERSION="${FACTORY_DEFAULT_NODE_VERSION}"
 
 # Update the FACTORY_VERSION to deploy cypress/factory if you make changes to
 # BASE_IMAGE, FACTORY_DEFAULT_NODE_VERSION, YARN_VERSION, factory.Dockerfile or installScripts
-FACTORY_VERSION='5.11.6'
+FACTORY_VERSION='5.12.0'
 
 # Chrome versions: https://www.ubuntuupdates.org/package/google_chrome/stable/main/base/google-chrome-stable
 # Linux/amd64 only

factory/CHANGELOG.md

@@ -1,8 +1,12 @@
 # Change log
 
+## 5.12.0
+
+- Import all PGP keys for Node.js from `pgp` keyring in https://github.com/nodejs/release-keys repo. Addressed in [#1388](https://github.com/cypress-io/cypress-docker-images/issues/1388).
+
 ## 5.11.6
 
-- Failed installs of Cypress no longer get cached as a docker layer. Addressed in [#1390](https://github.com/cypress-io/cypress-docker-images/pull/1390)
+- Failed installs of Cypress no longer get cached as a docker layer. Addressed in [#1390](https://github.com/cypress-io/cypress-docker-images/pull/1390).
 
 ## 5.11.5
 

factory/installScripts/node/default.sh

@@ -20,32 +20,15 @@ ARCH= && dpkgArch="$(dpkg --print-architecture)" \
     && savedAptMark="$(apt-mark showmanual)" \
     && apt-get update && apt-get install -y curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends \
     && rm -rf /var/lib/apt/lists/* \
-    && keyserverOptions=$( [[ -n $HTTP_PROXY ]] && echo "--keyserver-options http-proxy=$HTTP_PROXY" || echo "" ) \
-    && for key in \
-      4ED778F539E3634C779C87C6D7062848A1AB005C \
-      141F07595B7B3FFE74309A937405533BE57C7D57 \
-      74F12602B6F1C4E913FAA37AD3A89613643B6201 \
-      DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 \
-      61FC681DFB92A079F1685E77973F295594EC4689 \
-      CC68F5A3106FF448322E48ED27F5E38D5B0A215F \
-      8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 \
-      C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 \
-      890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 \
-      C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C \
-      108F52B48DB57BB0CC439B2997B01419BD92F80A \
-      A363A499291CBBC940DD62E41F10027AF002F8B0 \
-      C0D6248439F1D5604AAFFB4021D900FFDB233756 \
-    ; do \
-      { gpg --batch --keyserver hkps://keys.openpgp.org $keyserverOptions --recv-keys "$key" && gpg --batch --fingerprint "$key" ; } ||
-      { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key" ; } ||
-      { echo failed to import Node.js release key "$key" ; } ; \
-    done \
+    && curl -fsSLO https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg/pubring.kbx \
+    && gpg --no-default-keyring --keyring ./pubring.kbx --export | gpg --import \
     && curl -fsSLO --compressed "https://nodejs.org/dist/v$1/node-v$1-linux-$ARCH.tar.xz" \
     && curl -fsSLO --compressed "https://nodejs.org/dist/v$1/SHASUMS256.txt.asc" \
     && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc \
     && grep " node-v$1-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - \
     && tar -xJf "node-v$1-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner \
-    && rm "node-v$1-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt \
+    && rm "node-v$1-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt pubring.kbx \
+    && rm -rf ~/.gnupg \
     && apt-mark auto '.*' > /dev/null \
     && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; } \
     && find /usr/local -type f -executable -exec ldd '{}' ';' \