Skip to content

fix: explicit check for Node.js key import #1380

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AtofStryker merged 1 commit into from
Jul 8, 2025
Merged

fix: explicit check for Node.js key import #1380

AtofStryker merged 1 commit into from
Jul 8, 2025

Conversation

@MikeMcC399
Copy link
Collaborator

@MikeMcC399 MikeMcC399 commented Jul 4, 2025
edited
Loading

Situation

PR #1377 implemented an emergency workaround to unblock building a Cypress Docker image based on Node.js 22.17.0 (Active LTS version) and signed with the key C0D6248439F1D5604AAFFB4021D900FFDB233756.

The original issue was that the keyserver hkps://keys.openpgp.org recognized the key C0D6248439F1D5604AAFFB4021D900FFDB233756 and then skipped importing it. The user ID [email protected] had been moved to the newly created key 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 and was no longer available for the older key. This left the cypress/factory process unable to verify the Node.js 22.17.0 package and so the build failed. (#1376 contains slightly more background information about the issue.)

In the meantime, the nodejs/docker-node repo has faced the same issue and has implemented a more robust solution which checks the presence of the key after attempting to import, and thus does not rely on the misleading "success" return code if a key import is skipped.

Change

Add a check to list an imported key. If the key has not been imported, then an explicit error code is generated. In the case of the problematic key, this will then fallback to an attempt on the second keyserver.

gpg --batch --fingerprint "$key"

The original priority of keyservers:

  1. hkps://keys.openpgp.org
  2. keyserver.ubuntu.com

is also restored.

FACTORY_VERSION becomes 5.11.3

Verification

git clone https://github.com/cypress-io/cypress-docker-images
cd cypress-docker-images
cd factory
docker compose build factory
docker compose --progress plain build base --no-cache

Confirm that key is imported

#6 7.310 + gpg --batch --fingerprint C0D6248439F1D5604AAFFB4021D900FFDB233756
#6 7.318 pub   rsa4096 2022-01-25 [SC]
#6 7.318       C0D6 2484 39F1 D560 4AAF  FB40 21D9 00FF DB23 3756
#6 7.318 uid           [ unknown] Antoine du Hamel <[email protected]>
#6 7.318 sub   rsa4096 2022-01-25 [E]

@cypress-app-bot
Copy link

cypress-app-bot commented Jul 4, 2025

@MikeMcC399 MikeMcC399 force-pushed the check-node-key-import branch 3 times, most recently from 33e9df5 to db97d8d Compare July 4, 2025 19:33
@MikeMcC399 MikeMcC399 self-assigned this Jul 4, 2025
@MikeMcC399 MikeMcC399 marked this pull request as ready for review July 4, 2025 19:50
@MikeMcC399 MikeMcC399 mentioned this pull request Jul 6, 2025
Merged
@MikeMcC399 MikeMcC399 force-pushed the check-node-key-import branch from 23794a7 to 4ef0d1f Compare July 7, 2025 15:13
@AtofStryker AtofStryker merged commit f768990 into cypress-io:master Jul 8, 2025
49 checks passed
@MikeMcC399 MikeMcC399 deleted the check-node-key-import branch July 8, 2025 16:50
This was referenced Jul 18, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AtofStryker AtofStryker AtofStryker approved these changes

@jennifer-shehane jennifer-shehane Awaiting requested review from jennifer-shehane

Assignees

@MikeMcC399 MikeMcC399

Labels

topic: build process type: enhancement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MikeMcC399 @cypress-app-bot @AtofStryker