Skip to content

Docs: Missing instructions for importing previous release keys #58979

New issue
New issue
Open
Open
Docs: Missing instructions for importing previous release keys#58979
@MikeMcC399

Description

@MikeMcC399
MikeMcC399
opened on Jul 7, 2025

Situation

In the README section Release keys there is a folded section "Other keys used to sign some previous releases". For these keys there are no instructions about how to import these keys. The keys are:

Assessment

Category A

Some keys can be imported from hkps://keys.openpgp.org, the same as the primary PGP keys:

gpg --keyserver hkps://keys.openpgp.org --recv-keys 4ED778F539E3634C779C87C6D7062848A1AB005C # Beth Griggs
gpg --keyserver hkps://keys.openpgp.org --recv-keys 141F07595B7B3FFE74309A937405533BE57C7D57 # Bryan English
gpg --keyserver hkps://keys.openpgp.org --recv-keys 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 # Colin Ihrig
gpg --keyserver hkps://keys.openpgp.org --recv-keys 74F12602B6F1C4E913FAA37AD3A89613643B6201 # Danielle Adams
gpg --keyserver hkps://keys.openpgp.org --recv-keys B9AE9905FFD7803F25714661B63B535A4C206CA9 # Evan Lucas
gpg --keyserver hkps://keys.openpgp.org --recv-keys C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 # Myles Borins
gpg --keyserver hkps://keys.openpgp.org --recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D # Rod Vagg
gpg --keyserver hkps://keys.openpgp.org --recv-keys B9E2F5981AA6E0CD28160D9FF13993A75599653C # Shelley Vohr

Category B

Keys available in hkps://keys.openpgp.org but stripped of identity (see https://keys.openpgp.org/about/faq#verify-multiple) because a new key has been submitted re-using the identity. In this case, if an attempt is made to import them from hkps://keys.openpgp.org they report "new key but contains no user ID - skipped", skipping import and returning a success code. They can be imported instead from keyserver.ubuntu.com

gpg --keyserver keyserver.ubuntu.com --recv-keys 61FC681DFB92A079F1685E77973F295594EC4689 # Juan José Arboleda

The key C0D6248439F1D5604AAFFB4021D900FFDB233756, currently shown in the "Primary GPG" list has also joined this category. See issue #58904

gpg --keyserver keyserver.ubuntu.com --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756 # Antoine du Hamel

Category C

Keys not available in hkps://keys.openpgp.org and available in keyserver.ubuntu.com

gpg --keyserver keyserver.ubuntu.com --recv-keys 9554F04D7259F04124DE6B476D5A82AC7E37093B # Chris Dickinson
gpg --keyserver keyserver.ubuntu.com --recv-keys 77984A986EBC2AA786BC0F66B01FBB92821C587A # Gibson Fahnestock
gpg --keyserver keyserver.ubuntu.com --recv-keys 93C7E9E91B49E432C2F75674B0A78B0A6C481CF6 # Isaac Z. Schlueter
gpg --keyserver keyserver.ubuntu.com --recv-keys 56730D5401028683275BD23C23EFEFE93C4CFFFE # Italo A. Casas
gpg --keyserver keyserver.ubuntu.com --recv-keys 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 # James M Snell
gpg --keyserver keyserver.ubuntu.com --recv-keys FD3A5288F042B6850C66B31F09FE44734EB7990E # Jeremiah Senkpiel
gpg --keyserver keyserver.ubuntu.com --recv-keys 114F43EE0176B71C7BC219DD50A3051F888C628D # Julien Gilli
gpg --keyserver keyserver.ubuntu.com --recv-keys A48C2BEE680E841632CD4E44F07496B3EB3C1762 # Ruben Bridgewater
gpg --keyserver keyserver.ubuntu.com --recv-keys 7937DFD2AB06298B2293C3187D33FF9D0246406D # Timothy J Fontaine

Category D

Keys not available in hkps://keys.openpgp.org or in keyserver.ubuntu.com

curl -s https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/1C050899334244A8AF75E53792EF661D867B9DFA.asc | gpg --import # Danielle Adams

Suggestion

Add information to the Release keys on how to import keys from the "Other keys used to sign some previous releases" section.

PoC

From the above assessment, the following shows how all keys can be imported on a key-for-key basis, including those in the current "Primary PGP" category.

Discussions in issue #58904 are proposing to not rely on keyservers. This shows how keyservers can be used with minimal change to current usage and processes.

docker run -it --rm debian

Then at bash prompt execute:

apt-get update && apt-get install -y gnupg ca-certificates curl
# Primary PGP keys
gpg --keyserver hkps://keys.openpgp.org --recv-keys DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 # Juan José Arboleda
gpg --keyserver hkps://keys.openpgp.org --recv-keys CC68F5A3106FF448322E48ED27F5E38D5B0A215F # Marco Ippolito
gpg --keyserver hkps://keys.openpgp.org --recv-keys 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 # Michaël Zasso
gpg --keyserver hkps://keys.openpgp.org --recv-keys 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 # Rafael Gonzaga
gpg --keyserver hkps://keys.openpgp.org --recv-keys C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C # Richard Lau
gpg --keyserver hkps://keys.openpgp.org --recv-keys 108F52B48DB57BB0CC439B2997B01419BD92F80A # Ruy Adorno
gpg --keyserver hkps://keys.openpgp.org --recv-keys A363A499291CBBC940DD62E41F10027AF002F8B0 # Ulises Gascón
# Other keys
# Category A
gpg --keyserver hkps://keys.openpgp.org --recv-keys 4ED778F539E3634C779C87C6D7062848A1AB005C # Beth Griggs
gpg --keyserver hkps://keys.openpgp.org --recv-keys 141F07595B7B3FFE74309A937405533BE57C7D57 # Bryan English
gpg --keyserver hkps://keys.openpgp.org --recv-keys 94AE36675C464D64BAFA68DD7434390BDBE9B9C5 # Colin Ihrig
gpg --keyserver hkps://keys.openpgp.org --recv-keys 74F12602B6F1C4E913FAA37AD3A89613643B6201 # Danielle Adams
gpg --keyserver hkps://keys.openpgp.org --recv-keys B9AE9905FFD7803F25714661B63B535A4C206CA9 # Evan Lucas
gpg --keyserver hkps://keys.openpgp.org --recv-keys C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8 # Myles Borins
gpg --keyserver hkps://keys.openpgp.org --recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D # Rod Vagg
gpg --keyserver hkps://keys.openpgp.org --recv-keys B9E2F5981AA6E0CD28160D9FF13993A75599653C # Shelley Vohr
# Category B
gpg --keyserver keyserver.ubuntu.com --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756 # Antoine du Hamel
gpg --keyserver keyserver.ubuntu.com --recv-keys 61FC681DFB92A079F1685E77973F295594EC4689 # Juan José Arboleda
# Category C
gpg --keyserver keyserver.ubuntu.com --recv-keys 9554F04D7259F04124DE6B476D5A82AC7E37093B # Chris Dickinson
gpg --keyserver keyserver.ubuntu.com --recv-keys 77984A986EBC2AA786BC0F66B01FBB92821C587A # Gibson Fahnestock
gpg --keyserver keyserver.ubuntu.com --recv-keys 93C7E9E91B49E432C2F75674B0A78B0A6C481CF6 # Isaac Z. Schlueter
gpg --keyserver keyserver.ubuntu.com --recv-keys 56730D5401028683275BD23C23EFEFE93C4CFFFE # Italo A. Casas
gpg --keyserver keyserver.ubuntu.com --recv-keys 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1 # James M Snell
gpg --keyserver keyserver.ubuntu.com --recv-keys FD3A5288F042B6850C66B31F09FE44734EB7990E # Jeremiah Senkpiel
gpg --keyserver keyserver.ubuntu.com --recv-keys 114F43EE0176B71C7BC219DD50A3051F888C628D # Julien Gilli
gpg --keyserver keyserver.ubuntu.com --recv-keys A48C2BEE680E841632CD4E44F07496B3EB3C1762 # Ruben Bridgewater
gpg --keyserver keyserver.ubuntu.com --recv-keys 7937DFD2AB06298B2293C3187D33FF9D0246406D # Timothy J Fontaine
# Category D
curl -s https://raw.githubusercontent.com/nodejs/release-keys/HEAD/keys/1C050899334244A8AF75E53792EF661D867B9DFA.asc | gpg --import # Danielle Adams
# Summary
echo pgp public key count $(gpg --list-keys | grep ^pub | wc -l)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions