keys: add codebytere's gpg key #956

Merged
merged 2 commits into from Dec 18, 2018

Member

codebytere commented Dec 13, 2018

Adds my GPG keys to node.keys

shelley.vohr@gmail.com
B9E2F5981AA6E0CD28160D9FF13993A75599653C

/cc @MylesBorins

Contributor

LaurentGoderre commented Dec 13, 2018

@codebytere can you allow contributors to add commits to this PR? I will update the images before merging.

Member Author

codebytere commented Dec 13, 2018

@LaurentGoderre Allow edits from maintainers was already ticked; are you unable to push commits?

Contributor

LaurentGoderre commented Dec 14, 2018

I didn't try. I also didn't see anything in the UI indicating it was enabled so I wrongly assumed it wasn't.... :S

Member Author

codebytere commented Dec 14, 2018

ah gotcha, np 😁

let me know if there are any issues!

@SimenB SimenB merged commit 4df0614 into nodejs:master Dec 18, 2018
1 check failed
Travis CI - Pull Request Build Errored

ozbillwang commented Aug 21, 2019

@codebytere @LaurentGoderre

Could you please nicely explain why this official image needs to have some personal PGP keys inserted?

Will this be a security issue for us as customers who pull the images and use them in our production environment?

Contributor

LaurentGoderre commented Aug 21, 2019

@ozbillwang we need those keys to validate that the node package we include in the image has not been tampered with (the releases are signed by various members of the Node project).

Contributor

LaurentGoderre commented Aug 21, 2019

@tianon do you think it would be worthwhile to add a step to remove the keys we add?


yosifkit commented Aug 21, 2019

Most of our images use a temporary GNUPGHOME and delete once verified, like redis. It would make sense to not pollute the root user's gpg home with keys, since users of the image might expect it to be empty.
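
The temporary-GNUPGHOME pattern discussed above, as an added example that is not part of this thread or of the image's own build scripts: the release keys are imported into a throwaway keyring, the signed checksum file and the artifact are verified, and the keyring is deleted on every exit path, so root's `~/.gnupg` is never touched. It assumes gpg 2.1+ and `sha256sum`; the function names, the signer identity and the file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the node image. Assumes gpg (2.1+) and sha256sum;
# the signer key, artifact and file names below are constructed for illustration.

# verify_release <pubkeys.asc> <SHASUMS256.txt.asc> <artifact>
# Checks signature and checksum inside a throwaway GNUPGHOME, then deletes it.
verify_release() (
    keys=$1 sums_asc=$2 artifact=$3
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    # Tear the keyring down on every exit path, pass or fail.
    trap 'gpgconf --kill all >/dev/null 2>&1 || :; rm -rf "$GNUPGHOME"' EXIT
    gpg --batch --quiet --import "$keys" 2>/dev/null || exit 1
    # --decrypt on a clearsigned file verifies it and writes only the signed text.
    gpg --batch --quiet --decrypt --output "$GNUPGHOME/sums" "$sums_asc" \
        2>/dev/null || exit 1
    # The artifact must be listed in the signed text with a matching SHA-256.
    want=$(awk -v f="$(basename "$artifact")" '$2 == f { print $1 }' "$GNUPGHOME/sums")
    got=$(sha256sum "$artifact" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
)

# make_fixture <dir>: constructed signer key, artifact and signed checksum file,
# standing in for a release signer and a downloaded tarball.
make_fixture() (
    cd "$1" || exit 1
    GNUPGHOME=$(mktemp -d) || exit 1
    export GNUPGHOME
    trap 'gpgconf --kill all >/dev/null 2>&1 || :; rm -rf "$GNUPGHOME"' EXIT
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-generate-key \
        'Constructed Signer <signer@example.invalid>' default default never \
        2>/dev/null || exit 1
    gpg --batch --armor --export > signer.asc || exit 1
    printf 'constructed release payload\n' > node-demo.tar.xz
    sha256sum node-demo.tar.xz > SHASUMS256.txt
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --clearsign SHASUMS256.txt 2>/dev/null
)
```

Any key in the imported file can produce a passing signature, so the set of keys handed to `verify_release` is the trust decision; the throwaway keyring only keeps those keys out of the final image.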
