docs(references): GPG verification in image builds#38
Conversation
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
gnupg 2.4 leaves a stale keybox lock in the layer that imported keys - the next RUN's gpg --verify times out. Document the same-RUN cleanup, and the better pattern: gpgv --keyring against binary key files (no import, no ~/.gnupg state, signer set = the files passed), plus the scratch keys-image pattern replacing build-time keyserver fetches. From NRS-4496 (support/gpg-keys). Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
66f18dd to
281aecd
Compare
There was a problem hiding this comment.
Code Review
This pull request adds a new reference document (gpg-verification.md) outlining best practices for GPG signature verification in Docker image builds, specifically covering issues with stale keybox locks, the benefits of using gpgv, and shipping keys via scratch images. It also updates SKILL.md to link to this new reference. The review feedback suggests improving the cleanup example by replacing the hardcoded /root/.gnupg path with ~/.gnupg to ensure it works correctly when running under non-root users or customized home directories.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
gpgconf --list-dirs homedir instead of hardcoded /root/.gnupg - correct under a non-root USER or a custom GNUPGHOME. Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
|



New reference from a retro of the NRS-4496 session (central release-key image for PHP/nginx builds):
gpg --importin oneRUNbakespublic-keys.d/*.lockinto the layer; the nextRUN'sgpg --verifytimes out (waiting for lock (held by 9)). Broke a real build; fix is same-RUNgpgconf --kill all+ lock removal.gpgv --keyring <key>.gpg— no import, no~/.gnupgstate, accepted signer set is exactly the key files passed.SKILL.md: one reference-table line added; two existing lines trimmed to stay within the 500-word budget (now 500 words).