Skip to content

docs(references): GPG verification in image builds#38

Merged
CybotTM merged 2 commits into
mainfrom
retro/nrs-4496-gpg-verification
Jul 9, 2026
Merged

docs(references): GPG verification in image builds#38
CybotTM merged 2 commits into
mainfrom
retro/nrs-4496-gpg-verification

Conversation

@CybotTM

@CybotTM CybotTM commented Jul 9, 2026

Copy link
Copy Markdown
Member

New reference from a retro of the NRS-4496 session (central release-key image for PHP/nginx builds):

  • Stale keybox lock pitfall: gnupg 2.4's gpg --import in one RUN bakes public-keys.d/*.lock into the layer; the next RUN's gpg --verify times out (waiting for lock (held by 9)). Broke a real build; fix is same-RUN gpgconf --kill all + lock removal.
  • Preferred pattern: gpgv --keyring <key>.gpg — no import, no ~/.gnupg state, accepted signer set is exactly the key files passed.
  • Keys-as-scratch-image pattern replacing flaky build-time keyserver fetches, with immutable digest tagging.

SKILL.md: one reference-table line added; two existing lines trimmed to stay within the 500-word budget (now 500 words).

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

gnupg 2.4 leaves a stale keybox lock in the layer that imported keys -
the next RUN's gpg --verify times out. Document the same-RUN cleanup,
and the better pattern: gpgv --keyring against binary key files (no
import, no ~/.gnupg state, signer set = the files passed), plus the
scratch keys-image pattern replacing build-time keyserver fetches.
From NRS-4496 (support/gpg-keys).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
@CybotTM CybotTM force-pushed the retro/nrs-4496-gpg-verification branch from 66f18dd to 281aecd Compare July 9, 2026 10:39

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request adds a new reference document (gpg-verification.md) outlining best practices for GPG signature verification in Docker image builds, specifically covering issues with stale keybox locks, the benefits of using gpgv, and shipping keys via scratch images. It also updates SKILL.md to link to this new reference. The review feedback suggests improving the cleanup example by replacing the hardcoded /root/.gnupg path with ~/.gnupg to ensure it works correctly when running under non-root users or customized home directories.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread skills/docker-development/references/gpg-verification.md Outdated
gpgconf --list-dirs homedir instead of hardcoded /root/.gnupg - correct
under a non-root USER or a custom GNUPGHOME.

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

@CybotTM CybotTM merged commit 950264d into main Jul 9, 2026
17 checks passed
@CybotTM CybotTM deleted the retro/nrs-4496-gpg-verification branch July 9, 2026 11:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant