From 22731a19dd6de28089d32bf5adc2b8f303c3da9b Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Sun, 12 Jul 2026 11:45:11 +0200 Subject: [PATCH 1/3] docs(gpg-verification): gpgv is a separate package on debian gnupg does not pull in gpgv on debian/ubuntu; a job verifying with gpgv must install it explicitly or every call fails with a silent 'command not found'. Alpine's gnupg bundles it. Host-testing hides the gap. From NRS-4496 (a scheduled check-version-signers job failed only in the debian CI image). Signed-off-by: Sebastian Mendel --- .../references/gpg-verification.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/skills/docker-development/references/gpg-verification.md b/skills/docker-development/references/gpg-verification.md index 93d6de7..a6c7bcb 100644 --- a/skills/docker-development/references/gpg-verification.md +++ b/skills/docker-development/references/gpg-verification.md @@ -28,8 +28,7 @@ RUN gpg --no-tty --batch --import /tmp/keys.asc \ ## Prefer gpgv: verify without any keyring state -`gpgv` (part of gnupg, also busybox-compatible environments via the gnupg -package) reads **binary** keyring files directly — no import, no `~/.gnupg`, +`gpgv` reads **binary** keyring files directly — no import, no `~/.gnupg`, no agent, no locks, and the accepted signer set is exactly the key files you pass: @@ -46,6 +45,20 @@ RUN set -eux; \ Convert armored keys once with `gpg --dearmor` (or ship binary exports); `--keyring` may be repeated per key file. +### `gpgv` is not always in the `gnupg` package + +Install `gpgv` explicitly for the base you build on: + +- **Debian/Ubuntu**: `gpgv` is a **separate package** — `apt-get install gnupg` + does NOT provide it. A job that verifies with `gpgv` must + `apt-get install ... gpgv`, or every call dies with a silent + `gpgv: command not found` (which inside `if gpgv …; then` reads as a + verification *failure*, not a missing binary). +- **Alpine**: the `gnupg` package *does* bundle `gpgv`, so `apk add gnupg` is enough. + +Testing on your host (which usually has `gpgv`) hides the Debian gap — run the +verification inside the actual build image before trusting it. + ## Ship keys as a scratch image, not from keyservers Public keyservers (`keyserver.ubuntu.com`, `keys.openpgp.org`) time out under From e4b850a88f59e741d77464169a210827b67b6e37 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Sun, 12 Jul 2026 11:57:38 +0200 Subject: [PATCH 2/3] docs(gpg-verification): drop internal references (public repo) Remove the NRS-* Jira key and git.netresearch.de hostname - this repo is public. Keep the generic technical content. Signed-off-by: Sebastian Mendel --- skills/docker-development/references/gpg-verification.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/skills/docker-development/references/gpg-verification.md b/skills/docker-development/references/gpg-verification.md index a6c7bcb..d66172f 100644 --- a/skills/docker-development/references/gpg-verification.md +++ b/skills/docker-development/references/gpg-verification.md @@ -2,7 +2,7 @@ Patterns for verifying downloaded release tarballs against GPG keys inside multi-stage builds — and the layer pitfall that breaks the naive approach. -Distilled from NRS-4496 (central release-key image for PHP/nginx builds). +Distilled from building a central release-key image for PHP/nginx/Node builds. ## Pitfall: gpg import bakes a stale keybox lock into the layer @@ -76,6 +76,6 @@ FROM registry.example.com/support/gpg-keys:latest@sha256: AS release-key `php.net/distributions/php-keyring.gpg`, `nginx.org/keys/*.key`), never to a keyserver fetch at build time. -Reference implementation: `support/gpg-keys` on git.netresearch.de — including -`verify-release`/`get-verified-release` helper scripts shipped *in* the image -(POSIX sh, executed by the consumer's shell; a `scratch` image runs nothing). +A robust shape: a central keys image that also ships `verify-release` / +`get-verified-release` helper scripts *in* the image (POSIX sh, executed by the +consumer's shell; a `scratch` image runs nothing itself). From 9e5710f5c3176775555b54b8a3fa1993d2f307a8 Mon Sep 17 00:00:00 2001 From: Sebastian Mendel Date: Sun, 12 Jul 2026 13:16:25 +0200 Subject: [PATCH 3/3] docs(gpg-verification): ASCII ... instead of Unicode ellipsis in code snippet Addresses review: avoid non-ASCII in a copy-pasteable code fragment. Signed-off-by: Sebastian Mendel --- skills/docker-development/references/gpg-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/skills/docker-development/references/gpg-verification.md b/skills/docker-development/references/gpg-verification.md index d66172f..187fc29 100644 --- a/skills/docker-development/references/gpg-verification.md +++ b/skills/docker-development/references/gpg-verification.md @@ -52,7 +52,7 @@ Install `gpgv` explicitly for the base you build on: - **Debian/Ubuntu**: `gpgv` is a **separate package** — `apt-get install gnupg` does NOT provide it. A job that verifies with `gpgv` must `apt-get install ... gpgv`, or every call dies with a silent - `gpgv: command not found` (which inside `if gpgv …; then` reads as a + `gpgv: command not found` (which inside `if gpgv ...; then` reads as a verification *failure*, not a missing binary). - **Alpine**: the `gnupg` package *does* bundle `gpgv`, so `apk add gnupg` is enough.