New PGP signing key for Yarn v1 Classic

[MikeMcC399]

Problem

After an issue with key expiry for Yarn v1 Classic, the source repo yarnpkg/yarn#9218 announced a new GPG key with the statement:

During the transition period, the public key at http://dl.yarnpkg.com/debian/pubkey.gpg will contain both the old and the new key. Eventually, the old key will be revoked and only the new key will be in use.

Old key: 72ECF46A56B4AD39C907BBB71646B01B86E50310

New key: 4EF8150F4F2D7DE44F1DFF0BB42879CC6B38E118

This repo uses the key 6A010C5166006599AA17F08146C2130DFD2497F5 stored in keys/yarn.keys.

The main discussion in the Yarn repo was about using the instructions from https://classic.yarnpkg.com/en/docs/install#debian-stable:

curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /etc/apt/keyrings/yarn-archive-keyring.gpg > /dev/null
echo "deb [signed-by=/etc/apt/keyrings/yarn-archive-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
sudo apt update && sudo apt install yarn

This is not the way that this repo uses to install Yarn and the key 6A010C5166006599AA17F08146C2130DFD2497F5 continues to work here, so possibly no change is needed in this repo.

Solution

Review and update keys/yarn.keys as necessary.

Alternatives to Consider

See also #2264

[nschonni]

The script be able to parse the multiple keys if you want to make a PR to add the extra 2 in addition to the one that still seems to be working. There likely will be some automated PRs that we'll need to swap with manual ones, since we probably don't want to create rebuilds of the docker hub images till they're needed for an actual Node.js release.

[MikeMcC399]

I couldn't get the "new key" 4EF8150F4F2D7DE44F1DFF0BB42879CC6B38E118 to work with https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz / .asc, although the one that Yarn has called the "old key" 72ECF46A56B4AD39C907BBB71646B01B86E50310 does work in addition to 6A010C5166006599AA17F08146C2130DFD2497F5 already used here.

Since nothing appears to be broken here at the moment, and the situation is still being discussed in the Yarn repo, I'd prefer not to propose any changes. Also I'm not a keys expert, so I'm not entirely confident about all this!

[nschonni]

yeah, I'm guessing the new key might not work till they do a new 1.23 or something that is signed with it

[MikeMcC399]

After examining the keys through https://keyserver.ubuntu.com I've come to the conclusion that no change is necessary here. The key being used

6A010C5166006599AA17F08146C2130DFD2497F5 has an expiry date of 2030-01-22T18:44:02Z

and it is a subkey of 72ecf46a56b4ad39c907bbb71646b01b86e50310

It has been effectively invalidated by 4EF8150F4F2D7DE44F1DFF0BB42879CC6B38E118 only on https://keys.openpgp.org which has the restriction of only allowing one key to be active for a given email address, in this case <yarn@dan.cx>.

docker-node/Dockerfile-debian.template

Line 50 in 4c215dc

{ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || \

with the fingerprint check, already protects against inactivation on https://keys.openpgp.org.

The new key appears only to apply to the Debian package and not the tarball used here.

I wouldn't expect any new 1.22.x release after Yarn 1.22.22, as the CI infrastructure of Yarn 1 is completely outdated and not capable of releasing anything. It would have to be a manual job, like the key change was.

Closing, as I believe I've concluded the review I requested and as far as I can tell, everything is working without change here.