Redundant key server pools (#504)

* Redundant key server pools Using just "pool.sks-keyservers.net" as recommended by RVM documentation seems to be too unreliable for CI setup. It works fine for singular installations, but when deployed to CircleCI pool-selected servers are often unavailable, time out, and break our builds. Instead of using a single server try multiple ones for each key that we wish to request. * Mention source for key IDs and key servers This makes it easier to verify key IDs and update them as necessary if importing the keys or the signature checks that follow start failing.
cossacklabs · Jul 22, 2019 · b99a2d7 · b99a2d7
1 parent 914d799
commit b99a2d7
Showing 1 changed file with 26 additions and 2 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -55,7 +55,19 @@ jobs:
       - run:
           name: Install RVM
           command: |
-            gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
+            # Import keys used by RVM maintainers from recommended key server pools
+            # See https://rvm.io/rvm/security
+            for key in 409B6B1796C275462A1703113804BB82D39DC0E3 \
+                       7D2BAF1CF37B13E2069D6956105BD0E739499BDB
+            do
+                for server in pgp.mit.edu keyserver.pgp.com ha.pool.sks-keyservers.net
+                do
+                    if gpg --keyserver $server --recv-keys $key
+                    then
+                        break
+                    fi
+                done
+            done
             curl -sSL https://get.rvm.io | bash -s stable
             source ~/.rvm/scripts/rvm
             rvm use system
@@ -184,7 +196,19 @@ jobs:
       - run:
           name: Install RVM
           command: |
-            gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
+            # Import keys used by RVM maintainers from recommended key server pools
+            # See https://rvm.io/rvm/security
+            for key in 409B6B1796C275462A1703113804BB82D39DC0E3 \
+                       7D2BAF1CF37B13E2069D6956105BD0E739499BDB
+            do
+                for server in pgp.mit.edu keyserver.pgp.com ha.pool.sks-keyservers.net
+                do
+                    if gpg --keyserver $server --recv-keys $key
+                    then
+                        break
+                    fi
+                done
+            done
             curl -sSL https://get.rvm.io | bash -s stable
             source ~/.rvm/scripts/rvm
             rvm use system