fix: pin Google Linux signing key #755
Codex review: found issues before merge. Reviewed July 1, 2026, 7:45 AM ET / 11:45 UTC.

Summary: Reproducibility: yes for source-level reproduction: current main still downloads and trusts Google Chrome APT key material without a reviewed digest or fingerprint check in both affected paths. I did not run the privileged bootstrap locally during this read-only review. Review metrics: 2 noteworthy metrics.
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything.

Merge readiness: Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.
Review details

Best possible solution: Land a narrow Google Chrome trust fix after maintainer security approval of the fail-closed primary-fingerprint contract, remove the release-owned changelog edit, and leave NodeSource/Docker pinning to #687.

Do we have a high-confidence way to reproduce the issue? Yes for source-level reproduction: current main still downloads and trusts Google Chrome APT key material without a reviewed digest or fingerprint check in both affected paths. I did not run the privileged bootstrap locally during this read-only review.

Is this the best way to solve the issue? Yes in shape, pending maintainer approval: primary-fingerprint pinning plus signed-by scoping is a narrow repair for the linked issue. The release-owned CHANGELOG.md entry should be removed before merge.

Full review comments: Overall correctness: patch is correct. AGENTS.md: found, but no applicable review policy affected this item. Codex review notes: model internal, reasoning high; reviewed against c99a6dc66f94.
What the crustacean ranks mean: Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b8ef7b80b0
Merged as 9c041eb from exact head 23620a9. Proof:
Issue #719 auto-closed. Issue #687 remains open for NodeSource and Docker trust hardening.
Summary
signed-by=/etc/apt/keyrings/google-linux.gpg.

Closes #719.
Security contract
Expected primary fingerprint: EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796, matching Google's current Linux repository signing-key page. Signing-subkey rotation remains supported because the primary key is pinned. A primary-key mismatch never updates the keyring or source list and never falls back to unpinned Google trust.

Verification

- bash -n scripts/install-linux-developer-tools.sh
- shellcheck scripts/install-linux-developer-tools.sh
- node --test scripts/install-linux-developer-tools.test.js (2/2)
- npm test --prefix worker -- test/bootstrap.test.ts (17/17)
- go build -trimpath -o /tmp/crabbox ./cmd/crabbox
- go vet ./...
- Google Chrome 150.0.7871.46 from a scoped pre-install source, confirmed no legacy global trust file, rejected a wrong primary fingerprint, and preserved the prior keyring bytes

Scope
This resolves the Google Chrome trust portion of #687. NodeSource and Docker trust hardening remain separate work.
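The security contract above (pin the primary fingerprint, keep subkey rotation working, write nothing on a mismatch, scope trust with `signed-by`) can be checked without touching a real system. The script below is an added example written for this page, not the PR's own `scripts/install-linux-developer-tools.sh`. It takes the machine-readable `gpg --with-colons` listing of a downloaded key as input; the listings produced by `sample_listing` are constructed test data with made-up subkey ids and dates, and `CHROME_REPO_URL` and the directory parameters are assumptions rather than values from the PR.

```shell
#!/bin/sh
# Added example (not the project's install script): fail-closed primary-fingerprint
# pinning for an APT keyring, in the shape the PR's security contract describes.
# Input is the `gpg --with-colons` listing of the candidate key. The sample listings
# below are constructed test data; CHROME_REPO_URL and the paths are assumptions.
set -eu

# Pinned PRIMARY key fingerprint, spaced as printed on Google's signing-key page.
EXPECTED_PRIMARY_FPR="EB4C 1BFD 4F04 2F6D DDCC EC91 7721 F63B D38B 4796"
# Assumed repository URL used in the scoped source line (not taken from the PR).
CHROME_REPO_URL="https://dl.google.com/linux/chrome/deb/"

# Collapse whitespace and upper-case so "EB4C 1BFD ..." and "eb4c1bfd..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Print the primary key's fingerprint from a colon listing on stdin.
# Field 10 of the first `fpr` record after `pub` is the primary fingerprint;
# `fpr` records after `sub` belong to signing subkeys, which may rotate and are ignored.
primary_fingerprint_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; exit }
    '
}

# Succeed only when the listing on stdin carries exactly the expected primary key.
# Empty input, a missing pub record, or any other primary key fails (closed).
verify_primary_fingerprint() {
    expected=$(normalize_fpr "$1")
    actual=$(normalize_fpr "$(primary_fingerprint_from_colons)")
    [ "${#actual}" -eq 40 ] && [ "$actual" = "$expected" ]
}

# Write the keyring and a signed-by scoped source only after verification passes.
# On mismatch nothing is created, so an existing keyring is left untouched and no
# unscoped trust is added. Directories are parameters so this can run against a
# temp dir instead of /etc/apt.
install_scoped_source() {
    keyfile=$1; listing=$2; keyring_dir=$3; sources_dir=$4
    verify_primary_fingerprint "$EXPECTED_PRIMARY_FPR" < "$listing" || return 1
    mkdir -p "$keyring_dir" "$sources_dir"
    cp "$keyfile" "$keyring_dir/google-linux.gpg"
    chmod 0644 "$keyring_dir/google-linux.gpg"
    printf 'deb [arch=amd64 signed-by=%s/google-linux.gpg] %s stable main\n' \
        "$keyring_dir" "$CHROME_REPO_URL" > "$sources_dir/google-chrome.list"
}

# Constructed colon listings for exercising the check offline. "good" is the pinned
# primary with one subkey, "rotated" the same primary with a different subkey, and
# "rogue" a different primary key altogether. Subkey ids, uid and dates are made up.
sample_listing() {
    case "$1" in
        good)    primary="EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796"
                 subfpr="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ;;
        rotated) primary="EB4C1BFD4F042F6DDDCCEC917721F63BD38B4796"
                 subfpr="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" ;;
        rogue)   primary="0123456789ABCDEF0123456789ABCDEF01234567"
                 subfpr="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" ;;
        *) return 1 ;;
    esac
    # The long key id is the last 16 hex digits of the fingerprint.
    printf 'pub:-:4096:1:%s:1700000000:::-:::scESC::::::23::0:\n' "$(printf '%s' "$primary" | cut -c25-40)"
    printf 'fpr:::::::::%s:\n' "$primary"
    printf 'uid:-::::1700000000::0000000000000000000000000000000000000000::Constructed Signing Authority <signing@example.invalid>::::::::::0:\n'
    printf 'sub:-:4096:1:%s:1700000000::::::s::::::23:\n' "$(printf '%s' "$subfpr" | cut -c25-40)"
    printf 'fpr:::::::::%s:\n' "$subfpr"
}

# Stand-alone demo: `sh pin-check.sh --demo` accepts the pinned key and rejects a rogue one.
if [ "${1:-}" = "--demo" ]; then
    sample_listing good  | verify_primary_fingerprint "$EXPECTED_PRIMARY_FPR" && echo "good: accepted"
    sample_listing rogue | verify_primary_fingerprint "$EXPECTED_PRIMARY_FPR" || echo "rogue: rejected (fail closed)"
fi
```

The check deliberately reads the primary fingerprint rather than the first key id or any subkey: subkeys are what Google rotates, so pinning one would break on the next rotation, while pinning the primary lets `apt` keep validating whichever current subkey signs the release file. Because verification happens before any file is written, a wrong key leaves both the keyring directory and `sources.list.d` exactly as they were.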