php:7.4 apt-get update fails for invalid signature (expired Yarn keys) #494

Closed
mmghv opened this issue Mar 15, 2023 · 4 comments

mmghv commented Mar 15, 2023

Dockerfile:

FROM mcr.microsoft.com/devcontainers/php:7.4
RUN apt-get update

Running the devcontainer fails with this error:

...
 > [dev_container_auto_added_stage_label 2/4] RUN apt-get update:
#0 0.724 Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
#0 0.815 Get:2 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
#0 0.912 Get:3 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
#0 1.069 Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
#0 1.133 Err:2 https://dl.yarnpkg.com/debian stable InRelease
#0 1.133   The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <[email protected]>
#0 1.229 Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
#0 3.806 Get:6 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [236 kB]
#0 4.054 Get:7 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.6 kB]
#0 5.526 Reading package lists...
#0 6.467 W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <[email protected]>
#0 6.467 E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
...

This doesn't happen with newer versions (e.g. php:8).

Adding the following command before apt-get update fixes the problem:

RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/yarn-archive-keyring.gpg

Related to #370
Yarn issue : yarnpkg/yarn#7866
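
Added example (not part of the original issue or the devcontainers project): a way to confirm from a keyring listing that the key named in the `EXPKEYSIG` error is the one that has expired, before or after replacing it. It parses the output of `gpg --show-keys --with-colons`; the sample listings, their dates and the primary key ID are constructed, and only the key ID `23E7166788B63E1E` comes from the error above.

```shell
#!/bin/sh
# Classify a key in `gpg --show-keys --with-colons` output.
# Colon-format records used here: field 1 = record type (pub/sub),
# field 5 = 64-bit key ID, field 7 = expiry in epoch seconds (empty = never).

# key_status KEYID NOW   (colon listing on stdin)
# Prints "valid", "expired" or "missing" for KEYID at time NOW (epoch seconds).
# Subkeys are checked too, because apt reports the key that made the
# signature, which may be a signing subkey rather than the primary key.
key_status() {
    awk -F: -v want="$1" -v now="$2" '
        # Appending "" forces string comparison, so an all-digit key ID
        # is never compared as a (lossy) floating-point number.
        ($1 == "pub" || $1 == "sub") && ($5 "") == (want "") {
            found = 1
            if ($7 != "" && $7 + 0 <= now + 0) expired = 1
        }
        END {
            if (!found)       print "missing"
            else if (expired) print "expired"
            else              print "valid"
        }'
}

# Constructed sample listings: a stale keyring whose signing subkey has
# expired, and a refreshed keyring with the expiry extended.
STALE_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1476000000:1800000000::-:::sc::::::23::0:
sub:e:4096:1:23E7166788B63E1E:1550000000:1678000000:::::s::::::23:'
FRESH_LISTING='pub:-:4096:1:AAAAAAAAAAAAAAAA:1476000000:1800000000::-:::sc::::::23::0:
sub:-:4096:1:23E7166788B63E1E:1550000000:1800000000:::::s::::::23:'

# Use inside the image (requires gpg; keyring path as in the issue):
#   gpg --show-keys --with-colons /usr/share/keyrings/yarn-archive-keyring.gpg \
#     | key_status 23E7166788B63E1E "$(date +%s)"
```
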

@tjwaterman99

I'm having a similar issue.

$ docker run mcr.microsoft.com/vscode/devcontainers/python:0-3.9 apt-get update 

Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Err:1 http://deb.debian.org/debian bullseye InRelease
  At least one invalid signature was encountered.
Err:2 http://deb.debian.org/debian-security bullseye-security InRelease
  At least one invalid signature was encountered.
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
  At least one invalid signature was encountered.
Err:4 https://dl.yarnpkg.com/debian stable InRelease
  At least one invalid signature was encountered.
Reading package lists...
W: GPG error: http://deb.debian.org/debian bullseye InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bullseye-security InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian-security bullseye-security InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: At least one invalid signature was encountered.
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.

jhunax commented Mar 16, 2023

Having the same issue with expired keys

Err:3 https://dl.yarnpkg.com/debian stable InRelease
The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging [email protected]

@samruddhikhandale
Member

Hi 👋

mcr.microsoft.com/devcontainers/php:7.4

#90 tracks the image support, which aligns with the upstream release cycle. From https://www.php.net/supported-versions.php, as PHP 7.4 has reached End of Life, we too have stopped supporting it since Nov 2022. @mmghv We'd recommend upgrading as soon as possible to avoid security vulnerabilities.

mcr.microsoft.com/vscode/devcontainers/python:0-3.9

We are actively supporting this image, and the latest versions of this image have a patch for the yarn key issue. I wonder if you have a stale image in your cache. @tjwaterman99 can you remove this image from your docker cache and re-pull/rebuild?

Having the same issue with expired keys

@jhunax can you let me know which image has this issue? I wonder if the reason for the problem lies in either of my above explanations.

mmghv commented Mar 24, 2023

Unfortunately, upgrading is not always an option for legacy projects that just need minimal support. IMO dev-containers should give me the ability to quickly set up a dev environment for such projects; it's not a production environment after all, so security vulnerabilities are not that important.

That's just my opinion, feel free to close this issue.

samruddhikhandale closed this as not planned Apr 5, 2023