php:7.4 apt-get update fails for invalid signature (expired Yarn keys)

[mmghv]

Dockerfile:

FROM mcr.microsoft.com/devcontainers/php:7.4
RUN apt-get update

Running the devcontainer fails with this error :

...
 > [dev_container_auto_added_stage_label 2/4] RUN apt-get update:
#0 0.724 Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
#0 0.815 Get:2 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
#0 0.912 Get:3 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
#0 1.069 Get:4 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
#0 1.133 Err:2 https://dl.yarnpkg.com/debian stable InRelease
#0 1.133   The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
#0 1.229 Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [8183 kB]
#0 3.806 Get:6 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [236 kB]
#0 4.054 Get:7 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [14.6 kB]
#0 5.526 Reading package lists...
#0 6.467 W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
#0 6.467 E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
...

This doesn't happen with newer versions (e.g. php:8)

Adding the following command before apt-get update fixes the problem :

RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/yarn-archive-keyring.gpg

Related to #370
Yarn issue : yarnpkg/yarn#7866

[tjwaterman99]

I'm having a similar issue.

$ docker run mcr.microsoft.com/vscode/devcontainers/python:0-3.9 apt-get update 

Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Err:1 http://deb.debian.org/debian bullseye InRelease
  At least one invalid signature was encountered.
Err:2 http://deb.debian.org/debian-security bullseye-security InRelease
  At least one invalid signature was encountered.
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
  At least one invalid signature was encountered.
Err:4 https://dl.yarnpkg.com/debian stable InRelease
  At least one invalid signature was encountered.
Reading package lists...
W: GPG error: http://deb.debian.org/debian bullseye InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bullseye-security InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian-security bullseye-security InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: At least one invalid signature was encountered.
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.

[jhunax]

Having the same issue with expired keys

Err:3 https://dl.yarnpkg.com/debian stable InRelease
The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging yarn@dan.cx

[samruddhikhandale]

Hi 👋

mcr.microsoft.com/devcontainers/php:7.4

#90 tracks the image support which aligns with the upstream release cycle. From https://www.php.net/supported-versions.php, as PHP 7.4 has reached End of Life, even we have stopped supporting it since Nov 2022. @mmghv We'd recommend upgrading as soon as possible to avoid security vulnerabilities.

mcr.microsoft.com/vscode/devcontainers/python:0-3.9

We are actively supporting this image, and the latest versions of this image has a patch for the yarn key issue. I wonder if you have a stale image in your cache. @tjwaterman99 can you remove this image from your docker cache and re-pull/rebuild?

Having the same issue with expired keys

@jhunax can you let me know which image has this issue? I wonder if the reasoning of the problem lies in either of my above explanations.

[mmghv]

Unfortunately upgrading is not always an option for legacy projects that just need minimal support, IMO dev-containers should give me the ability to quickly setup a dev environment for such projects, it's not a production environment after all so security vulnerabilities are not that important.

That's just my opinion, feel free to close this issue.