Missing apt public key in some Linux distros (but not all)?
For my dev environment I need to install openOCD and gdb-multiarch on a Debian image.
I started by running the following Dockerfile, which works in bullseye but does not work in bookworm. Since I needed versions of the package (specifically, for openOCD I needed at least version 0.12 or higher, but bullseye only goes up to 0.11), I changed it to bookworm. However, it didn't work on bookworm; for some reason there is a missing public key. Finding it odd, I then changed distros to Ubuntu and used the noble version because I didn't want to solve the public key issue (because I know it can rotate regularly). I then also found that I couldn't install it with noble either.
I am really scratching my head on this, because bullseye installs things just fine (even if they aren't the version I need). But when I try to go to these newer versions, even switching to a different distro, I'm wondering if I'm just getting really unlucky with finding images where the public key isn't installed correctly or if I'm doing something wrong.
I'm pretty sure this has to be a bug tho
FROM mcr.microsoft.com/devcontainers/base:bookworm

# Install apt packages
RUN apt-get update \
    && apt-get install -y \
    # To get SWD working, need to have the following installed in the container
    openocd \
    gdb-multiarch
Broken output preventing me from completing the build:
> [dev_container_auto_added_stage_label 2/2] RUN apt-get update && apt-get
install -y openocd gdb-multiarch:
#6 0.594 Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
#6 0.715 Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
#6 0.773 Err:1 http://deb.debian.org/debian bookworm InRelease
#6 0.773 The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKE
Y F8D2585B8783D481
#6 0.775 Get:3 http://deb.debian.org/debian-security bookworm-security InRelease
[48.0 kB]
#6 0.820 Err:2 http://deb.debian.org/debian bookworm-updates InRelease
#6 0.820 The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
#6 0.867 Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
#6 0.867 The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
#6 0.869 Reading package lists...
#6 0.880 W: GPG error: http://deb.debian.org/debian bookworm InRelease: The foll
owing signatures couldn't be verified because the public key is not available: N
O_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
#6 0.880 E: The repository 'http://deb.debian.org/debian bookworm InRelease' is
not signed.
#6 0.880 W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease:
The following signatures couldn't be verified because the public key is not avai
lable: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
#6 0.880 E: The repository 'http://deb.debian.org/debian bookworm-updates InRele
ase' is not signed.
#6 0.880 W: GPG error: http://deb.debian.org/debian-security bookworm-security I
nRelease: The following signatures couldn't be verified because the public key i
s not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
#6 0.880 E: The repository 'http://deb.debian.org/debian-security bookworm-secur
ity InRelease' is not signed.
#6 0.880 E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache
/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin |
| true'
#6 0.880 E: Sub-process returned an error code
Noble also doesn't work
FROM mcr.microsoft.com/devcontainers/base:noble

# Install apt packages
RUN apt-get update \
    && apt-get install -y \
    # To get SWD working, need to have the following installed in the container
    openocd \
    gdb-multiarch
But for some reason, the bullseye image seems to have the public key 🤷♂️
FROM mcr.microsoft.com/devcontainers/base:bullseye

# Install apt packages
RUN apt-get update \
    && apt-get install -y \
    # To get SWD working, need to have the following installed in the container
    openocd \
    gdb-multiarch
Can I please be advised what is happening here?
Some further info, I've even moved completely away from a custom docker image and I'm still unable to build the container as a bookworm environment:
my devcontainer.json
{
  "name": "Debian Rust Dev Env",
  "image": "mcr.microsoft.com/devcontainers/base:bookworm",
  "runArgs": ["--privileged"],
  "features": {
    "ghcr.io/devcontainers/features/common-utils:2": {
      "installZsh": true,
      "configureZshAsDefaultShell": true,
      "installOhMyZsh": true,
      "installOhMyZshConfig": true,
      "upgradePackages": true,
      "username": "vscode",
      "userUid": "1000",
      "userGid": "1000"
    },
    "ghcr.io/devcontainers/features/git:1": {
      "ppa": false,
      "version": "latest"
    },
    "ghcr.io/devcontainers/features/rust:1": {
      "targets": "thumbv6m-none-eabi"
    }
  },
  "customizations": {
    "vscode": {
      "extensions": [
        "marus25.cortex-debug",
        "rust-lang.rust-analyzer",
        "tamasfe.even-better-toml"
      ]
    }
  }
}
error logs
=> ERROR [dev_containers_target_stage 6/10] RUN chmod -R 0755 /tmp/dev- 0.9s
------
> [dev_containers_target_stage 6/10] RUN chmod -R 0755 /tmp/dev-container-feat
ures/common-utils_0 && cd /tmp/dev-container-features/common-utils_0 && chmod +x
./devcontainer-features-install.sh && ./devcontainer-features-install.sh:
#13 0.404 ======================================================================
=====
#13 0.404 Feature : Common Utilities
#13 0.404 Description : Installs a set of common command line utilities, Oh My
Zsh!, and sets up a non-root user.
#13 0.404 Id : ghcr.io/devcontainers/features/common-utils
#13 0.404 Version : 2.5.2
#13 0.404 Documentation : https://github.com/devcontainers/features/tree/main/sr
c/common-utils
#13 0.404 Options :
#13 0.404 INSTALLZSH="true"
#13 0.404 CONFIGUREZSHASDEFAULTSHELL="true"
#13 0.404 INSTALLOHMYZSH="true"
#13 0.404 INSTALLOHMYZSHCONFIG="true"
#13 0.404 UPGRADEPACKAGES="true"
#13 0.404 USERNAME="vscode"
#13 0.404 USERUID="1000"
#13 0.404 USERGID="1000"
#13 0.404 NONFREEPACKAGES="false"
#13 0.404 ======================================================================
=====
#13 0.411 Marker file found:
#13 0.412 PACKAGES_ALREADY_INSTALLED=true
#13 0.412 LOCALE_ALREADY_SET=true
#13 0.412 EXISTING_NON_ROOT_USER=vscode
#13 0.412 RC_SNIPPET_ALREADY_ADDED=true
#13 0.412 ZSH_ALREADY_INSTALLED=true
#13 0.421 Packages to verify are installed:
#13 0.606 Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
#13 0.771 Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB
]
#13 0.788 Err:1 http://deb.debian.org/debian bookworm InRelease
#13 0.788 The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBK
EY F8D2585B8783D481
#13 0.827 Get:3 http://deb.debian.org/debian-security bookworm-security InReleas
e [48.0 kB]
#13 0.838 Err:2 http://deb.debian.org/debian bookworm-updates InRelease
#13 0.838 The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
#13 0.889 Err:3 http://deb.debian.org/debian-security bookworm-security InReleas
e
#13 0.889 The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
#13 0.890 Reading package lists...
[2024-11-16T11:37:01.679Z]
#13 0.897 W: GPG error: http://deb.debian.org/debian bookworm InRelease: The fol
lowing signatures couldn't be verified because the public key is not available:
NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
#13 0.897 E: The repository 'http://deb.debian.org/debian bookworm InRelease' is
not signed.
#13 0.897 W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease:
The following signatures couldn't be verified because the public key is not ava
ilable: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
#13 0.897 E: The repository 'http://deb.debian.org/debian bookworm-updates InRel
ease' is not signed.
#13 0.897 W: GPG error: http://deb.debian.org/debian-security bookworm-security
InRelease: The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
#13 0.897 E: The repository 'http://deb.debian.org/debian-security bookworm-secu
rity InRelease' is not signed.
#13 0.897 E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cach
e/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin
|| true'
#13 0.897 E: Sub-process returned an error code
#13 0.898 ERROR: Feature "Common Utilities" (ghcr.io/devcontainers/features/comm
on-utils) failed to install! Look at the documentation at https://github.com/dev
containers/features/tree/main/src/common-utils for help troubleshooting this err
or.
Okay, it looks like I was able to build it on my raspberry pi, but not on my windows machine.
That is very strange, because I would have thought the public keys would be part of the image, but it is potentially somehow being affected by the host OS?
This is surely a bug right? It shouldn't matter which machine I use, it should build on both?
My main pc was running windows 10, and my pi is running raspbian.
Did you resolve this @Gryhyphen ?
Hello @Gryhyphen ,
Sorry for the very late reply on this. Thank you for reporting this issue. Is the windows machine where you are building this behind a corporate firewall? Could this be getting stuck in the firewall? Otherwise I don’t see how downloading the GPG key should be dependent on the host OS. Besides I presume that you must be using docker desktop in Windows PC to do this build.
@Kaniska244 No, no firewall. I'm using my personal laptop at home. And yeah, docker desktop would be it.
I was recently able to get the image built on a windows 11 machine running on-prem when I needed to make a quick modification to flash some hardware.
However, I believe building the container on my win10 laptop is still broken. I haven't tried it recently, but when I have time, I'll give it a shot and keep you updated to see if I'm still observing the issue.
I face the GPG issue on MacOS 15.5 arm64 in both mcr.microsoft.com/devcontainers/typescript-node:dev-22-bullseye and mcr.microsoft.com/devcontainers/typescript-node:22-bullseye
To temporarily fix the GPG issue, you can build the image locally using the following Dockerfile:
FROM mcr.microsoft.com/devcontainers/typescript-node:dev-22-bullseye
RUN cat <<EOF > /etc/apt/apt.conf.d/99-custom-sources
APT::AllowInsecureRepositories "true";
Acquire::AllowInsecureRepositories "true";
EOF
docker build -t mcr.microsoft.com/devcontainers/typescript-node:dev-22-bullseye .
> I face the GPG issue on MacOS 15.5 arm64 in both mcr.microsoft.com/devcontainers/typescript-node:dev-22-bullseye and mcr.microsoft.com/devcontainers/typescript-node:22-bullseye
>
> To temporarily fix the GPG issue, you can build the image locally using the following Dockerfile:
>
> FROM mcr.microsoft.com/devcontainers/typescript-node:dev-22-bullseye
> RUN cat <<EOF > /etc/apt/apt.conf.d/99-custom-sources
> APT::AllowInsecureRepositories "true";
> Acquire::AllowInsecureRepositories "true";
> EOF
>
> docker build -t mcr.microsoft.com/devcontainers/typescript-node:dev-22-bullseye .
This is a terrible idea and SHOULD NOT be done. This means communication can be intercepted to apt repos.
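
A diagnostic that keeps signature verification on: check whether the key IDs named in the `NO_PUBKEY` errors are present in the image's keyring at all. This is an added example, not code from the thread or the devcontainers project; the function names are hypothetical, the keyring listing is constructed, and it assumes `gpg` is available in the image and that apt prints 16-hex-digit key IDs as in the logs above.

```shell
# Added example, not from the thread. Key IDs in sample_log are the ones quoted
# in the issue; the keyring listing in sample_keyring is constructed.

# Unique 16-hex-digit key IDs following NO_PUBKEY in apt output on stdin.
# Newlines are stripped first so tokens split by 80-column log wrapping
# ("NO_PUBKE" / "Y ...") are rejoined before matching.
missing_keys() {
  tr -d '\r\n' | grep -oE 'NO_PUBKEY [0-9A-F]{16}' | cut -d' ' -f2 | sort -u
}

# Key IDs (field 5 of pub/sub records) from the output of
#   gpg --show-keys --with-colons /usr/share/keyrings/debian-archive-keyring.gpg
keyring_ids() {
  awk -F: '$1 == "pub" || $1 == "sub" { print $5 }' | sort -u
}

# classify "<newline-separated keyring IDs>" < apt-output
# Prints "<id> in-keyring" or "<id> not-in-keyring" for each missing key.
classify() {
  missing_keys | while read -r id; do
    if printf '%s\n' "$1" | grep -qx "$id"; then
      echo "$id in-keyring"
    else
      echo "$id not-in-keyring"
    fi
  done
}

sample_log() { cat <<'EOF'
#6 0.773 The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKE
Y F8D2585B8783D481
#6 0.867 The following signatures couldn't be verified because the public key
is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
EOF
}

sample_keyring() { cat <<'EOF'
pub:-:4096:1:0E98404D386FA1D9:1546300800:::-:::scSC:
uid:-::::1546300800::::Constructed Example Key <example@invalid>:
sub:-:4096:1:6ED0E7B82643E131:1546300800::::::s:
EOF
}

sample_log | classify "$(sample_keyring | keyring_ids)"
```

In a real container, feed `apt-get update 2>&1` to `classify` with the IDs from the `gpg --show-keys --with-colons` listing of the image's keyring. An ID reported `in-keyring` points to apt not reading or verifying against that keyring rather than to a missing key; `not-in-keyring` points to an outdated or absent keyring package in the image.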