
Python feature can fail when retrieving gpg keys for build.

Open Clockwork-Muse opened this issue 3 years ago • 5 comments

(Posting here because it's the repository with the script library)

There is .... something... about my corporate wireless network that causes gpg key receive to fail when attempting to install python as a feature on Ubuntu images.

  • VSCode Version: 166.2
  • Local OS Version: Ubuntu
  • Local chip architecture: x86
  • Reproduces in: Remote - Containers
  • Name of Dev Container Definition with Issue: N/A

Steps to Reproduce:

It reproduces in my environment with the following container definition:

{
    "name": "Ubuntu",
    // My real base image is an nvidia/cudagl image, so upgrading the OS isn't an option for me
    "image": "ubuntu:20.04",

    "features": {
        "python": "3.10"
    }
}

repro.log (This particular run is done by connecting to a remote docker host/remote ssh host from Windows, but the error reproduces locally as well)

Clockwork-Muse avatar Apr 26 '22 18:04 Clockwork-Muse

cc @joshspicer for thoughts

bamurtaugh avatar Apr 27 '22 19:04 bamurtaugh

Hey @Clockwork-Muse! If your corporate network is blocking the GPG_KEY_SERVERS (presumably the hkp:// protocol?) below, we currently don't have a way to "disable" GPG verification on the feature via an argument.

GPG_KEY_SERVERS="keyserver hkp://keyserver.ubuntu.com:80
keyserver hkps://keys.openpgp.org
keyserver hkp://keyserver.pgp.com"

As it seems you may be aware, these features are essentially convenience wrappers around the scripts in the script-library, with some added dev container config automatically applied.

A workaround would be to patch out the trouble sections of the script (at your own risk :) ), and manually check in the script and incorporate the dev container attributes from the feature, similar to how we do in the python definition.

joshspicer avatar Apr 28 '22 16:04 joshspicer

Yeah, I'm not disabling source authentication. My current workaround is using the deadsnakes ppa, which might be a valid option for this script.

I'm not sure that the network actually is objecting to hkp. Trying to run manual commands to get a key seems to sometimes succeed:

> gpg --no-default-keyring -v --keyserver hkp://keyserver.ubuntu.com:80 --keyring /tmp/somefile --recv-keys B26995E310250568

gpg: data source: http://162.213.33.9:80
gpg: armor header: Comment: Hostname:
gpg: armor header: Version: Hockeypuck ~unreleased
gpg: key B26995E310250568: number of dropped non-self-signatures: 48
gpg: pub  rsa4096/B26995E310250568 2015-05-11  Łukasz Langa (GPG langa.pl) <[email protected]>
gpg: /tmp/tmp-gnupg/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: key B26995E310250568: public key "Łukasz Langa (GPG langa.pl) <[email protected]>" imported
gpg: no running gpg-agent - starting '/usr/bin/gpg-agent'
gpg: waiting for the agent to come up ... (5s)
gpg: connection to agent established
gpg: Total number processed: 1
gpg:               imported: 1

> gpg --no-default-keyring -v --keyserver hkps://keys.opengpg.org --keyring /tmp/somekeyring/somefile --recv-keys B26995E310250568
gpg: keyserver receive failed: General error

> gpg --no-default-keyring -v --keyserver hkps://keyserver.pgp.com --keyring /tmp/somekeyring/somefile --recv-keys B26995E310250568
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: (further info: changed from 'https://35.169.187.251:443/pks/lookup?op=get&options=mr&search=0xB26995E310250568' to 'https://keyserver.pgp.com:443/pks/lookup?op=get&options=mr&search=0xB26995E310250568')
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: (further info: changed from 'https://35.169.187.251:443/pks/lookup?op=get&options=mr&search=0xB26995E310250568' to 'https://keyserver.pgp.com:443/pks/lookup?op=get&options=mr&search=0xB26995E310250568')
gpg: data source: https://35.169.187.251:443
gpg: keyserver receive failed: No data

(If I'm reconstructing the commands correctly - I'm not much of a sysadmin)

Clockwork-Muse avatar Apr 28 '22 19:04 Clockwork-Muse
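An added example, not code from this thread or from the script library: one way to find out which of the listed keyservers a restricted network actually lets through while keeping source authentication, by trying each server in turn and then checking the imported key against a pinned full fingerprint. The function names, the `RUN_KEY_FETCH` switch and the `KEY_ID` and `EXPECTED_FPR` variables are assumptions made for this sketch; the expected fingerprint has to come from a trusted source, because a keyserver is only the transport.

```shell
# Keyserver list in the format quoted in the thread (constructed copy).
GPG_KEY_SERVERS="keyserver hkp://keyserver.ubuntu.com:80
keyserver hkps://keys.openpgp.org
keyserver hkp://keyserver.pgp.com"

# Print one URL per line from "keyserver <url>" entries.
list_keyservers() {
    printf '%s\n' "$1" | awk '$1 == "keyserver" && $2 != "" { print $2 }'
}

# Hypothetical helper: fetch key $2 from server $1 into GnuPG home $3;
# coreutils `timeout` bounds a connection the network silently drops.
fetch_key() {
    timeout 30 gpg --batch --homedir "$3" --keyserver "$1" \
        --recv-keys "$2" >/dev/null 2>&1
}

# Try servers in order and print the first that delivers the key; failures
# go to stderr so the build log shows which servers are unreachable.
first_working_keyserver() {
    for server in $(list_keyservers "$1"); do
        if fetch_key "$server" "$2" "$3"; then
            printf '%s\n' "$server"
            return 0
        fi
        echo "keyserver failed: $server" >&2
    done
    return 1
}

# Read `gpg --with-colons` output on stdin; print the primary key fingerprint
# (field 10 of the first fpr record after a pub record).
primary_fingerprint() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Succeed only if the key in GnuPG home $1 has the pinned fingerprint $2.
key_is_pinned() {
    got=$(gpg --batch --homedir "$1" --with-colons --fingerprint 2>/dev/null | primary_fingerprint)
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# Opt-in live run: needs network, gpg, and KEY_ID / EXPECTED_FPR set by the caller.
if [ "${RUN_KEY_FETCH:-0}" = 1 ]; then
    home=$(mktemp -d)
    first_working_keyserver "$GPG_KEY_SERVERS" "$KEY_ID" "$home" \
        && key_is_pinned "$home" "$EXPECTED_FPR" && echo "key verified"
fi
```

`key_is_pinned` reads the first key in the given GnuPG home, so use a fresh temporary home per key.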

My workaround is changing the version to "python": "os-provided" and add apt-get -y install python3 python3-doc python3-pip python3-venv python3-dev python3-tk in the dockerfile.

doki23 avatar Aug 11 '22 06:08 doki23

> My workaround is changing the version to "python": "os-provided" and add apt-get -y install python3 python3-doc python3-pip python3-venv python3-dev python3-tk in the dockerfile.

Won't work for my case, because Ubuntu 20.04 only has 3.9, and I specifically need 3.10 (due to a library I'm using). That's why the ppa.

Clockwork-Muse avatar Aug 11 '22 20:08 Clockwork-Muse