corretto/corretto-8-docker

gpg key lookup fail

SHammade opened this issue · 3 comments

Hi there,

The lookup for the key C554E802F4545B60919A0A87BD93DF06B540D62A fails.
Lookup via web gives a "No results found":
http://ha.pool.sks-keyservers.net/pks/lookup?search=C554E802F4545B60919A0A87BD93DF06B540D62A&fingerprint=on&op=index

% docker build .
Sending build context to Docker daemon  163.3kB
Step 1/9 : FROM amazonlinux:2
 ---> b94321659aca
Step 2/9 : ARG rpm_x64=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
 ---> Running in 763a22513282
Removing intermediate container 763a22513282
 ---> 48b547be5cf1
Step 3/9 : ARG path_x64=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
 ---> Running in 92c4b8389045
Removing intermediate container 92c4b8389045
 ---> 5408469d1224
Step 4/9 : ARG key_x64=C554E802F4545B60919A0A87BD93DF06B540D62A
 ---> Running in 4d1ead876785
Removing intermediate container 4d1ead876785
 ---> bd32ad937e18
Step 5/9 : ARG rpm_aarch64=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-4.aarch64.rpm
 ---> Running in 7940284d22e7
Removing intermediate container 7940284d22e7
 ---> f4f710e08495
Step 6/9 : ARG path_aarch64=https://d3pxv6yz143wms.cloudfront.net/8.222.10.4
 ---> Running in cf1c1def4a3a
Removing intermediate container cf1c1def4a3a
 ---> a7942a3e2665
Step 7/9 : ARG key_aarch64=826272FACCCCC8E76897C26CE9B1F93E1A158134
 ---> Running in e3b3063e5e10
Removing intermediate container e3b3063e5e10
 ---> de9c44f857b2
Step 8/9 : RUN set -eux;     case "$(uname -p)" in         x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;;         aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;;         *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;;     esac;         curl -O $path/$rpm     && export GNUPGHOME="$(mktemp -d)"     && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key     && gpg --armor --export $key > corretto.asc     && rpm --import corretto.asc     && rpm -K $rpm     && rpm -i $rpm     && rm -r $GNUPGHOME corretto.asc $rpm     && yum install -y fontconfig     && yum clean all
 ---> Running in 3b3230d7ca95
+ case "$(uname -p)" in
++ uname -p
+ rpm=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
+ path=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
+ key=C554E802F4545B60919A0A87BD93DF06B540D62A
+ curl -O https://d3pxv6yz143wms.cloudfront.net/8.222.10.1/java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  111M  100  111M    0     0  12.7M      0  0:00:08  0:00:08 --:--:-- 17.4M
++ mktemp -d
+ export GNUPGHOME=/tmp/tmp.jzzxTOi6f0
+ GNUPGHOME=/tmp/tmp.jzzxTOi6f0
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys C554E802F4545B60919A0A87BD93DF06B540D62A
gpg: keyring `/tmp/tmp.jzzxTOi6f0/secring.gpg' created
gpg: keyring `/tmp/tmp.jzzxTOi6f0/pubring.gpg' created
gpg: requesting key B540D62A from hkp server ha.pool.sks-keyservers.net
gpg: keyserver timed out
gpg: keyserver receive failed: Keyserver error
The command '/bin/sh -c set -eux;     case "$(uname -p)" in         x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;;         aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;;         *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;;     esac;         curl -O $path/$rpm     && export GNUPGHOME="$(mktemp -d)"     && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key     && gpg --armor --export $key > corretto.asc     && rpm --import corretto.asc     && rpm -K $rpm     && rpm -i $rpm     && rm -r $GNUPGHOME corretto.asc $rpm     && yum install -y fontconfig     && yum clean all' returned a non-zero code: 2

best regards,
Serbest

Hi, @SHammade
Thank you for trying Corretto-8. I am looking into your problem.
It seems that the key B540D62A hasn't been propagated to ha.pool.sks-keyservers.net.

Hello, @SHammade

The key has been populated to ha.pool.sks-keyservers.net.
http://ha.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xBD93DF06B540D62A

I am pretty sure it's a firewall issue. By default, gpg connects over hkp using port 11371. Some enterprise firewalls block it. There are at least 2 workarounds for this issue:

  1. Use an HTTP proxy or SSH tunnel.
  2. Switch to an HTTP port 80 server at your own risk.
    There are many choices here:
    https://sks-keyservers.net/overview-of-pools.php

Here is an example.

diff --git a/Dockerfile b/Dockerfile
index 321a2b1..b76ad49 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,7 +28,7 @@ RUN set -eux; \
     \
     curl -O $path/$rpm \
     && export GNUPGHOME="$(mktemp -d)" \
-    && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key \
+    && gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys $key \
     && gpg --armor --export $key > corretto.asc \
     && rpm --import corretto.asc \
     && rpm -K $rpm \
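
Review bot: the replacement `--keyserver` line hard-codes `hkp://p80.pool.sks-keyservers.net:80`, so a user whose network reaches a different pool still has to patch the Dockerfile; consider an `ARG keyserver=...` next to the existing `$rpm`, `$path` and `$key` variables and pass `--keyserver "$keyserver"` here. HKP on port 80 is plain, unauthenticated HTTP, so the only thing tying the fetched key to the package signer is the value of `$key` used by `--recv-keys` and by `--export` on the next line; a comment stating that `$key` must remain a full fingerprint would document why the transport change is acceptable. `$key` and `$rpm` are also unquoted in the lines shown and could be quoted while this chain is being touched.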

At the end of the world, you can download the key file from our official website. Check out the Signature Verification:
https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html
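
Whichever route delivers the key (port 11371, the port 80 pool, or a downloaded key file), the build can confirm that the temporary keyring holds only the pinned key before `rpm --import` trusts it. The following is an added example, not part of this thread or of the corretto-8-docker repository; the function names and the sample listings are constructed, and only the fingerprint and key ID are taken from the page.

```shell
#!/bin/sh
# Added example, not from the corretto-8-docker repository.
# Pinned x86_64 fingerprint, copied from the key_x64 ARG in the build log above.
PINNED_FPR=C554E802F4545B60919A0A87BD93DF06B540D62A

# Print the fingerprint of every primary key found in colon-format gpg
# output on stdin (record type in field 1, fingerprint in field 10 of "fpr").
primary_fprs() {
    awk -F: '
        $1 == "pub"         { want = 1; next }   # primary key record
        $1 == "sub"         { want = 0; next }   # skip subkey fingerprints
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# key_matches_pin LISTING PIN
# Succeeds only when LISTING holds exactly one primary key whose full
# fingerprint equals PIN (compared case-insensitively).
key_matches_pin() {
    fprs=$(printf '%s\n' "$1" | primary_fprs)
    case $fprs in
        '' | *'
'*) return 1 ;;                       # no key at all, or more than one
    esac
    [ "$fprs" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Constructed listings; only the fingerprint and key ID come from the page.
SAMPLE_OK='pub:-:2048:1:BD93DF06B540D62A:1500000000:::-:::scESC:
fpr:::::::::C554E802F4545B60919A0A87BD93DF06B540D62A:
uid:-::::1500000000::0000000000000000000000000000000000000000::Constructed UID <key@example.invalid>:
sub:-:2048:1:1111111111111111:1500000000::::::e:
fpr:::::::::2222222222222222222222222222222222222222:'

# Same keyring with an extra, unexpected primary key added.
SAMPLE_EXTRA="$SAMPLE_OK
pub:-:2048:1:3333333333333333:1500000000:::-:::scESC:
fpr:::::::::4444444444444444444444444444444444444444:"

# In the Dockerfile the listing would come from the temporary keyring:
#   listing=$(gpg --batch --with-colons --fingerprint)
#   key_matches_pin "$listing" "$key" || exit 1
for name in SAMPLE_OK SAMPLE_EXTRA; do
    eval "listing=\$$name"
    if key_matches_pin "$listing" "$PINNED_FPR"; then
        echo "$name: pinned key only"
    else
        echo "$name: rejected"
    fi
done
```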

Hi @navyxliu
Well, you're right. Didn't expect this to be a firewall problem...
Thanks for your help!