gpg key lookup fail
SHammade opened this issue · 3 comments
Hi there,
the lookup for the key C554E802F4545B60919A0A87BD93DF06B540D62A fails
Lookup via web gives a "No results found"
http://ha.pool.sks-keyservers.net/pks/lookup?search=C554E802F4545B60919A0A87BD93DF06B540D62A&fingerprint=on&op=index
% docker build .
Sending build context to Docker daemon 163.3kB
Step 1/9 : FROM amazonlinux:2
---> b94321659aca
Step 2/9 : ARG rpm_x64=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
---> Running in 763a22513282
Removing intermediate container 763a22513282
---> 48b547be5cf1
Step 3/9 : ARG path_x64=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
---> Running in 92c4b8389045
Removing intermediate container 92c4b8389045
---> 5408469d1224
Step 4/9 : ARG key_x64=C554E802F4545B60919A0A87BD93DF06B540D62A
---> Running in 4d1ead876785
Removing intermediate container 4d1ead876785
---> bd32ad937e18
Step 5/9 : ARG rpm_aarch64=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-4.aarch64.rpm
---> Running in 7940284d22e7
Removing intermediate container 7940284d22e7
---> f4f710e08495
Step 6/9 : ARG path_aarch64=https://d3pxv6yz143wms.cloudfront.net/8.222.10.4
---> Running in cf1c1def4a3a
Removing intermediate container cf1c1def4a3a
---> a7942a3e2665
Step 7/9 : ARG key_aarch64=826272FACCCCC8E76897C26CE9B1F93E1A158134
---> Running in e3b3063e5e10
Removing intermediate container e3b3063e5e10
---> de9c44f857b2
Step 8/9 : RUN set -eux; case "$(uname -p)" in x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;; aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;; *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;; esac; curl -O $path/$rpm && export GNUPGHOME="$(mktemp -d)" && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key && gpg --armor --export $key > corretto.asc && rpm --import corretto.asc && rpm -K $rpm && rpm -i $rpm && rm -r $GNUPGHOME corretto.asc $rpm && yum install -y fontconfig && yum clean all
---> Running in 3b3230d7ca95
+ case "$(uname -p)" in
++ uname -p
+ rpm=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
+ path=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
+ key=C554E802F4545B60919A0A87BD93DF06B540D62A
+ curl -O https://d3pxv6yz143wms.cloudfront.net/8.222.10.1/java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 111M 100 111M 0 0 12.7M 0 0:00:08 0:00:08 --:--:-- 17.4M
++ mktemp -d
+ export GNUPGHOME=/tmp/tmp.jzzxTOi6f0
+ GNUPGHOME=/tmp/tmp.jzzxTOi6f0
+ gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys C554E802F4545B60919A0A87BD93DF06B540D62A
gpg: keyring `/tmp/tmp.jzzxTOi6f0/secring.gpg' created
gpg: keyring `/tmp/tmp.jzzxTOi6f0/pubring.gpg' created
gpg: requesting key B540D62A from hkp server ha.pool.sks-keyservers.net
gpg: keyserver timed out
gpg: keyserver receive failed: Keyserver error
The command '/bin/sh -c set -eux; case "$(uname -p)" in x86_64) rpm=$rpm_x64; path=$path_x64; key=$key_x64 ;; aarch64) rpm=$rpm_aarch64; path=$path_aarch64; key=$key_aarch64 ;; *) echo >&2 "Unsupported architecture $(uname -p)."; exit 1 ;; esac; curl -O $path/$rpm && export GNUPGHOME="$(mktemp -d)" && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key && gpg --armor --export $key > corretto.asc && rpm --import corretto.asc && rpm -K $rpm && rpm -i $rpm && rm -r $GNUPGHOME corretto.asc $rpm && yum install -y fontconfig && yum clean all' returned a non-zero code: 2
best regards,
Serbest
hi, @SHammade
Thank you for trying Corretto-8. I am looking into your problem.
It seems that the key B540D62A hasn't been propagated to ha.pool.sks-keyservers.net.
hello, @SHammade
The key has been populated to ha.pool.sks-keyservers.net.
http://ha.pool.sks-keyservers.net/pks/lookup?op=vindex&fingerprint=on&search=0xBD93DF06B540D62A
I am pretty sure it's a firewall issue. By default, gpg connects over hkp using port 11371. Some enterprise firewalls block it. There are at least 2 workarounds for this issue:
- Use an HTTP proxy or an SSH tunnel.
- Switch to an HTTP port 80 server at your own risk.
There are many choices here.
https://sks-keyservers.net/overview-of-pools.php
Here is an example.
diff --git a/Dockerfile b/Dockerfile
index 321a2b1..b76ad49 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,7 +28,7 @@ RUN set -eux; \
\
curl -O $path/$rpm \
&& export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys $key \
+ && gpg --batch --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys $key \
&& gpg --armor --export $key > corretto.asc \
&& rpm --import corretto.asc \
&& rpm -K $rpm \
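Review bot: the replaced `--keyserver` line now fetches the signing key over plain `hkp://` on port 80, so nothing in this hunk authenticates the transport and the only thing tying the imported key to the intended one is `$key`. Keep `$key` a full fingerprint rather than a short key ID, and consider adding an explicit check between `--recv-keys` and `rpm --import corretto.asc` that the keyring holds exactly that fingerprint, for example `gpg --batch --fingerprint $key`. A one-line comment above the changed line saying that port 80 is a firewall workaround would also help the next reader.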
At the end of the world, you can download the key file from our official website. Check out the Signature Verification:
https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html
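Whichever workaround from this thread is used (port 80 keyserver or a downloaded key file), the key that reaches `rpm --import` can be checked against the pinned fingerprint first. The following is an added example, not part of the original comments or the Corretto Dockerfile; `pinned_key_ok` and `sample_listing` are hypothetical helpers and the listing is constructed.

```shell
#!/bin/sh
# Added example; pinned_key_ok and sample_listing are hypothetical helpers.
# Reads `gpg --with-colons --fingerprint` output on stdin and succeeds only when
# the listing holds exactly one primary key whose fingerprint equals the pin.
# Assumed use in the RUN step, right after --recv-keys into the fresh GNUPGHOME:
#   gpg --batch --with-colons --fingerprint | pinned_key_ok "$key"
pinned_key_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    # The pin must be a full 40-hex-digit fingerprint, not a short or long key ID.
    case "$want" in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    awk -F: -v want="$want" '
        $1 == "pub" { pubs++; after_pub = 1; next }
        $1 == "sub" { after_pub = 0; next }
        # Only the fpr record of a primary key counts; a subkey fingerprint
        # that happens to equal the pin must not satisfy it.
        $1 == "fpr" && after_pub { if (toupper($10) == want) hits++; after_pub = 0 }
        END { if (pubs == 1 && hits == 1) exit 0; exit 1 }
    '
}

# Constructed colon listing (made-up key, not a real one): one primary key, one subkey.
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:89ABCDEF01234567:1500000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1500000000::::Constructed Example Key <key@example.invalid>:
sub:-:4096:1:76543210FEDCBA98:1500000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
EOF
}

if sample_listing | pinned_key_ok "0123 4567 89ab cdef 0123 4567 89ab cdef 0123 4567"; then
    echo "pinned key present, safe to export and rpm --import"
fi
```

An empty keyring, which is what the timed-out `--recv-keys` in the build log leaves behind, fails the check with status 1, and a pin that is not a full fingerprint is rejected with status 2.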