yarn.gpg has expired
redNixon opened this issue · 3 comments
When building the ECS docs, I am getting a failure due to this error, which occurs when building the docs Dockerfile:
INFO:docker build:#16 [node_deps 4/7] RUN install_packages yarn=1.21.1-1
INFO:docker build:#16 sha256:d97e178f101234141a36f6848bb1a286a3020a3e1a8d65137469942c33775282
INFO:docker build:#16 6.312 W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
INFO:docker build:#16 6.312 E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
INFO:docker build:#16 6.313 apt failed, retrying
INFO:docker build:#16 7.306 W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
INFO:docker build:#16 7.306 E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
INFO:docker build:#16 7.307 apt failed, retrying
INFO:docker build:#16 8.484 W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
INFO:docker build:#16 8.484 E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
INFO:docker build:#16 ERROR: executor failed running [/bin/sh -c install_packages yarn=1.21.1-1]: exit code: 100
This error is occurring because .docker/apt/keys/yarn.gpg expired today:
$ gpg yarn.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2016-10-05 [SC]
72ECF46A56B4AD39C907BBB71646B01B86E50310
uid Yarn Packaging <yarn@dan.cx>
sub rsa4096 2016-10-05 [E]
sub rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub rsa4096 2016-10-30 [S] [expired: 2019-01-01]
sub rsa4096 2017-09-10 [S] [expired: 2019-01-01]
sub rsa4096 2019-01-02 [S] [expired: 2021-02-03]
sub rsa4096 2019-01-11 [S] [expired: 2021-02-03]
A new key is published here, and after manually replacing this repo's version of yarn.gpg with it, "make docs" was once again able to build successfully. Personally, I would prefer that the public key be pulled from the server when building the Docker image, but I can appreciate the supply chain attack vector that an org like Elastic is probably worried about, which leads to committing the known good key. Either way, either yarn.gpg needs to be manually updated or the Dockerfile needs a curl added to it before apt-key is run (i.e. curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -).
I've honestly had the base layers of this image cached for so long that this hasn't impacted me, but thanks for reporting and making a PR, @redNixon!
Closing since the new key has been committed.
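A CI check that would flag a committed key like this one before the build breaks, as an added example (not code from the issue or from the docs repo): it reads `gpg --with-colons` key records and reports how many days remain until the newest signing subkey expires. The function names, the 30-day threshold and the sample records (modelled on the gpg listing in the issue, with placeholder key IDs and constructed timestamps) are assumptions.

```shell
#!/bin/sh
# Added example: warn before a committed apt signing key expires.
# Input on stdin: `gpg --with-colons` records (field 2 validity,
# field 7 expiry in epoch seconds, field 12 capabilities).

# Print the latest expiry among signing subkeys (falling back to the primary
# key if there are none); 0 means "never expires". Exit 1 if nothing can sign.
latest_signing_expiry() {
    awk -F: '
        $2 == "r" || $12 !~ /s/ { next }      # skip revoked / non-signing
        $1 == "pub" { have_pub = 1; pub = ($7 == "" ? 0 : $7) }
        $1 == "sub" { have_sub = 1
                      if ($7 == "") never = 1
                      else if ($7 + 0 > best + 0) best = $7 }
        END { if (have_sub)      print (never ? 0 : best)
              else if (have_pub) print pub
              else exit 1 }'
}

# days_left NOW_EPOCH: whole days until that expiry (negative = expired).
days_left() {
    exp=$(latest_signing_expiry) || return 2
    [ "$exp" = 0 ] && { echo never; return 0; }
    echo $(( (exp - $1) / 86400 ))
}

# check_key NOW_EPOCH WARN_DAYS: 0 = fine, 1 = expired or expiring, 2 = no signing key.
check_key() {
    left=$(days_left "$1") || return 2
    [ "$left" = never ] && return 0
    [ "$left" -gt "$2" ]
}

# Constructed sample modelled on the listing in the issue (placeholder key IDs).
SAMPLE_RECORDS='pub:-:4096:1:0000000000000000:1475625600::::::scESC:
sub:-:4096:1:0000000000000001:1475625600::::::e:
sub:e:4096:1:0000000000000002:1475625600:1507161600:::::s:
sub:e:4096:1:0000000000000003:1477785600:1546300800:::::s:
sub:e:4096:1:0000000000000004:1546387200:1612310400:::::s:'

# Demo: 30 days before the last signing subkey expired (2021-02-03 UTC).
printf '%s\n' "$SAMPLE_RECORDS" | days_left 1609718400

# In CI (assumes GnuPG with --show-keys and the key path from the issue):
#   gpg --show-keys --with-colons .docker/apt/keys/yarn.gpg |
#       check_key "$(date +%s)" 30 || echo "yarn.gpg: rotate the pinned key"
```

The primary key in the sample never expires, yet the check still fires, because the repository's signatures depend on the signing subkeys, which is the situation behind the EXPKEYSIG error in the build log.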