apt-get update fails with signatures couldn't be verified because the public key is not available
akandimalla opened this issue · 6 comments
Jenkins and plugins versions report
Environment
Creating a custom docker file and installing packages.Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
Err:2 http://deb.debian.org/debian bookworm-updates InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
Get:4 https://packagecloud.io/github/git-lfs/debian bookworm InRelease [25.8 kB]
Err:4 https://packagecloud.io/github/git-lfs/debian bookworm InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B05F25D762E3157
Reading package lists...
W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
W: GPG error: https://packagecloud.io/github/git-lfs/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B05F25D762E3157
E: The repository 'https://packagecloud.io/github/git-lfs/debian bookworm InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
What Operating System are you using (both controller, and any agents involved in the problem)?
centos 7.9
Reproduction steps
FROM jenkins/jenkins:latest-jdk17
USER root
RUN
mkdir -p /var/jenkins_home/deployer &&
apt-get update &&
apt-get install curl nfs-common vim tcpdump net-tools dnsutils traceroute netcat -y &&
curl -kvL https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb &&
apt-get -f install -y /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb &&
chown -R jenkins:jenkins /var/jenkins_home/deployer/ &&
mkdir -pv /var/lib/jenkins &&
chown -R jenkins:jenkins /var/lib/jenkins/
USER jenkins
Expected Results
Build the docker image successfully.
Actual Results
Err:1 http://deb.debian.org/debian bookworm InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
Err:2 http://deb.debian.org/debian bookworm-updates InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
Get:4 https://packagecloud.io/github/git-lfs/debian bookworm InRelease [25.8 kB]
Err:4 https://packagecloud.io/github/git-lfs/debian bookworm InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B05F25D762E3157
Reading package lists...
W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
W: GPG error: https://packagecloud.io/github/git-lfs/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B05F25D762E3157
E: The repository 'https://packagecloud.io/github/git-lfs/debian bookworm InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/.deb /var/cache/apt/archives/partial/.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
Anything else?
No response
Hi @akandimalla , I cannot reproduce this error: can you check that you have pulled the latest jenkins/jenkins:latest-jdk17 image? I have the following digest: docker.io/jenkins/jenkins:latest-jdk17@sha256:73a13706fa97708d252112508b08f3e307379d88c16bb85dcbf914ab06a7a613.
=> You might want to use a pinned version in the docker tag such as jenkins/jenkins:2.421-jdk17 in your case (with the Jenkins version, which is the latest weekly version at the time of writing these lines) to avoid bad surprises with updates of the image (as the adage says: "friends do not let friends use latest docker tag ;))
By the way, I still get an error when building your image which is the following:
=> ERROR [2/2] RUN mkdir -p /var/jenkins_home/deployer && apt-get update && apt-get install curl nfs-common vim tcpdump net-tools dnsutils traceroute netcat -y && curl -kvL https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && apt-get -f install -y /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && c 4.0s
------
> [2/2] RUN mkdir -p /var/jenkins_home/deployer && apt-get update && apt-get install curl nfs-common vim tcpdump net-tools dnsutils traceroute netcat -y && curl -kvL https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && apt-get -f install -y /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && chown -R jenkins:jenkins /var/jenkins_home/deployer/ && mkdir -pv /var/lib/jenkins && chown -R jenkins:jenkins /var/lib/jenkins/:
0.282 Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
0.352 Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
0.382 Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
0.430 Get:4 http://deb.debian.org/debian bookworm/main arm64 Packages [8803 kB]
1.223 Get:6 http://deb.debian.org/debian bookworm-updates/main arm64 Packages [4960 B]
1.223 Get:7 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages [58.1 kB]
1.936 Get:5 https://packagecloud.io/github/git-lfs/debian bookworm InRelease [25.8 kB]
3.010 Get:8 https://packagecloud.io/github/git-lfs/debian bookworm/main arm64 Packages [1432 B]
3.031 Fetched 9145 kB in 3s (3212 kB/s)
3.031 Reading package lists...
3.305 Reading package lists...
3.551 Building dependency tree...
3.631 Reading state information...
3.634 Package netcat is a virtual package provided by:
3.634 netcat-openbsd 1.219-1
3.634 netcat-traditional 1.10-47
3.634
3.637 E: Package 'netcat' has no installation candidate
=> Debian bookworm changed some packages names: in that case, netcat should be netcat-traditional in order to fix this problem.
It looks like you've been bitten by using the latest-jdk17 tag as its base operating system was changed from Debian "Bullseye" to "Bookworm" (which is a breaking change for the docker image) as indicated in https://github.com/jenkinsci/docker/releases/tag/2.420
@dduportal - Thanks for the reply. I used the jenkins/jenkins:2.421-jdk17 and removed netcat command. I still get the same issue while updating the image. What will be the alternative to fix the bookworm updates?
https://github.com/jenkinsci/docker/releases/tag/2.420
FROM jenkins/jenkins:2.421-jdk17
LABEL Jenkins.version="LTS-2.421-jdk17" \
USER root
RUN \
mkdir -p /var/jenkins_home/deployer && \
apt-get update && \
apt-get install curl nfs-common vim tcpdump net-tools dnsutils traceroute -y && \
curl -kvL https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && \
apt-get -f install -y /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && \
chown -R jenkins:jenkins /var/jenkins_home/deployer/ && \
mkdir -pv /var/lib/jenkins && \
chown -R jenkins:jenkins /var/lib/jenkins/
# drop back to the regular jenkins user - good practice
USER jenkins
[root@abc cams-jenkins-docker]# docker build --no-cache -f jenkins-server -t xxxxxxx.dkr.ecr.us-east-2.amazonaws.com/jenkins-cams:jenkins-server-2.414.1-jdk17 .
Sending build context to Docker daemon 7.104MB
Step 1/5 : FROM jenkins/jenkins:2.421-jdk17
2.421-jdk17: Pulling from jenkins/jenkins
de4cac68b616: Pull complete
cffec3cc7c7f: Pull complete
c87735bd7296: Pull complete
03f3a2e39105: Pull complete
9c19bce053ef: Pull complete
2a31ca18fdf8: Pull complete
e56e04ec7299: Pull complete
d3bd95d5b053: Pull complete
5d159810df2a: Pull complete
cc7b171ffaed: Pull complete
1ad3210ec0e8: Pull complete
eaf0ac567eee: Pull complete
Digest: sha256:73a13706fa97708d252112508b08f3e307379d88c16bb85dcbf914ab06a7a613
Status: Downloaded newer image for jenkins/jenkins:2.421-jdk17
---> 876d2f148000
Step 2/5 : Jenkins.version="LTS-2.414-jdk17"
---> Running in 8e50f46b48d2
Removing intermediate container 8e50f46b48d2
---> a85b1da73457
Step 3/5 : USER root
---> Running in 48bf08829159
Removing intermediate container 48bf08829159
---> c07a223c34b0
Step 4/5 : RUN mkdir -p /var/jenkins_home/deployer && apt-get update && apt-get install curl nfs-common vim tcpdump net-tools dnsutils traceroute -y && curl -kvL https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && apt-get -f install -y /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && chown -R jenkins:jenkins /var/jenkins_home/deployer/ && mkdir -pv /var/lib/jenkins && chown -R jenkins:jenkins /var/lib/jenkins/
---> Running in ccb44b53549a
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
Err:2 http://deb.debian.org/debian bookworm-updates InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
Get:4 https://packagecloud.io/github/git-lfs/debian bookworm InRelease [25.8 kB]
Err:4 https://packagecloud.io/github/git-lfs/debian bookworm InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B05F25D762E3157
Reading package lists...
W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
W: GPG error: https://packagecloud.io/github/git-lfs/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6B05F25D762E3157
E: The repository 'https://packagecloud.io/github/git-lfs/debian bookworm InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
The command '/bin/sh -c mkdir -p /var/jenkins_home/deployer && apt-get update && apt-get install curl nfs-common vim tcpdump net-tools dnsutils traceroute -y && curl -kvL https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb -o /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && apt-get -f install -y /var/jenkins_home/deployer/google-chrome-stable_current_amd64.deb && chown -R jenkins:jenkins /var/jenkins_home/deployer/ && mkdir -pv /var/lib/jenkins && chown -R jenkins:jenkins /var/lib/jenkins/' returned a non-zero code: 100
Are you building inside a corporate network?
Or is this direct to the internet?
Inside a corporate network. It has outbound internet access allowed.
Inside a corporate network. It has outbound internet access allowed.
It looks like the corporate network is not allowing the outbound HKP protocol (which apt uses to retrieve the GPG public keys of its package repositories).
You should be able to reproduce the same error with a docker run --ti --entrypoint=bash debian:bookworm -c 'apt-get update && apt-get install <whataver>' to rule out the Jenkins specifics.
@dduportal @timja - Thanks for the help. The Port was blocked. I was able to build the image from my local environment. Appreciate your time.