Docker images have expired key for github cli packages #18268

Closed
3 tasks done
andreineculau opened this issue Sep 6, 2024 · 9 comments
Labels
bug Reproducible Homebrew/brew bug

Comments

@andreineculau
Contributor

brew doctor output

n/a

Verification

brew config output

n/a

What were you trying to do (and why)?

use the latest homebrew docker image and get the latest aptitude packages

In

&& curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \

we get the github cli keyring, but it expired.

so running

docker run --rm -it ghcr.io/homebrew/ubuntu22.04:latest

Followed by an apt-get update, like

sudo apt-get -y --fix-missing --allow-releaseinfo-change update

will now error.

Any other fix than build a new image or rebuild the current image (same version)?
For the time being, I guess it can be fixed downstream by updating the keyring.

PS: Maybe someone can explain why do we need github cli on the homebrew docker image. Can it be removed?

What happened (include all command output)?

W: GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <[email protected]>
E: The repository 'https://cli.github.com/packages stable InRelease' is not signed.

What did you expect to happen?

no error

Step-by-step reproduction instructions (by running brew commands)

docker run --rm -it ghcr.io/homebrew/ubuntu22.04:latest

# inside docker, run:
sudo apt-get -y --fix-missing --allow-releaseinfo-change update

andreineculau added the bug (Reproducible Homebrew/brew bug) label Sep 6, 2024

@carlocab
Member

carlocab commented Sep 6, 2024

Is there another keyring we can get that isn't expired?

> PS: Maybe someone can explain why do we need github cli on the homebrew docker image.

Homebrew CI makes heavy use of gh.

> Can it be removed?

Not without breaking pretty much all of our CI.

@carlocab
Member

carlocab commented Sep 6, 2024

See also cli/cli#9569.

Seems like the image just needs to be rebuilt. If this is blocking you, consider using ghcr.io/homebrew/ubuntu22.04:master instead.

A rebuilt :latest image should be available on the next brew tag (likely early next week).

In a pinch, you could probably also run this inside the :latest container:

curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | 
  sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg

@williammartin

Hi folks, many apologies for the troubles from the GitHub CLI.

I just added some docker related details to our tracking issue: cli/cli#9569 (comment)

I can confirm the new keyring is available at https://cli.github.com/packages/githubcli-archive-keyring.gpg. If you own the layer that grabs this key, I would expect rebuilding the image solves the problem. If you don't own the layer, running:

RUN wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
    && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg

Before the apt update, should work around it until the base layer is updated.

Sorry 🙏

@carlocab
Member

carlocab commented Sep 6, 2024

@williammartin thanks for chiming in!

I think /etc/apt/keyrings there should be /usr/share/keyrings, because our Dockerfile still uses the old instructions:

brew/Dockerfile

Lines 47 to 51 in 94eb0c7

&& curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
&& chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
&& apt-get update \
&& apt-get install -y --no-install-recommends gh \

I'll open a PR to update our Dockerfile.

@williammartin

Ahha! Thanks. I'm going to update our issue to provide both sets of instructions.

@andreineculau
Contributor Author

Thank you @carlocab ! We're good on our side. We have a hotfix to remove everything gh (via apt; we also make use of gh, but we install it via homebrew 😅 #inception)

And thank you @williammartin ! Do take it easy and enjoy the weekend! ❤️

@williammartin

Updated the instructions to account for the old location here: cli/cli#9569 (comment)

Cheers!

@carlocab
Member

carlocab commented Sep 6, 2024

Thanks @williammartin! Dockerfile now updated in #18272.

@carlocab
Member

carlocab commented Sep 9, 2024

This should be fixed as of https://github.com/Homebrew/brew/releases/tag/4.3.20.

@carlocab carlocab closed this as completed Sep 9, 2024
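
A build-time check for the failure mode in this thread, where a keyring baked into an image layer outlives its key's expiry: the function below reads `gpg --show-keys --with-colons` output and flags keys that are expired or close to expiry. It is an added example, not code from Homebrew or the GitHub CLI project; the function name, the 30-day threshold, and the sample listing's subkey IDs and timestamps are assumptions constructed for illustration, and only the key ID 23F3D4EA75716059 comes from the apt error above.

```shell
#!/bin/sh
# Constructed sample of `gpg --show-keys --with-colons` output. Only the primary
# key ID is taken from the apt error in this issue; the subkey IDs and all
# timestamps are invented for the demonstration.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:23F3D4EA75716059:1662336000:1725408000::-:::sc::::::23::0:
sub:-:4096:1:AAAAAAAAAAAAAAAA:1662336000:1727000000:::::e::::::23:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1662336000::::::e::::::23:
EOF
}

# keyring_expiry_report NOW_EPOCH [WARN_DAYS]   (hypothetical helper name)
# Reads a colon listing on stdin. In that format field 1 is the record type,
# field 5 the key ID and field 7 the expiry time in seconds since the epoch
# (empty when the key never expires). Prints one line per key that has expired
# or expires within WARN_DAYS, and returns non-zero if any line was printed.
keyring_expiry_report() {
    now=$1
    warn_days=${2:-30}
    awk -F: -v now="$now" -v warn="$warn_days" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "") next
            left = int(($7 - now) / 86400)
            if ($7 + 0 <= now + 0) {
                printf "EXPIRED %s %s\n", $1, $5; bad = 1
            } else if (left < warn + 0) {
                printf "EXPIRING %s %s in %d days\n", $1, $5, left; bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Demo on the constructed listing, with "now" fixed at 2024-09-06 00:00 UTC.
# In an image build the input would instead be:
#   gpg --show-keys --with-colons /usr/share/keyrings/githubcli-archive-keyring.gpg
sample_listing | keyring_expiry_report 1725580800 30 || true
```

Run as a CI step against the keyring path the Dockerfile writes, the non-zero return turns an approaching expiry into a failed build before published images start failing `apt-get update`.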