CircleCI-Public / cimg-aws

The CircleCI AWS Docker Convenience Image.
https://circleci.com/developer/images/image/cimg/aws
MIT License

Security issue running apt inside cimg/aws:2022.11 #8

Closed bretttully closed 1 year ago

bretttully commented 1 year ago

When running

sudo apt-get update --no-install-recommends -y
sudo apt-get install -y python3 python-is-python3

We get the following error about the Google public key having been revoked:

W: https://apt.releases.hashicorp.com/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: GPG error: https://packages.cloud.google.com/apt kubernetes-xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
E: The repository 'https://apt.kubernetes.io kubernetes-xenial InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

Perhaps this is the root cause? https://askubuntu.com/questions/1398344/apt-key-deprecation-warning-when-updating-system
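The output quoted above mixes two different apt signals: the `W: ... legacy trusted.gpg keyring` lines are only deprecation warnings (apt still trusts those keys), while `NO_PUBKEY ...` followed by `E: The repository ... is not signed.` means apt refused the repository outright and, by default, will not install from it. The following POSIX shell script is an added example, not code from the cimg-aws image or from anyone in this thread: it parses apt-get update output, reports the missing key id and the unsigned repository, and fails the job before any install step runs. The sample output embedded in it is constructed from the lines in this issue; `signed_by_source_entry` builds the `signed-by` form of a sources entry that apt-key(8) recommends in place of the legacy keyring, and the repository URLs and keyring path passed to it are illustrative.

```shell
#!/bin/sh
# Added example: fail a CI job early when apt-get update reports repositories
# it cannot verify, and surface the key ids it was missing.

# Constructed sample, modelled on the apt-get update output in this issue.
SAMPLE_APT_OUTPUT=$(cat <<'EOF'
W: https://apt.releases.hashicorp.com/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: https://download.docker.com/linux/ubuntu/dists/jammy/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details.
W: GPG error: https://packages.cloud.google.com/apt kubernetes-xenial InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B53DC80D13EDEF05
E: The repository 'https://apt.kubernetes.io kubernetes-xenial InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
Hit:1 http://archive.ubuntu.com/ubuntu jammy InRelease
EOF
)

# Key ids apt could not find, one per line, deduplicated (reads apt output on stdin).
missing_pubkeys() {
    sed -n 's/.*NO_PUBKEY \([0-9A-Fa-f]*\).*/\1/p' | sort -u
}

# Repositories apt rejected as unsigned (reads apt output on stdin).
unsigned_repos() {
    sed -n 's/^E: The repository '\''\(.*\)'\'' is not signed\.$/\1/p'
}

# InRelease files whose key still lives in the deprecated trusted.gpg keyring.
# These are warnings only: apt still accepts the signature.
legacy_keyring_repos() {
    sed -n 's/^W: \(.*\): Key is stored in legacy trusted\.gpg keyring.*/\1/p'
}

# Summarise the trust state of an apt-get update run (apt output on stdin).
# Returns 0 when every repository verified, 1 when any was rejected.
apt_trust_check() {
    out=$(cat)
    status=0

    printf '%s\n' "$out" | legacy_keyring_repos | while IFS= read -r url; do
        printf 'WARN: %s is signed with a key from the legacy trusted.gpg keyring\n' "$url"
    done

    keys=$(printf '%s\n' "$out" | missing_pubkeys)
    if [ -n "$keys" ]; then
        printf 'FAIL: public key(s) not available: %s\n' "$(printf '%s' "$keys" | tr '\n' ' ')"
        status=1
    fi

    repos=$(printf '%s\n' "$out" | unsigned_repos)
    if [ -n "$repos" ]; then
        printf 'FAIL: unsigned repository: %s\n' "$repos"
        status=1
    fi

    return $status
}

# Build a sources entry that pins a repository to its own keyring file, the
# replacement apt-key(8) recommends for keys in /etc/apt/trusted.gpg.
# Usage: signed_by_source_entry <repo-url> <suite> <component> <keyring-path>
signed_by_source_entry() {
    printf 'deb [signed-by=%s] %s %s %s\n' "$4" "$1" "$2" "$3"
}

# Demo run on the constructed sample; in a real job replace the sample with
#   sudo apt-get update 2>&1 | apt_trust_check || exit 1
printf '%s\n' "$SAMPLE_APT_OUTPUT" | apt_trust_check \
    || echo "demo: apt trust check failed, the job would stop here"
```

Wiring `apt_trust_check` in front of the install step turns the silent "disabled by default" behaviour into an explicit failure that names the key apt was missing, which is what you want to see when a vendor rotates a signing key as happened here. The `signed-by` entry it can generate is the durable fix for the deprecation warnings: each repository trusts only its own keyring file under /etc/apt/keyrings rather than every key in trusted.gpg.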

JalexChen commented 1 year ago

hey @bretttully - I think this might actually be an issue with the deploy image and Google needing to rotate their keys. We'll need to release updates to the deploy suite anyway... stay tuned

bretttully commented 1 year ago

@JalexChen interesting fix -- I was also noticing this about the new Ubuntu images and wondering if it was host docker versioning related? https://askubuntu.com/questions/1429108/manually-add-key-the-following-signatures-couldnt-be-verified-because-the-publ

JalexChen commented 1 year ago

Opening this back up because of the additional comment. PR #9 released a new version of this image that includes the new GPG key that was rotated and what was breaking the build in the original comment

@bretttully - are you talking about the original errors and warnings you first brought up in this issue? If so, this image is built off the latest Docker version at the moment, 20.10.22, so it's unlikely that is the issue.

The GCP GPG issue was - I'm pretty sure - Google rotating their keys. The deprecation warnings for apt-key have been present for a while. This is likely something that will need to be addressed at some point, but that is an issue from upstream here.

bretttully commented 1 year ago

@JalexChen your new release fixes the issue. My comment was just musing on a potential issue that seemed related.