GoogleCloudPlatform / mysql-docker

GNU General Public License v2.0

Invalid key signature for mysql-docker/8/debian11/8.0 #98

Open roger2hk opened 9 months ago

roger2hk commented 9 months ago

According to MySQL's Signature Checking Using GnuPG doc, the existing key has expired.

The 3A79BD29 key expires on 2023-12-14. A new replacement key (A8D3785C) will sign upcoming MySQL 8.0.36 and higher packages. Both keys are installed by the MySQL repository setup packages released with MySQL 8.0.35, and both keys are also available at https://repo.mysql.com/.

The following GPG key does not match the one in the 'http://repo.mysql.com/apt/debian bullseye InRelease'.

https://github.com/GoogleCloudPlatform/mysql-docker/blob/1d42fda185883f88eb4240994dbb48dec5e874bf/8/debian11/8.0/Dockerfile#L51-L52

Steps to replicate

rogerng@cloudshell:~ (project_name)$ docker run \
  --name some-mysql \
  -e "MYSQL_ROOT_PASSWORD=example-password" \
  -p 3306:3306 \
  -d \
  marketplace.gcr.io/google/mysql8
7a84354684e98448fe13583c6221bffa4cfe26475b03e0d37f93f4d156ee0907
rogerng@cloudshell:~ (project_name)$ docker exec -it 7a8 bash
root@7a84354684e9:/# apt-get update && apt-get install
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://repo.mysql.com/apt/debian bullseye InRelease [17.9 kB]
Err:2 http://repo.mysql.com/apt/debian bullseye InRelease
  The following signatures were invalid: EXPKEYSIG 467B942D3A79BD29 MySQL Release Engineering <mysql-build@oss.oracle.com>
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:5 http://deb.debian.org/debian bullseye/main amd64 Packages [11.1 MB]
Get:6 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [17.7 kB]
Get:7 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [334 kB]
Reading package lists... Done                        
W: GPG error: http://repo.mysql.com/apt/debian bullseye InRelease: The following signatures were invalid: EXPKEYSIG 467B942D3A79BD29 MySQL Release Engineering <mysql-build@oss.oracle.com>
E: The repository 'http://repo.mysql.com/apt/debian bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

mhutchinson commented 8 months ago

https://bugs.mysql.com/bug.php?id=113432 is relevant discussion of the upstream issue.
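
The EXPKEYSIG failure reported in this issue can be caught before it breaks `apt-get update` by checking the expiry dates in the image's repository keyring during the build. The following is an added example, not code from this repository or from MySQL: it parses `gpg --show-keys --with-colons` records and flags keys that are expired or close to expiry. The sample records are constructed; only the key ID 467B942D3A79BD29, the short ID A8D3785C and the 2023-12-14 expiry date come from the issue, and the zero-padded long ID, the subkey and all other timestamps are placeholders.

```shell
#!/bin/sh
# Added example. Reads `gpg --show-keys --with-colons` records on stdin and
# flags primary keys and subkeys that are expired at NOW (epoch seconds) or
# that expire within WARN_DAYS. Returns 1 if any key needs attention.
# Usage: check_key_expiry NOW WARN_DAYS < colon-listing
check_key_expiry() {
    awk -F: -v now="$1" -v warn_days="$2" '
        $1 == "pub" || $1 == "sub" {
            expiry = $7                       # field 7: expiration date
            if (expiry == "")            state = "NOEXPIRY"
            else if (expiry ~ /T/)       state = "UNPARSED"  # ISO 8601 form
            else if (expiry + 0 <= now)  state = "EXPIRED"
            else if (expiry - now <= warn_days * 86400) state = "EXPIRING"
            else                         state = "OK"
            print state, $1, $5, expiry       # field 5: long key ID
            if (state != "OK" && state != "NOEXPIRY") bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample listing (not real gpg output). The first key uses the ID
# from the issue with expiry 2023-12-14 00:00:00 UTC (time of day constructed).
# 00000000A8D3785C is a padded placeholder for the replacement key; its
# expiry (2026-01-01) and the subkey record are constructed as well.
sample_listing() {
    cat <<'EOF'
pub:e:4096:1:467B942D3A79BD29:1639440000:1702512000::-:::sc::::::23::0:
uid:e::::1639440000::0000000000000000000000000000000000000000::MySQL Release Engineering <mysql-build@oss.oracle.com>::::::::::0:
pub:-:4096:1:00000000A8D3785C:1698000000:1767225600::-:::scSC::::::23::0:
sub:-:4096:1:0000000000000001:1698000000:1767225600:::::e::::::23:
EOF
}

# Demo: the sample keyring as of 2024-01-01 00:00:00 UTC with a 30-day window.
sample_listing | check_key_expiry 1704067200 30 || echo "keyring needs attention"
```

In a build, the input would come from `gpg --show-keys --with-colons` run on the keyring file the Dockerfile installs (the path depends on the image), with `$(date +%s)` as NOW.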