Homebrew / brew

🍺 The missing package manager for macOS (or Linux)
https://brew.sh
BSD 2-Clause "Simplified" License

Docker images have expired key for github cli packages #18268

Closed andreineculau closed 2 months ago

andreineculau commented 2 months ago

brew doctor output

n/a

Verification

brew config output

n/a

What were you trying to do (and why)?

use the latest homebrew docker image and get the latest aptitude packages

In https://github.com/Homebrew/brew/blob/94eb0c7f83a8f085d7d08ffcedd06855a0da7918/Dockerfile#L47 we get the github cli keyring, but it expired.

so running

docker run --rm -it ghcr.io/homebrew/ubuntu22.04:latest

Followed by an apt-get update, like

sudo apt-get -y --fix-missing --allow-releaseinfo-change update

will now error.

Any other fix than build a new image or rebuild the current image (same version)? For the time being, I guess it can be fixed downstream by updating the keyring.

PS: Maybe someone can explain why do we need github cli on the homebrew docker image. Can it be removed?

What happened (include all command output)?

W: GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <opensource+cli@github.com>
E: The repository 'https://cli.github.com/packages stable InRelease' is not signed.

What did you expect to happen?

no error

Step-by-step reproduction instructions (by running brew commands)

docker run --rm -it ghcr.io/homebrew/ubuntu22.04:latest

# inside docker, run:
sudo apt-get -y --fix-missing --allow-releaseinfo-change update

carlocab commented 2 months ago

Is there another keyring we can get that isn't expired?

> PS: Maybe someone can explain why do we need github cli on the homebrew docker image.

Homebrew CI makes heavy use of gh.

> Can it be removed?

Not without breaking pretty much all of our CI.

carlocab commented 2 months ago

See also https://github.com/cli/cli/issues/9569.

Seems like the image just needs to be rebuilt. If this is blocking you, consider using ghcr.io/homebrew/ubuntu22.04:master instead.

A rebuilt :latest image should be available on the next brew tag (likely early next week).

In a pinch, you could probably also run this inside the :latest container:

curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | 
  sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg

williammartin commented 2 months ago

Hi folks, many apologies for the troubles from the GitHub CLI.

I just added some docker related details to our tracking issue: https://github.com/cli/cli/issues/9569#docker-build-failing

I can confirm the new keyring is available at https://cli.github.com/packages/githubcli-archive-keyring.gpg. If you own the layer that grabs this key, I would expect rebuilding the image solves the problem. If you don't own the layer, running:

RUN wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
    && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg

before the apt update should work around the problem until the base layer is updated.

Sorry 🙏

carlocab commented 2 months ago

@williammartin thanks for chiming in!

I think /etc/apt/keyrings there should be /usr/share/keyrings, because our Dockerfile still uses the old instructions:

https://github.com/Homebrew/brew/blob/94eb0c7f83a8f085d7d08ffcedd06855a0da7918/Dockerfile#L47-L51

I'll open a PR to update our Dockerfile.

williammartin commented 2 months ago

Ahha! Thanks. I'm going to update our issue to provide both sets of instructions.

andreineculau commented 2 months ago

Thank you @carlocab ! We're good on our side. We have a hotfix to remove everything gh (via apt; we also make use of gh, but we install it via homebrew 😅 #inception)

And thank you @williammartin ! Do take it easy and enjoy the weekend! ❤️

williammartin commented 2 months ago

Updated the instructions to account for the old location here: https://github.com/cli/cli/issues/9569#what-do-you-need-to-do-about-apt

Cheers!

carlocab commented 2 months ago

Thanks @williammartin! Dockerfile now updated in #18272.

carlocab commented 2 months ago

This should be fixed as of https://github.com/Homebrew/brew/releases/tag/4.3.20.
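
Added example, not part of the original thread and not Homebrew or GitHub CLI code: a shell function that reads `gpg --show-keys --with-colons` output for an APT keyring and flags keys that are expired or about to expire, so an image build can catch the `EXPKEYSIG` condition before `apt-get update` fails. The function name, the sample listing, its key IDs and its timestamps are constructed for illustration.

```shell
#!/bin/sh
# expiring_keys WINDOW_DAYS [NOW_EPOCH]   (hypothetical helper, added example)
# Reads `gpg --show-keys --with-colons KEYRING` output on stdin and prints
#   "<EXPIRED|EXPIRING> <pub|sub> <keyid> <days_left>"
# for each key that has expired or expires within WINDOW_DAYS.
# Returns 1 if anything was reported, 0 otherwise.
# Colon format: field 1 = record type, 2 = validity ("e" = expired),
# 5 = key ID, 7 = expiry in seconds since the epoch (empty = no expiry).
expiring_keys() {
    window_days=$1
    now=${2:-$(date +%s)}
    awk -F: -v now="$now" -v win="$window_days" '
        $1 != "pub" && $1 != "sub" { next }   # skip fpr, uid and other records
        $7 == ""                   { next }   # key never expires
        {
            left = int(($7 - now) / 86400)
            if ($2 == "e" || $7 + 0 <= now + 0) { print "EXPIRED", $1, $5, left; bad = 1 }
            else if (left < win + 0)            { print "EXPIRING", $1, $5, left; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample listing (key IDs and timestamps are made up),
# laid out relative to NOW_EPOCH=1700000000.
sample_colons() {
    cat <<'EOF'
pub:e:4096:1:AAAAAAAAAAAAAAA1:1600000000:1699136000::-:::sc::::::23::0:
fpr:::::::::0000000000000000000000000000AAAAAAAAAAAAAAA1:
uid:e::::1600000000::0000::Constructed Example <repo@example.invalid>::::::::::0:
sub:-:4096:1:BBBBBBBBBBBBBBB2:1600000000:1700432000:::::e::::::23:
pub:-:4096:1:CCCCCCCCCCCCCCC3:1600000000:::-:::scESC::::::23::0:
pub:-:4096:1:DDDDDDDDDDDDDDD4:1600000000:1734560000::-:::scESC::::::23::0:
EOF
}

# Typical use in an image build or CI job (keyring path as used in this thread):
#   gpg --show-keys --with-colons /usr/share/keyrings/githubcli-archive-keyring.gpg \
#     | expiring_keys 30 || echo "signing key needs refreshing" >&2
```

Running the check on a schedule against published images, not only at build time, would catch a key that expires after the image was built, which is the situation reported in this issue.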