aws / aws-codebuild-docker-images

Official AWS CodeBuild repository for managed Docker images http://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref.html

Invalid signature from cli.github.com #739

Closed drodil closed 2 months ago

drodil commented 2 months ago

Describe the bug

Cannot run apt update in the build image.

Reading package lists...
W: GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <opensource+cli@github.com>
E: The repository 'https://cli.github.com/packages stable InRelease' is not signed.

To Reproduce

Steps to reproduce the behavior:

  1. Run sudo apt-get update at the start of the build

Expected behavior

sudo apt-get update works

Platform (please complete the following information):

Additional context

The keys were updated because of expiration, see https://github.com/cli/cli/issues/9569

williammartin commented 2 months ago

Hi folks, many apologies for the troubles from the GitHub CLI.

Glancing around this repo I believe that the important layer that needs to be rebuilt is: https://github.com/aws/aws-codebuild-docker-images/blob/1bd6ad2e247b957c8597fc31e172e3d2df185a19/ubuntu/standard/7.0/Dockerfile#L174

Any layer on top of this that does apt update should begin working again.

For anyone building their images from the ones here, the workaround is probably to add the following to your dockerfiles before running apt update:

RUN mkdir -p -m 755 /etc/apt/keyrings \
    && wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
    && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null

Or possibly trimmed down as:

RUN wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
    && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg

This will grab the new keyring.
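An added triage helper, not part of this issue or of the aws-codebuild-docker-images repo: it scans apt-get update output like the log quoted above, extracts the repository, GPG status and key ID, and tells a build pipeline whether refreshing the keyring (the workaround above) is the right response. The sample output is constructed from the error in this issue plus one invented BADSIG line with a placeholder key ID, so the difference between an expired key and a signature that does not verify is visible.

```python
import re

# Constructed sample of `apt-get update` output. The first GPG error is the one quoted
# in this issue; the BADSIG line, its URL and key ID are placeholders made up here.
SAMPLE_APT_OUTPUT = """\
Reading package lists...
W: GPG error: https://cli.github.com/packages stable InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <opensource+cli@github.com>
E: The repository 'https://cli.github.com/packages stable InRelease' is not signed.
W: GPG error: https://example.invalid/debian stable InRelease: The following signatures were invalid: BADSIG 0123456789ABCDEF Example <example@example.invalid>
"""

# apt's "W: GPG error:" line carries the source URL, suite, gpgv status word and long key ID.
GPG_ERROR_RE = re.compile(
    r"^W: GPG error: (?P<url>\S+) (?P<suite>\S+) InRelease: "
    r".*?(?P<status>EXPKEYSIG|REVKEYSIG|NO_PUBKEY|BADSIG) (?P<keyid>[0-9A-F]{16})"
)

# What each gpgv status means and the safe response for the person fixing the build.
ACTIONS = {
    "EXPKEYSIG": ("signing key expired", "refresh the keyring from the vendor's published key"),
    "REVKEYSIG": ("signing key revoked", "refresh the keyring; never re-trust the old key"),
    "NO_PUBKEY": ("signing key not installed", "install the vendor keyring and reference it with signed-by"),
    "BADSIG": ("signature does not verify", "stop: possible tampering or corrupt mirror; do not bypass"),
}


def triage_apt_output(text):
    """Return one finding dict per GPG error line found in apt-get update output."""
    findings = []
    for line in text.splitlines():
        m = GPG_ERROR_RE.match(line)
        if not m:
            continue  # E: lines and normal progress output carry nothing to triage
        status = m.group("status")
        meaning, action = ACTIONS[status]
        findings.append({
            "url": m.group("url"), "suite": m.group("suite"), "status": status,
            "keyid": m.group("keyid"), "meaning": meaning, "action": action,
            # Only an expired, revoked or missing key is cured by fetching a new keyring;
            # a bad signature must not be "fixed" by deleting the source list or ignoring it.
            "safe_to_rotate": status != "BADSIG",
        })
    return findings


if __name__ == "__main__":
    for f in triage_apt_output(SAMPLE_APT_OUTPUT):
        print(f"{f['url']} {f['suite']}: {f['status']} {f['keyid']} -> {f['meaning']}; {f['action']}")
```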

drodil commented 2 months ago

Thanks a lot for this @williammartin 👍 I think this affects many CodeBuild users, so I hope it also gets some eyes from the AWS side!

williammartin commented 2 months ago

If the workaround above works for you, it would be great if you could drop a note back here for others and for us to know, since we'll be trying to proactively reach out on issues to support. 🙏

drodil commented 2 months ago

@williammartin I can confirm that adding wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg before the update fixes the issue for now.

However, it still should be fixed to the original image.

toplac commented 2 months ago

Another quick and dirty workaround is to remove the repository before running apt-get update or similar. This works for us because we don't use the gh binary:

rm /etc/apt/sources.list.d/github-cli.list

williammartin commented 2 months ago

> However, it still should be fixed to the original image.

Hopefully the AWS folks will come bail out our embarrassment soon 😅

Thanks for the confirmation! I'll probably update the linked issue with a Docker specific section shortly.

Dylan-AWS commented 2 months ago

CodeBuild team is working on releasing a new image to resolve this issue.

Dylan-AWS commented 2 months ago

CodeBuild has deployed a patch to our images to update the keyring. You will no longer see this error. Resolving this issue.

ritog commented 1 month ago

https://github.com/cli/cli/issues/9569

This page actually worked for me.

The "What do you need to do about it?" section.