dd010101 / vyos-jenkins

How to build packages from VyOS stable branches (1.3 equuleus/1.4 sagitta) with Jenkins (and then build an ISO from them)

linux-kernels fail to build with GPG errors #26

Closed compuwizz closed 2 months ago

compuwizz commented 3 months ago

Both branches on the linux-kernel build are failing to build for me due to not being able to find GPG keys. Any tips to resolve this?

```
15:00:00  Running in /var/lib/jenkins/workspace/linux-kernel_sagitta/build-amd64/packages/linux-kernel/kernel
[Pipeline] {
[Pipeline] sh
15:00:00  + cd ..
15:00:00  + tomlq -r .kernel_version
15:00:00  + cat ../../data/defaults.toml
15:00:00  + KERNEL_VER=6.6.33
15:00:00  + gpg2 --locate-keys torvalds@kernel.org gregkh@kernel.org
15:00:00  gpg: directory '/home/vyos_bld/.gnupg' created
15:00:00  gpg: keybox '/home/vyos_bld/.gnupg/pubring.kbx' created
15:00:00  gpg: /home/vyos_bld/.gnupg/trustdb.gpg: trustdb created
15:00:01  gpg: error retrieving 'gregkh@kernel.org' via WKD: General error
15:00:01  gpg: error reading key: General error
15:00:01  gpg: error retrieving 'torvalds@kernel.org' via WKD: General error
15:00:01  gpg: error reading key: General error
```

I can import the keys manually but the build inside the docker container doesn't seem to find those.

I imported the keys with:

```
gpg --search-keys ABAF11C65A2970B130ABE3C479BE3E4300411886
gpg --search-keys 647F28654894E3BD457199BE38DBBDC86092693E
```

dd010101 commented 3 months ago

The build is running inside a docker container, thus anything you do on the host itself will not change anything for the build.

The keys are being imported, thus there is no need to import them manually - that's what the docker container is trying to do by itself:

```
09:32:30  + cd ..
09:32:30  + cat ../../data/defaults.toml
09:32:30  + tomlq -r .kernel_version
09:32:30  + KERNEL_VER=6.6.33
09:32:30  + gpg2 --locate-keys torvalds@kernel.org gregkh@kernel.org
09:32:30  gpg: directory '/home/vyos_bld/.gnupg' created
09:32:30  gpg: keybox '/home/vyos_bld/.gnupg/pubring.kbx' created
09:32:30  gpg: /home/vyos_bld/.gnupg/trustdb.gpg: trustdb created
09:32:32  gpg: key 38DBBDC86092693E: public key "Greg Kroah-Hartman <gregkh@kernel.org>" imported
09:32:32  gpg: Total number processed: 1
09:32:32  gpg:               imported: 1
09:32:33  gpg: key 79BE3E4300411886: public key "Linus Torvalds <torvalds@kernel.org>" imported
09:32:33  gpg: Total number processed: 1
09:32:33  gpg:               imported: 1
09:32:33  pub   rsa4096 2011-09-23 [SC]
09:32:33        647F28654894E3BD457199BE38DBBDC86092693E
09:32:33  uid           [ unknown] Greg Kroah-Hartman <gregkh@kernel.org>
09:32:33  sub   rsa4096 2011-09-23 [E]
09:32:33  
09:32:33  pub   rsa2048 2011-09-20 [SC]
09:32:33        ABAF11C65A2970B130ABE3C479BE3E4300411886
09:32:33  uid           [ unknown] Linus Torvalds <torvalds@kernel.org>
09:32:33  sub   rsa2048 2011-09-20 [E]
```

I did now try to run the sagitta linux-kernel build and it does pass the gpg keys just fine.

The gpg import seems to work on your host but fails for some reason in the docker container. We would need to add `-vv` to the gpg command, like this: `gpg2 -vv --locate-keys torvalds@kernel.org gregkh@kernel.org`, to see why.

I expect this will work on your host but perhaps if you tried to run it in the container then you may reproduce the issue and see some hints.

Launch bash inside the container:

```
docker run -it vyos/vyos-build:sagitta bash
```

Try to import the keys:

```
gpg2 -vv --locate-keys torvalds@kernel.org gregkh@kernel.org
```

If this passes but still fails when Jenkins runs it, then you could git clone my fork of vyos-build, check out the sagitta branch, add the `-vv` to the gpg command in `packages/linux-kernel/Jenkinsfile`, commit the change and try to run the build from your local git repository. If you want, I can give you more specific directions on this. This is the easiest way to inject commands or extra parameters to debug the build when Jenkins runs it in the natural way.

compuwizz commented 3 months ago

Unfortunately it still isn't working when I manually try to import it.


```
Current UID/GID: 0/0
useradd warning: vyos_bld's uid 0 outside of the UID_MIN 1000 and UID_MAX 60000 range.
root@d26f4d0632e7:/# gpg2 -vv --locate-keys torvalds@kernel.org gregkh@kernel.org
gpg: directory '/home/vyos_bld/.gnupg' created
gpg: keybox '/home/vyos_bld/.gnupg/pubring.kbx' created
gpg: /home/vyos_bld/.gnupg/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: error retrieving 'gregkh@kernel.org' via Local: No public key
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: connection to dirmngr established
gpg: error retrieving 'gregkh@kernel.org' via WKD: General error
gpg: error reading key: General error
gpg: error retrieving 'torvalds@kernel.org' via Local: No public key
gpg: error retrieving 'torvalds@kernel.org' via WKD: General error
gpg: error reading key: General error
```

I was able to import them inside the docker this way:

```
root@d26f4d0632e7:/# gpg --search-keys ABAF11C65A2970B130ABE3C479BE3E4300411886
gpg: data source: https://keys.openpgp.org:443
(1)   2048 bit RSA key 79BE3E4300411886, created: 2011-09-20
Keys 1-1 of 1 for "ABAF11C65A2970B130ABE3C479BE3E4300411886".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 79BE3E4300411886: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
root@d26f4d0632e7:/# gpg --search-keys 647F28654894E3BD457199BE38DBBDC86092693E
gpg: data source: https://keys.openpgp.org:443
(1)   4096 bit RSA key 38DBBDC86092693E, created: 2011-09-23
Keys 1-1 of 1 for "647F28654894E3BD457199BE38DBBDC86092693E".  Enter number(s), N)ext, or Q)uit > 1
gpg: key 38DBBDC86092693E: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
root@d26f4d0632e7:/# exit
exit
```

dd010101 commented 3 months ago

Does the command with --locate-keys work on your host? Maybe this is not related to docker container but about the --locate-keys by e-mail?

What happens if you use --auto-locate-keys like this: `gpg2 -vv --auto-key-locate cert,pka,dane,wkd,keyserver --locate-keys torvalds@kernel.org gregkh@kernel.org`? Does that work for you?

compuwizz commented 2 months ago

I haven't been able to track down much more information, but I have successfully been able to build with the same instructions on a VM outside my local network. So it's something in either my local dns/a keycache/etc.

dd010101 commented 2 months ago

Makes sense. 👍