Dockerfile /openjdk/11/jdk/buster broken on gpg check

[paul-bormans]

When building the /openjdk/11/jdk/buster Dockerfile i ran into issue's with gpg:

Saving to: ‘openjdk.tgz.asc’

 0K                                    100% 16.9M=0s

2021-06-22 07:11:19 (16.9 MB/s) - ‘openjdk.tgz.asc’ saved [566/566]

• mktemp -d
• export GNUPGHOME=/tmp/tmp.dxqFdIU1qJ
• gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671 gpg: keybox '/tmp/tmp.dxqFdIU1qJ/pubring.kbx' created gpg: keyserver receive failed: No name

Increased logging level:

HTTP request sent, awaiting response... 200 OK Length: 566 [application/octet-stream] Saving to: ‘openjdk.tgz.asc’

 0K                                    100% 8.58M=0s

2021-06-22 07:17:58 (8.58 MB/s) - ‘openjdk.tgz.asc’ saved [566/566]

• mktemp -d
• export GNUPGHOME=/tmp/tmp.qhWdAE1bau
• gpg --debug-level guru --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671 gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog gpg: DBG: [not enabled in the source] start gpg: DBG: fd_cache_invalidate (/tmp/tmp.qhWdAE1bau/pubring.kbx) gpg: DBG: iobuf-1.0: open '/tmp/tmp.qhWdAE1bau/pubring.kbx' desc=file_filter(fd) fd=3 gpg: DBG: iobuf-1.0: close 'file_filter(fd)' gpg: DBG: /tmp/tmp.qhWdAE1bau/pubring.kbx: close fd/handle 3 gpg: DBG: fd_cache_close (/tmp/tmp.qhWdAE1bau/pubring.kbx) new slot created gpg: DBG: iobuf-.: ioctl '/tmp/tmp.qhWdAE1bau/pubring.kbx' invalidate gpg: DBG: fd_cache_invalidate (/tmp/tmp.qhWdAE1bau/pubring.kbx) gpg: DBG: did (/tmp/tmp.qhWdAE1bau/pubring.kbx) gpg: keybox '/tmp/tmp.qhWdAE1bau/pubring.kbx' created gpg: DBG: chan_3 <- # Home: /tmp/tmp.qhWdAE1bau gpg: DBG: chan_3 <- # Config: [none] gpg: DBG: chan_3 <- OK Dirmngr 2.2.12 at your service gpg: DBG: connection to the dirmngr established gpg: DBG: chan_3 -> GETINFO version gpg: DBG: chan_3 <- D 2.2.12 gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> KEYSERVER --clear hkp://ha.pool.sks-keyservers.net gpg: DBG: chan_3 <- OK gpg: DBG: chan_3 -> KS_GET -- 0xEAC843EBD3EFDB98CC772FADA5CD6035332FA671 gpg: DBG: chan_3 <- ERR 167772380 No name gpg: keyserver receive failed: No name gpg: DBG: chan_3 -> BYE gpg: DBG: [not enabled in the source] stop gpg: keydb: handles=0 locks=0 parse=0 get=0 gpg: build=0 update=0 insert=0 delete=0 gpg: reset=0 found=0 not=0 cache=0 not=0 gpg: kid_not_found_cache: count=0 peak=0 flushes=0 gpg: sig_cache: total=0 cached=0 good=0 bad=0 gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0 outmix=0 getlvl1=0/0 getlvl2=0/0 gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0 gpg: secmem usage: 0/65536 bytes in 0 blocks

[wglambert]

See https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification (especially https://github.com/tianon/pgp-happy-eyeballs)

https://github.com/docker-library/official-images/issues/4252#issuecomment-381783035

TLDR; GPG servers are extremely flaky . . .

However in this instance that pool.sks-keyservers.net is no longer existent https://sks-keyservers.net/overview-of-pools.php We don't run into this issue during builds because that address is just a stand-in that gets DNS hijacked to point at a running instance of https://github.com/tianon/pgp-happy-eyeballs which queries multiple keyservers at once to get the fastest successful result.

You could add more servers to try https://github.com/docker-library/php/issues/586#issue-296627087

[yosifkit]

Related comment:

See https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification (especially https://github.com/tianon/pgp-happy-eyeballs) for why I haven't actually been affected by this directly, but yes, this should definitely be updated to a different keyserver now that SKS is dead. -https://github.com/tianon/dockerfiles/issues/121#issuecomment-866235268

Fixed by https://github.com/docker-library/openjdk/commit/20e86dbd02a19bca2f66b46bc3e8b00170f6f69c