docker-library / php

Docker Official Image packaging for PHP
https://php.net
MIT License

GPG error in php:8.2-fpm after latest retag #1417

Closed manuasir closed 7 months ago

manuasir commented 1 year ago

I'm facing these errors after today's retag:

W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code

In this step:

# Install packages
RUN apt-get update && apt-get install -y \
    zip \
    wget \
    sudo \
    libcurl4-openssl-dev \
    libmcrypt-dev \
    libzip-dev \
    libssl-dev \
    curl \
    git \
    vim

vdt-mik commented 1 year ago

The same problem on php:8.1-fpm

tianon commented 1 year ago

I'm not able to reproduce, can you please provide a bit more information about what you're doing?

manuasir commented 1 year ago

Hello @tianon,

Thanks for the reply. I'm just trying to build a Dockerfile in CircleCI. The process crashes when executing the RUN I attached before. It always was fine until today without any changes on our side. I'll be happy to provide any information that you might need.

tianon commented 1 year ago

As a workaround, you can update your Dockerfile to be FROM php:8.2-fpm-bullseye (which is probably a good idea anyways so that you're controlling when those Debian updates apply to your images).

It sounds like this is probably seccomp issues and you'll need to make sure your host's libseccomp, runc, and Docker are of a sufficiently recent version (I believe that's something like 2.5.1 on libseccomp and 20.10.10+ on Docker).

vdt-mik commented 1 year ago

In my case, I run a docker build from GitLab-runner. GitLab-runner and Docker on the host machine have the latest version. As a hotfix, I had to change the image in my Dockerfile to php:8.1.19-fpm instead of php:8.1-fpm (php:8.1.20-fpm). Locally, I couldn't reproduce this problem.

kevcomparadise commented 1 year ago

Same as @vdt-mik here.

heddn commented 1 year ago

The error is coming from apt update. The GPG keys in the docker image seem to be expired. Not sure how to resolve. For now, will pin on bullseye.

yosifkit commented 1 year ago

Same answer as https://github.com/docker-library/python/issues/837#issuecomment-1593437629:

I am unable to reproduce. I'd suggest updating docker and libseccomp on the host. Newer base OS's use newer system calls and an older libseccomp can block them since they are unknown to it. You can verify that it is libseccomp by running the bookworm image with --security-opt seccomp=unconfined.

bytestream commented 1 year ago

I think @tianon and @yosifkit are on the right track. I can't replicate on libseccomp 2.5.1 and Docker 20.10.21.

I was able to replicate in a CI job which was running in docker:19.03.12 and docker:19.03.12-dind. Upgrading the job to 20.10.21 fixed the issue.

leiting6 commented 6 months ago

I met the same problem in 8.3 bookworm fpm.

tianon commented 6 months ago

I'd suggest updating docker and libseccomp on the host. Newer base OS's use newer system calls and an older libseccomp can block them since they are unknown to it. You can verify that it is libseccomp by running the bookworm image with --security-opt seccomp=unconfined.
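
Added example (not part of the original thread or of the docker-library project): a POSIX shell triage script for the diagnosis suggested in the comments above, comparing host versions against the approximate minimums quoted in the thread and then running the confined/unconfined check. The function names, the `--live` flag, and reading the libseccomp version from a `libseccomp:` line in `runc --version` are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage for NO_PUBKEY apt errors in bookworm-based images.
# Minimums are the approximate values quoted in the thread, not authoritative.
MIN_DOCKER="20.10.10"
MIN_LIBSECCOMP="2.5.1"

# version_ge A B: succeed when dotted version A >= B (numeric, field by field).
version_ge() {
    a=${1%%[-+~]*}; b=${2%%[-+~]*}   # drop suffixes such as "-ce" or "+dfsg"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# classify DOCKER_VER LIBSECCOMP_VER: print the host components that are too old.
classify() {
    out=""
    version_ge "$1" "$MIN_DOCKER" || out="docker"
    version_ge "$2" "$MIN_LIBSECCOMP" || out="${out:+$out,}libseccomp"
    echo "${out:-ok}"
}

# seccomp_probe IMAGE: run apt-get update under the default seccomp profile and
# again unconfined (the check suggested in the thread). Diagnostic use only; the
# fix discussed in the thread is upgrading Docker and libseccomp on the host.
seccomp_probe() {
    if docker run --rm "$1" apt-get update >/dev/null 2>&1; then
        echo "default-profile-ok"
    elif docker run --rm --security-opt seccomp=unconfined "$1" \
            apt-get update >/dev/null 2>&1; then
        echo "seccomp-suspected"     # fails confined, passes unconfined
    else
        echo "other-cause"           # fails either way: look elsewhere
    fi
}

# Live mode: sh triage.sh --live [image]; needs docker and runc on PATH.
if [ "${1:-}" = "--live" ]; then
    dv=$(docker version --format '{{.Server.Version}}')
    sv=$(runc --version | sed -n 's/^libseccomp: //p')   # assumed output line
    echo "docker=$dv libseccomp=$sv too_old=$(classify "$dv" "${sv:-0}")"
    seccomp_probe "${2:-php:8.2-fpm}"
fi
```

Without `--live` the script only defines the functions, so `classify 19.03.12 2.5.1` can be used on version strings collected from a CI runner by other means.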