mark-kubacki / apt-image

📦 minimal Ubuntu for containers, with curl and support for TLSv1.3
https://source.cloud.google.com/distro/apt-image
Universal Permissive License v1.0

The following signatures couldn't be verified because the public key is not available #21

Closed jimblizz closed 5 years ago

jimblizz commented 5 years ago

Hello,

We've used blitznote/debase for some time. Recently we've started getting the following issue when apt-get update is run in the Dockerfile (but it also happens if I test it in a running container).

Err:4 https://s.blitznote.com/debs/ubuntu/amd64 all/ InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A771821D873C0D73
Reading package lists... Done
W: GPG error: https://s.blitznote.com/debs/ubuntu/amd64 all/ InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY A771821D873C0D73
E: The repository 'https://s.blitznote.com/debs/ubuntu/amd64 all/ InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

I did wonder if we need to add a GPG key, but I cannot find one. I also investigated this method but debase doesn't have the requisite components to run apt-key, it seems.

debootstrap works correctly, but I'd prefer to keep using the smaller image.

Do you have any suggestions?

Thanks, Jim

mark-kubacki commented 5 years ago

You're using an obsoleted image.

An easy way to avoid that in future is to have your images rebuilt whenever a preceding image is updated. That's called image linking or build chaining, and you can find it here on the Docker Hub:


If you don't use the Docker Hub, be aware that you can subscribe to changes to Git repositories (such as this one) on GitHub using PubSubHubbub. Use that to trigger rebuilds.
https://developer.github.com/v3/repos/hooks/#pubsubhubbub


This is how I've tried to reproduce your issue anyway, to be sure (for 16.04 and 18.04):

# docker run -t --rm blitznote/debase:16.04 \
  apt-get -q update

Get:1 …
Get:14 …
Fetched 12.2 MB in 6s (1872 kB/s)
Reading package lists...

To list the public keys in use (I need to prune the expired, tbh), excerpt:

# apt-key list

/etc/apt/trusted.gpg.d/blitznote.gpg
------------------------------------
pub   ed25519 2019-01-22 [SC] [expires: 2020-05-18]
      567C FD96 DF91 DAE5 FD63  0E35 C790 9902 27C6 40E2
uid           [ unknown] Blitznote Release Tool (automatic) <releng@blitznote.com>
sub   ed25519 2019-01-22 [S] [expires: 2020-05-18]

… or directly (output omitted here):

# gpg --list-keys --list-options show-unusable-subkeys \
  --no-default-keyring --keyring /etc/apt/trusted.gpg.d/blitznote.gpg \
  --fingerprint --fingerprint releng@blitznote.com

You mentioned this base image lacked the requisite components to run apt-key, hence I looked into this as well:

This is how I'd add one key from public directories (which I don't use)—but this is really about how to use GnuPG—either:
(for the URL see below) (this is how I actually add keys in my own Docker images):

$ get-gpg-key "${longid}" | apt-key add -

# see also: curl -fsSL -o - https://x509.directory/blitznote/releng.gpg

… or, provided you have a DNSSEC capable resolver:

# dig +short releng._pka.blitznote.com. TXT
"v=pka1;fpr=4C312F1DF5AC58A684FB9365A771821D873C0D73;uri=https://x509.directory/blitznote/releng.gpg"
"v=pka1;fpr=567CFD96DF91DAE5FD630E35C790990227C640E2;uri=https://x509.directory/blitznote/releng.gpg"

# or use: https://toolbox.googleapps.com/apps/dig/#TXT/

$ curl -fsS \
  -H "accept: application/dns-json" \
  "https://cloudflare-dns.com/dns-query?name=releng._pka.blitznote.com&type=TXT" \
| jq -r '.Answer[].data'

(I've omitted the command for adding the result right away. This is to prevent cargo-cultists from blindly copy-and-pasting it without considering the security implications.)
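The lookup described in the comment above, written out as an added example that is not part of this thread or of the apt-image project: it maps the long key ID apt prints after `NO_PUBKEY` (the last 16 hex digits of the full fingerprint) to the matching `_pka` TXT record, and checks a downloaded key file against that fingerprint before anyone considers trusting it. The two record values are copied from the `dig` output in the comment and embedded inline so the script runs offline; the function names (`pka_find_by_longid`, `verify_key_file`, `fetch_and_verify`) are this example's own, and `fetch_and_verify` assumes `curl` and `gpg` (2.1.13 or later, for `--import-options show-only`) are installed. Placing the verified key into `/etc/apt/trusted.gpg.d/` is deliberately left as a comment, in keeping with the comment above.

```shell
#!/bin/sh
# Added example, not code from the issue thread or the apt-image project.

# TXT records for releng._pka.blitznote.com. as quoted in the thread,
# constructed inline here so that the lookup works without network access.
PKA_RECORDS='v=pka1;fpr=4C312F1DF5AC58A684FB9365A771821D873C0D73;uri=https://x509.directory/blitznote/releng.gpg
v=pka1;fpr=567CFD96DF91DAE5FD630E35C790990227C640E2;uri=https://x509.directory/blitznote/releng.gpg'

# pka_field RECORD NAME: print the value of "NAME=" in one pka1 record.
pka_field() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p"
}

# pka_find_by_longid LONGID [RECORDS]: print "FPR URI" for the record whose
# fingerprint ends in the 16-hex-digit long key ID apt printed after NO_PUBKEY.
# Returns 1 when nothing matches, 2 when the ID is not 16 hex digits.
pka_find_by_longid() {
    longid=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ "${#longid}" -eq 16 ] || return 2
    while IFS= read -r rec; do
        [ "$(pka_field "$rec" v)" = "pka1" ] || continue
        fpr=$(pka_field "$rec" fpr | tr 'a-f' 'A-F')
        case "$fpr" in
            *"$longid")
                printf '%s %s\n' "$fpr" "$(pka_field "$rec" uri)"
                return 0 ;;
        esac
    done <<EOF
${2:-$PKA_RECORDS}
EOF
    return 1
}

# gpg_fingerprint FILE: primary-key fingerprint of a key file, without
# importing it into any keyring (show-only needs GnuPG >= 2.1.13).
gpg_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_key_file FILE EXPECTED_FPR: succeed only if the file carries the
# exact fingerprint the PKA record announced.
verify_key_file() {
    actual=$(gpg_fingerprint "$1")
    if [ "$actual" = "$2" ]; then
        echo "ok: $1 has fingerprint $2"
    else
        echo "MISMATCH: expected $2, got ${actual:-<none>}" >&2
        return 1
    fi
}

# fetch_and_verify LONGID DEST: resolve the record, download the key from its
# uri, and refuse it unless the fingerprint matches. Needs curl and gpg.
fetch_and_verify() {
    match=$(pka_find_by_longid "$1") || { echo "no PKA record for $1" >&2; return 1; }
    fpr=${match%% *}
    uri=${match#* }
    curl -fsSL -o "$2" "$uri"
    verify_key_file "$2" "$fpr"
    # Only after the check above succeeds would one install the file, e.g.
    #   cp "$2" /etc/apt/trusted.gpg.d/blitznote.gpg
}

# Offline demonstration: the key ID from the error report in this thread
# resolves to the first record above.
pka_find_by_longid A771821D873C0D73
```

`pka_find_by_longid A771821D873C0D73` prints `4C312F1DF5AC58A684FB9365A771821D873C0D73 https://x509.directory/blitznote/releng.gpg`; on a host with `curl` and `gpg`, `fetch_and_verify A771821D873C0D73 /tmp/releng.gpg` performs the download and the fingerprint check. Matching on the long ID alone is not the security check; the full 40-digit fingerprint comparison in `verify_key_file` is, and in production the TXT record itself should come through a DNSSEC-validating resolver as the comment notes.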