rocker-org / rocker

R configurations for Docker
https://rocker-project.org
GNU General Public License v2.0

r-base 4.1.2 is missing some public keys #479

Closed abudis closed 2 years ago

abudis commented 2 years ago

Hello all and a Happy New Year! 🥳 Hope you had a good break!

I see the following warnings and errors when trying to install debian packages using the latest r-base image - 4.1.2:

Err:6 http://deb.debian.org/debian testing InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Get:7 http://deb.debian.org/debian experimental InRelease [75.4 kB]
Err:1 http://cdn-fastly.deb.debian.org/debian sid InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Err:7 http://deb.debian.org/debian experimental InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Reading package lists...
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://deb.debian.org/debian testing InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
E: The repository 'http://deb.debian.org/debian testing InRelease' is not signed.
W: http://http.debian.net/debian/dists/sid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://http.debian.net/debian/dists/sid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://http.debian.net/debian/dists/sid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://http.debian.net/debian/dists/sid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://http.debian.net/debian/dists/sid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://http.debian.net/debian/dists/sid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://http.debian.net/debian/dists/sid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://http.debian.net/debian/dists/sid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://http.debian.net/debian/dists/sid/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://cdn-fastly.deb.debian.org/debian sid InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
E: The repository 'http://http.debian.net/debian sid InRelease' is not signed.
W: http://deb.debian.org/debian/dists/experimental/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/experimental/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/experimental/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/experimental/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/experimental/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/experimental/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/experimental/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/experimental/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/experimental/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://deb.debian.org/debian experimental InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
E: The repository 'http://deb.debian.org/debian experimental InRelease' is not signed.

r-base 4.1.1 works like a charm though and as far as I can tell, and judging by the Dockerfiles of both versions, the only difference I see is the R version. So my conclusion is that at the time 4.1.1 was built those keys were available, but expired by the time 4.1.2 was built. Could you please check if you see this as well? Thanks in advance!

eddelbuettel commented 2 years ago

I cannot reproduce this.

Our rocker/r-base

edd@rob:~$ docker run --rm -ti rocker/r-base:4.1.2 bash
root@c2ad5da0eec7:/# apt update
Ign:1 https://eddelbuettel.github.io/ppaR400 ./ InRelease
Get:2 https://eddelbuettel.github.io/ppaR400 ./ Release [1,204 B]     
Ign:3 https://eddelbuettel.github.io/ppaR400 ./ Release.gpg                                            
Get:4 https://eddelbuettel.github.io/ppaR400 ./ Packages [26.4 kB]    
Get:5 http://cdn-fastly.deb.debian.org/debian sid InRelease [165 kB]           
Get:6 http://deb.debian.org/debian testing InRelease [129 kB]
Get:7 http://deb.debian.org/debian experimental InRelease [75.4 kB]
Get:8 http://cdn-fastly.deb.debian.org/debian sid/main amd64 Packages [8,866 kB]
Get:9 http://deb.debian.org/debian testing/main amd64 Packages [8,248 kB]
Get:10 http://deb.debian.org/debian experimental/main amd64 Packages [455 kB]
Fetched 18.0 MB in 2s (8,112 kB/s)                    
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
133 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@c2ad5da0eec7:/# 

The identical yet "official" with Docker image r-base:4.1.2 does this fine:

edd@rob:~$ docker run --rm -ti r-base:4.1.2 bash
root@bbc2dbe8f20c:/# apt update
Get:1 http://deb.debian.org/debian testing InRelease [129 kB]
Get:2 http://deb.debian.org/debian experimental InRelease [75.4 kB]                                    
Ign:3 https://eddelbuettel.github.io/ppaR400 ./ InRelease
Get:4 https://eddelbuettel.github.io/ppaR400 ./ Release [1,204 B]
Ign:5 https://eddelbuettel.github.io/ppaR400 ./ Release.gpg        
Get:6 https://eddelbuettel.github.io/ppaR400 ./ Packages [26.4 kB]
Get:7 http://deb.debian.org/debian testing/main amd64 Packages [8,248 kB]
Get:9 http://deb.debian.org/debian experimental/main amd64 Packages [455 kB]
Get:8 http://cdn-fastly.deb.debian.org/debian sid InRelease [165 kB]      
Get:10 http://cdn-fastly.deb.debian.org/debian sid/main amd64 Packages [8,866 kB]
Fetched 18.0 MB in 2s (9,512 kB/s)                          
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
40 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@bbc2dbe8f20c:/# 

Make sure you have current images (though the official one doesn't even rebuild):

edd@rob:~$ docker images | grep 4.1.2
r-base                               4.1.2           13f75f489d67   2 weeks ago     764MB
rocker/r-base                        4.1.2           91af7f4c94cd   2 months ago    814MB
edd@rob:~$ 

Did you maybe forget to run apt update before running an apt command or something else?

I do not think docker would access the keys from the host I am running on (but I could be wrong here). I could repeat this on a different machine...

abudis commented 2 years ago

Hey @eddelbuettel,

Thanks for looking into this!

The reason I'm checking 4.1.2 is because our old r-base image 3.6.3 started to fail (most likely due to changes upstream in debian:testing. I think I tracked it down to the glibc update, but I'm not 100% sure).

Our Dockerfile indeed includes apt-get update as the first step, and so the script fails at this stage. I tried first 4.1.2, which failed, and then 4.1.1 which worked, with the rest of the Dockerfile being the same.

This issue could be related to something that we do internally, but I'm thinking this would affect both 4.1.1 and 4.1.2 equally? Not really sure what's happening 🤔

eddelbuettel commented 2 years ago

Let's keep it open and dig a little. Keys do get updated, and these issues do happen (and we last had it at the Ubuntu repo for r-base and friends that is hosted by CRAN where it affected Ubuntu 21.10). I also think I have seen it, but then in some cases it also affected local helper repos I made for myself (and where I hadn't or didn't even sign the release files).

If it is present in the official files I should of course do something about it but first we need to triage. Can you maybe try with plain Debian 'stable' and 'testing' images if you see it there? We really need some sort of reproducible example first.

abudis commented 2 years ago

Hey,

I could confirm that the issue was due to a very old host system building the docker image. Apparently there's some incompatibility between the kernel and the glibc 2.33.

Think this can be closed.

Thanks!

eddelbuettel commented 2 years ago

I concur. It is an issue that comes up every now and then but it did sound like something local to your end. Thanks for confirming. (And by the way: as you opened this you too could close it. It's not just repo owners. But doing so now.)
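
A triage sketch for the log in the first post, added here as an example and not code from the rocker project or from either participant: it separates NO_PUBKEY errors that arrive together with "keyring ... not readable by user '_apt'" warnings (keys on disk but never loaded, as in this thread) from errors where the signing key is simply not installed. The function name, the verdict labels and the abridged sample are constructed for illustration.

```python
import re

# Constructed sample: a few lines abridged from the apt output quoted in the first post.
SAMPLE = """\
Err:6 http://deb.debian.org/debian testing InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/testing/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
E: The repository 'http://deb.debian.org/debian testing InRelease' is not signed.
"""

NO_PUBKEY = re.compile(r"NO_PUBKEY ([0-9A-Fa-f]{16,40})\b")
IGNORED = re.compile(
    r"The key\(s\) in the keyring (\S+) are ignored as the file is "
    r"not readable by user '([^']+)'"
)
UNSIGNED = re.compile(r"^E: The repository '([^']+)' is not signed\.", re.M)


def triage_apt_log(text):
    """Classify signature failures in `apt update` output (hypothetical helper)."""
    missing = sorted({k.upper() for k in NO_PUBKEY.findall(text)})
    ignored = IGNORED.findall(text)
    keyrings = sorted({path for path, _user in ignored})
    users = sorted({user for _path, user in ignored})
    if missing and keyrings:
        # apt reported that it skipped keyrings already on disk, so the keys
        # were never loaded. Importing more keys or disabling verification
        # would hide the real fault, which is in reading those files.
        verdict = "keyring-unreadable"
    elif missing:
        # No keyring was skipped: the signing key is really not installed.
        verdict = "key-absent"
    else:
        verdict = "ok"
    return {
        "verdict": verdict,
        "missing_keys": missing,
        "ignored_keyrings": keyrings,
        "unreadable_for": users,
        "unsigned_repos": sorted(set(UNSIGNED.findall(text))),
    }


if __name__ == "__main__":
    for field, value in triage_apt_log(SAMPLE).items():
        print(f"{field}: {value}")
```

A "keyring-unreadable" verdict points at the build environment rather than the archive keys, which matches how this issue was resolved.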