serversideup / docker-php

🐳 Production-ready Docker images for PHP. Optimized for Laravel, WordPress, and more!
https://serversideup.net/open-source/docker-php/
GNU General Public License v3.0

nginx apt repository GPG expired #380

Closed madeddie closed 2 months ago

madeddie commented 2 months ago

Affected Docker Images

serversideup/php:8.3-fpm-nginx-bookworm-v3.2.0

Current Behavior

When doing an "apt-get update" I get this error:

1.700 W: GPG error: http://nginx.org/packages/debian bookworm InRelease: The following signatures were invalid: EXPKEYSIG ABF5BD827BD9BF62 nginx signing key <signing-key@nginx.com>
1.700 E: The repository 'http://nginx.org/packages/debian bookworm InRelease' is not signed.

Expected Behavior

Don't give this error

Steps To Reproduce

  1. Create Dockerfile with FROM serversideup/php:8.3-fpm-nginx-bookworm-v3.2.0 and RUN apt-get update -y
  2. docker build .
  3. error

Anything else?

The key has been updated in the keyservers with a new expiry: https://github.com/nginx/nginx.org/pull/41

A simple rebuild of the image (that downloads the latest key file) should suffice to fix this. I'd say even tag it with the same version if nothing else changes.

GeorgeNance commented 2 months ago

Same issue here

jaydrogers commented 2 months ago

Getting a number of reports on this.

Unfortunately I am AFK this weekend and will be returning Tuesday. If anyone wants to investigate this for me and propose a solution, I would appreciate it!

madeddie commented 2 months ago

My description should be enough, the file downloaded here https://github.com/serversideup/docker-php/blob/main/src/variations/fpm-nginx/Dockerfile#L35 should be downloaded again, since the file in the currently released image has an expired key. If someone can simply run the docker build and push again, that will solve it.

madeddie commented 2 months ago

A possible quick fix for people is to download the gpg key and copy it into the Dockerfile on build for now. Run curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor > nginx-archive-keyring.gpg in the same dir as your Dockerfile and add COPY nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg in your Dockerfile before you run apt[-get] update.

jaydrogers commented 2 months ago

Running this from my phone, but it failed. Trying again https://github.com/serversideup/docker-php/actions/runs/9131599748

jaydrogers commented 2 months ago

The run completed. Can someone help me validate it's actually fixed?

I want to make sure it works for the latest minor tags too (8.3-fpm-nginx, 8.2-fpm-nginx, etc)

madeddie commented 2 months ago

Did a quick and dirty test and it seems to be working.

Got a list of images with nginx in the name, but not alpine of the last 8 or 9 hours (since that was when your last build pushed), then unique'd on sha hash.

$ hub-tool tag ls serversideup/php --all | grep nginx | grep -v "alpine" | awk '{print $1, $2, $4, $5}' | egrep "(8|9) hours" | sort -s -u -k2,2 | awk '{print $1}'
serversideup/php:8.3-fpm-nginx-bookworm
serversideup/php:8.1-fpm-nginx-v3.2.0
serversideup/php:fpm-nginx-bookworm-v3.2.0
serversideup/php:8-fpm-nginx
serversideup/php:8.1.29-fpm-nginx
serversideup/php:8.2-fpm-nginx-v3.2.0
serversideup/php:8.2.20-fpm-nginx
serversideup/php:7-fpm-nginx-v3.2.0
serversideup/php:8.0-fpm-nginx-v3.2.0
serversideup/php:8.2.20-fpm-nginx-v3.2.0
serversideup/php:fpm-nginx-v3.2.0

Used this command to actually test them and all containers finished without error.

$ hub-tool tag ls serversideup/php --all | grep nginx | grep -v "alpine" | awk '{print $1, $2, $4, $5}' | egrep "(8|9) hours" | sort -s -u -k2,2 | awk '{print $1}' | xargs -I% docker run --user root --entrypoint /usr/bin/apt-get % update

I consider this issue fixed. Thank you for quick response!

madeddie commented 2 months ago

(for anyone wanting to replicate the test, be sure to check the output after the first awk to see if the latest images are really 8 or 9 hours old, they'll likely be older by the time you read this :)) (pps hub-tool can be found here https://github.com/docker/hub-tool)

sixlive commented 2 months ago

I pulled serversideup/php:8.3-fpm-nginx-bookworm-v3.2.0 which is what we're using, everything seems like it's working as expected.

jaydrogers commented 2 months ago

Thanks for confirming all! I appreciate your flexibility and support as I was AFK this weekend!

nickbasile commented 1 month ago

@jaydrogers is there a fix available for older images? I'm running serversideup/php:beta-8.2.17-fpm-nginx and started seeing the same error.

jaydrogers commented 1 month ago

If possible, I would recommend upgrading to the latest 8.2 minor version of PHP (as of this post):

serversideup/php:8.2.20-fpm-nginx

Manual fix

Summarizing the comment above: https://github.com/serversideup/docker-php/issues/380#issuecomment-2168996813

Download key from NGINX

curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor > nginx-archive-keyring.gpg

Overwrite old NGINX key (from your workstation to the container image)

COPY nginx-archive-keyring.gpg /usr/share/keyrings/nginx-archive-keyring.gpg

Update apt repos

apt-get update

nickbasile commented 1 month ago

Thanks so much! Confirming that the manual fix worked.

Need to get working on updating our stuff 😅