cypress/browsers:node-18* images can't successfully apt-get update (or install after that) from missing public key E88979FB9B30ACF2
mastamark opened this issue · comments
It appears that as of ~yesterday the amd64 flavor of cypress/browers:node-18 (of any minor version) can no longer run an apt-get update which in our case we need to do before installing a few other tools for our testing workflow.
Repro:
$ docker run --platform linux/amd64 -it cypress/browsers:node-18.15.0-chrome-106.0.5249.61-1-ff-99.0.1-edge-114.0.1823.51-1 apt-get update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 https://packages.microsoft.com/repos/edge stable InRelease [3589 B]
Get:5 https://dl.google.com/linux/chrome/deb stable InRelease [1825 B]
Get:6 http://deb.debian.org/debian bullseye/main amd64 Packages [8062 kB]
Get:7 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [267 kB]
Get:8 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [18.8 kB]
Get:9 https://packages.microsoft.com/repos/edge stable/main amd64 Packages [7725 B]
Err:5 https://dl.google.com/linux/chrome/deb stable InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E88979FB9B30ACF2
Reading package lists... Done
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list.d/microsoft-edge-stable.list:1 and /etc/apt/sources.list.d/microsoft-edge.list:3
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list.d/microsoft-edge-stable.list:1 and /etc/apt/sources.list.d/microsoft-edge.list:3
W: GPG error: https://dl.google.com/linux/chrome/deb stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY E88979FB9B30ACF2
E: The repository 'https://dl.google.com/linux/chrome/deb stable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list.d/microsoft-edge-stable.list:1 and /etc/apt/sources.list.d/microsoft-edge.list:3
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list.d/microsoft-edge-stable.list:1 and /etc/apt/sources.list.d/microsoft-edge.list:3
It appears arm64 is working just peachy.
$ docker run --platform linux/arm64 -it cypress/browsers:node-18.15.0-chrome-106.0.5249.61-1-ff-99.0.1-edge-114.0.1823.51-1 apt-get update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Get:4 http://deb.debian.org/debian bullseye/main arm64 Packages [7951 kB]
Get:5 http://deb.debian.org/debian-security bullseye-security/main arm64 Packages [262 kB]
Get:6 http://deb.debian.org/debian bullseye-updates/main arm64 Packages [16.3 kB]
Fetched 8438 kB in 2s (5067 kB/s)
Reading package lists... Done
The same problem does not manifest on the cypress/browsers:node-20* images near as I can tell, and for a few other reasons we can't just easily jump to that a newer node yet.
Is there any chance we can get this fixed upstream an a new image pushed?
Ah I missed that cypress/browsers:node-18.16.1-chrome-114.0.5735.133-1-ff-114.0.2-edge-114.0.1823.51-1 existed and is NOT blowing up. I will swap to that image for now.
I do notice that there's a build difference though which probably makes the amd64 flavor susceptible to this happening down the road:
amd64 - chrome and microsoft sources
$ docker run --platform linux/amd64 -it cypress/browsers:node-18.16.1-chrome-114.0.5735.133-1-ff-114.0.2-edge-114.0.1823.51-1 ls /etc/apt/sources.list.d/
google-chrome.list microsoft-edge-stable.list microsoft-edge.list
arm64 - no chrome nor microsoft sources
$ docker run --platform linux/arm64 -it cypress/browsers:node-18.16.1-chrome-114.0.5735.133-1-ff-114.0.2-edge-114.0.1823.51-1 ls /etc/apt/sources.list.d/
I'll just add a build step to blindly clean that out first, and I'd guess this is fixed in newer versions of cypress/browsers:node-* but I'll leave this comment here and close out the issue in case future anyone else runs into this.
aware of this thread is closed (but for the ones facing the same issue as me), here goes a workaround:
# BUILD IMAGE
FROM cypress/browsers:node18.12.0-chrome107 as build
# Mute chrome source list until keys cannot be installed (to be able to run update without any issues)
RUN echo "#deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list
# Install gnupg deps (to be able to add desired key)
RUN apt update -y && apt install -y gnupg
# add desired key (with apt-key, now available)
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E88979FB9B30ACF2
# Bring back chrome source list since chrome source key is already available
RUN echo "deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google-chrome.list
RUN apt update -y
hope it works for you guys!