NGINX signing key is out of date in Dockerfiles

Question

NGINX signing key is out of date in Dockerfiles

chris-dickson opened this issue a month ago · comments

Chris Dickson commented a month ago

Describe the bug

Dockerfile.oss no longer builds anymore due to an out of date signing key

To reproduce

Steps to reproduce the behavior:

docker build -f Dockerfile.oss -t nginx-s3-gateway .
See error

 > [6/6] RUN set -eux     export DEBIAN_FRONTEND=noninteractive;     mkdir -p /var/cache/nginx/s3_proxy;     chown nginx:nginx /var/cache/nginx/s3_proxy;     chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;     echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo 1~bookworm | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list;     apt-get update;     apt-get install --no-install-recommends --no-install-suggests --yes       curl       libedit2       nginx-module-njs=1.25.5+0.8.4-3~bookworm;     apt-get remove --purge --auto-remove --yes;     rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list:                    
0.085 + mkdir -p /var/cache/nginx/s3_proxy                                                                                                                                         
0.086 + chown nginx:nginx /var/cache/nginx/s3_proxy
0.086 + chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/00-check-for-required-env.sh /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh /docker-entrypoint.d/20-envsubst-on-templates.sh /docker-entrypoint.d/22-enable_js_fetch_trusted_certificate.sh /docker-entrypoint.d/30-tune-worker-processes.sh
0.090 mode of '/docker-entrypoint.sh' changed from 0644 (rw-r--r--) to 0755 (rwxr-xr-x)
0.090 mode of '/docker-entrypoint.d/00-check-for-required-env.sh' retained as 0755 (rwxr-xr-x)
0.090 mode of '/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh' retained as 0755 (rwxr-xr-x)
0.090 mode of '/docker-entrypoint.d/20-envsubst-on-templates.sh' retained as 0755 (rwxr-xr-x)
0.090 mode of '/docker-entrypoint.d/22-enable_js_fetch_trusted_certificate.sh' retained as 0755 (rwxr-xr-x)
0.090 mode of '/docker-entrypoint.d/30-tune-worker-processes.sh' retained as 0755 (rwxr-xr-x)
0.091 + + echo 1~bookworm
0.091 cut -f2 -d~
0.091 + echo deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ bookworm nginx
0.091 + apt-get update
0.127 Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
0.152 Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
0.162 Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
0.183 Get:4 http://deb.debian.org/debian bookworm/main arm64 Packages [8685 kB]
0.313 Get:5 http://deb.debian.org/debian bookworm-updates/main arm64 Packages [13.7 kB]
0.314 Get:6 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages [157 kB]
0.485 Get:7 https://nginx.org/packages/mainline/debian bookworm InRelease [2869 B]
0.502 Err:7 https://nginx.org/packages/mainline/debian bookworm InRelease
0.502   The following signatures were invalid: EXPKEYSIG ABF5BD827BD9BF62 nginx signing key <signing-key@nginx.com>
0.958 Reading package lists...
1.218 W: GPG error: https://nginx.org/packages/mainline/debian bookworm InRelease: The following signatures were invalid: EXPKEYSIG ABF5BD827BD9BF62 nginx signing key <signing-key@nginx.com>
1.218 E: The repository 'https://nginx.org/packages/mainline/debian bookworm InRelease' is not signed.
------
Dockerfile.oss:32
--------------------
  31 |     
  32 | >>> RUN set -eux \
  33 | >>>     export DEBIAN_FRONTEND=noninteractive; \
  34 | >>>     mkdir -p /var/cache/nginx/s3_proxy; \
  35 | >>>     chown nginx:nginx /var/cache/nginx/s3_proxy; \
  36 | >>>     chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh; \
  37 | >>>     echo "deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx" >> /etc/apt/sources.list.d/nginx.list; \
  38 | >>>     apt-get update; \
  39 | >>>     apt-get install --no-install-recommends --no-install-suggests --yes \
  40 | >>>       curl \
  41 | >>>       libedit2 \
  42 | >>>       nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE}; \
  43 | >>>     apt-get remove --purge --auto-remove --yes; \
  44 | >>>     rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list
  45 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c set -eux     export DEBIAN_FRONTEND=noninteractive;     mkdir -p /var/cache/nginx/s3_proxy;     chown nginx:nginx /var/cache/nginx/s3_proxy;     chmod -R -v +x /docker-entrypoint.sh /docker-entrypoint.d/*.sh;     echo \"deb [signed-by=/etc/apt/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian/ $(echo $PKG_RELEASE | cut -f2 -d~) nginx\" >> /etc/apt/sources.list.d/nginx.list;     apt-get update;     apt-get install --no-install-recommends --no-install-suggests --yes       curl       libedit2       nginx-module-njs=${NGINX_VERSION}+${NJS_VERSION}-${NJS_RELEASE};     apt-get remove --purge --auto-remove --yes;     rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list" did not complete successfully: exit code: 100

Expected behavior

The container builds successfully

Your environment

Building OSS container from source on an Apple M2 Pro with Docker Desktop 4.27.1 (136059) (Engine v25.0.2)

Alessandro Fael Garcia · Answer 1 · Fri Jun 21 2024 05:57:50 GMT+0800 (China Standard Time)

Heya @chris-dickson! Thanks for reporting the issue! 2fcb617 should have fixed it the OSS Dockerfile!