Documentation reference: https://cloud.google.com/shell/docs/customizing-container-image

I am attempting to create a custom Cloud Shell container using the documentation above.
I haven’t done anything wild in the Dockerfile:

FROM gcr.io/cloudshell-images/cloudshell:latest

RUN sudo apt -q update
RUN sudo apt -q install zsh virtualenvwrapper zsh-syntax-highlighting ttf-ancient-fonts fonts-powerline -y

Attempting to run cloudshell env build-local results in errors related to keys after the initial build has ended and the two lines I added to the Dockerfile start executing.

Paste of some of the log below (note: I am omitting a bunch of lines related to ‘Get NN’ as they weren’t throwing errors).

=> ERROR [2/3] RUN sudo apt -q update                                                                                                                                                           12.1s
------
 > [2/3] RUN sudo apt -q update:
0.706 
0.706 WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
0.707 
0.995 Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
2.453 Get:23 http://deb.debian.org/debian bullseye-updates/main amd64 Packages T-2023-12-29-1403.39-F-2023-12-11-2008.48.pdiff [1914 B]
2.622 Err:6 https://cli.github.com/packages bullseye InRelease
2.622   The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <[email protected]>
3.091 Err:8 https://packages.sury.org/php bullseye InRelease
3.091   The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>
3.423 Get:27 https://packages.microsoft.com/debian/11/prod bullseye/main arm64 Packages [37.6 kB]
3.556 Err:10 https://repo.mysql.com/apt/debian bullseye InRelease
3.556   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B7B3B788A8D3785C
3.942 Get:28 https://packages.cloud.google.com/apt cloud-sdk-bullseye/main all Packages [1561 kB]
4.110 Get:29 https://apt.postgresql.org/pub/repos/apt bullseye-pgdg/main amd64 Packages [362 kB]
4.115 Get:30 https://packages.cloud.google.com/apt cloud-sdk-bullseye/main amd64 Packages [3355 kB]
4.767 Reading package lists...
5.662 W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://cli.github.com/packages bullseye InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI <[email protected]>
5.662 E: Repository 'https://packages.cloud.google.com/apt gcsfuse-bullseye InRelease' changed its 'Origin' value from 'namespaces/gcs-fuse-prod/repositories/gcsfuse-bullseye' to 'gcsfuse-bullseye'
5.662 E: Repository 'https://packages.cloud.google.com/apt gcsfuse-bullseye InRelease' changed its 'Label' value from 'namespaces/gcs-fuse-prod/repositories/gcsfuse-bullseye' to 'gcsfuse-bullseye'
5.662 W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key <[email protected]>
5.662 W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://repo.mysql.com/apt/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B7B3B788A8D3785C
------
Dockerfile:3
--------------------
   1 |     FROM gcr.io/cloudshell-images/cloudshell:latest
   2 |     
   3 | >>> RUN sudo apt -q update
   4 |     RUN sudo apt -q install zsh virtualenvwrapper zsh-syntax-highlighting ttf-ancient-fonts fonts-powerline -y
   5 |     
--------------------
ERROR: failed to solve: process "/bin/sh -c sudo apt -q update" did not complete successfully: exit code: 100
my_user@cloudshell:~/_repos/gcp_custom_cloudshell$ 

Does anyone have any insight into this? I did some Googling and was finding similar(ish) stuff from 2022 related to GitHub cli having expired keys, and a similar issue with Ubuntu at one point, but nothing specific to the Cloud Shell image.

I looked at the Artifact Registry and it was last updated 11 days ago (albeit created in 2023):
[Image: cloud shell registry]

2 Answers


  1. Possible issue

    From this error message

    2.622 The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI [email protected]

    It seems that ‘apt’ (Debian package manager) downloaded the repo content, e.g., the repo index, and while attempting to verify the digital signature of the repo index, it found that the public key for the repo that it has access to has expired.

    Explanation of how apt works

    Debian-based package manager apt relies on:

    a. A repo configuration file located in /etc/apt/sources.list.d/ for each repo that apt uses to download Debian packages

    b. The GPG keys (in /etc/apt/keyrings/) to verify digital signatures accompanying the contents from the repo

    In the repo config file (item a.), there is a signed-by directive pointing to the GPG key (item b.) that is used to verify digital signatures of content from the repo.

    Example of a repo config file for github-cli might likely be /etc/apt/sources.list.d/github-cli.list

    deb [arch=amd64 signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main
    

    Possible solution

    Perhaps download the updated key from here using the GPG key fingerprint 23F3D4EA75716059:

    curl -O https://cli.github.com/packages/githubcli-archive-keyring.gpg

    And when building the image put this GPG key in /etc/apt/keyrings/ and edit the repo config file for the repo containing github-cli (likely /etc/apt/sources.list.d/github-cli.list) to add/change the signed-by directive to point to this updated GPG key location.

    Further reference

    This is the official link showing how github-cli can be installed on Debian-based systems:

    https://github.com/cli/cli/blob/trunk/docs/install_linux.md#debian-ubuntu-linux-raspberry-pi-os-apt

    The one-liner in the doc to install github-cli:

    (type -p wget >/dev/null || (sudo apt update && sudo apt-get install wget -y)) \
        && sudo mkdir -p -m 755 /etc/apt/keyrings \
        && wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
        && sudo chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
        && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
        && sudo apt update \
        && sudo apt install gh -y
    
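The chain this answer describes (failing repository, its sources entry, the keyring named by signed-by), as an added example that is not part of the original answer: the script reads `apt update` output and reports, for each repository whose signature check failed, the status, the key ID, and the keyring file to refresh. The function names are hypothetical, the sample log lines are shortened from the build log in the question, and the repository URL is assumed to appear identically in the log and in the sources entry.

```shell
#!/bin/sh
# Added example: map apt signature failures to the keyring that must be replaced.

# Print the signed-by keyring of the first "deb" line in $1/*.list using URL $2.
keyring_for_url() {
    for f in "$1"/*.list; do
        [ -f "$f" ] || continue
        awk -v url="$2" '
            $1 == "deb" && index($0, " " url " ") {
                if (match($0, /signed-by=[^] ]+/)) {
                    # "signed-by=" is 10 characters long; keep only the path
                    print substr($0, RSTART + 10, RLENGTH - 10); exit
                }
            }' "$f"
    done | head -n 1
}

# stdin: `apt update` output. $1: sources directory.
# Output per failing repo: <status> <key id> <repo URL> <keyring or "-">
apt_key_failures() {
    src_dir="${1:-/etc/apt/sources.list.d}"
    # Only the "GPG error:" warnings carry URL, status and key ID on one line.
    sed -nE 's/.*GPG error: ([^ ]+) .*(EXPKEYSIG|NO_PUBKEY) ([0-9A-F]+).*/\2 \3 \1/p' |
    sort -u |
    while read -r status keyid url; do
        keyring=$(keyring_for_url "$src_dir" "$url")
        # "-" means no sources entry with a signed-by directive was found
        printf '%s %s %s %s\n' "$status" "$keyid" "$url" "${keyring:--}"
    done
}

demo() {
    dir=$(mktemp -d)
    # Constructed sources entry, taken from the github-cli example in the answer.
    echo 'deb [arch=amd64 signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main' > "$dir/github-cli.list"
    # Warning lines shortened from the question's log (constructed sample input).
    apt_key_failures "$dir" <<'EOF'
W: GPG error: https://cli.github.com/packages bullseye InRelease: The following signatures were invalid: EXPKEYSIG 23F3D4EA75716059 GitHub CLI
W: GPG error: https://packages.sury.org/php bullseye InRelease: The following signatures were invalid: EXPKEYSIG B188E2B695BD4743 DEB.SURY.ORG Automatic Signing Key
W: GPG error: https://repo.mysql.com/apt/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY B7B3B788A8D3785C
EOF
    rm -rf "$dir"
}

demo
```

In a real build, pipe the saved `apt update` output into `apt_key_failures /etc/apt/sources.list.d` inside the image; a `-` in the last column means the repository has no sources entry with a signed-by directive in that directory.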
  2. The Cloud Shell image is released ~weekly, but the tag for the public image gcr.io/cloudshell-images/cloudshell:latest was historically updated on a slower cycle and resulted in the errors you experienced.

    In particular, cloud-shell-v20231128-000053 was built long enough ago that keys within the image had expired. Since the system package manager couldn’t verify the integrity of resources it needed to fetch, it bailed out.

    To fix this issue, use the newest release that was introduced in late October (current :latest). You can verify that you have the right image by running lsb_release -a both in the local image, and in a Cloud Shell session. As of December 2024, it should be running Ubuntu 24.04.
