gpg keyserver timed out #348

Closed
spacepirate0001 opened this issue May 1, 2019 · 4 comments


spacepirate0001 commented May 1, 2019

When attempting to reproduce official build steps, gpg keyserver --keyserver ha.pool.sks-keyservers.net seems to not find the referenced key B42F6819007F00F88E364FD4036A9C25BF357DD4 even via GUI.

During build this results in the following error:

```
gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys 9DA31620334BD75D9DCB49F368818C72E52529D4
gpg: keyring "/tmp/tmp.8lxj168dRM/secring.gpg" created
gpg: keyring "/tmp/tmp.8lxj168dRM/pubring.gpg" created
gpg: requesting key E52529D4 from hkp server ha.pool.sks-keyservers.net
gpg: keyserver timed out
gpg: keyserver receive failed: keyserver error
```

Get around:
apt-get install -y --allow-unauthenticated

This will produce the following warnings during build, but build will complete successfully:
```
GPG error: http://repo.mongodb.org/apt/ubuntu xenial/mongodb-org/4.0 Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 68818C72E52529D4

WARNING: The following packages cannot be authenticated!
  mongodb-org-shell mongodb-org-server mongodb-org-mongos mongodb-org-tools mongodb-org
Authentication warning overridden.
```

It would be great if we can verify the source, so we can close the supply-chain (make things secure). I learned that at DockerCon 19 today lol! Shout out to Andy Clemenko from Docker.

Member

tianon commented May 1, 2019

@spacepirate0001
Author

@tianon Is it possible for me to build this as an image, run it as a container and direct --keyserver to container IP?

Member

tianon commented May 2, 2019

Yes, some of that is documented in https://github.com/tianon/pgp-happy-eyeballs, and that's what we do on our official infrastructure.

You could also just retry the build a few times (it should eventually succeed) or edit that line of the Dockerfile to try several servers in a loop, but IMO hijacking DNS and using pgp-happy-eyeballs transparently for all containers is the simpler solution especially if you plan to do more of these sorts of rebuilds.
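The "try several servers in a loop" option from the comment above, as an added example (not code from this thread or from the project's Dockerfile): it keeps signature verification in place by importing the key by its full fingerprint and confirming that fingerprint after import. The function names, the `RETRIES`/`RETRY_DELAY` settings and the second entry in `KEYSERVERS` are assumptions.

```shell
#!/bin/sh
# Added example. KEYSERVERS is an assumed list: the first entry is the server
# from the issue, the second is an assumed alternative; use servers you trust.
KEYSERVERS="${KEYSERVERS:-ha.pool.sks-keyservers.net keyserver.ubuntu.com}"
RETRIES="${RETRIES:-2}"          # number of passes over the whole list
RETRY_DELAY="${RETRY_DELAY:-3}"  # seconds to wait between passes

# has_fingerprint FPR: succeed only if the keyring holds a key whose full
# fingerprint equals FPR (field 10 of an "fpr" record in --with-colons output).
has_fingerprint() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null |
        awk -F: -v want="$1" '$1 == "fpr" && $10 == want { ok = 1 } END { exit !ok }'
}

# fetch_key FPR: return 0 once FPR is imported and verified, 1 if every
# server failed on every pass, 2 if FPR is not a full fingerprint.
fetch_key() {
    fpr=$1
    # Short key IDs such as E52529D4 can collide, so only a full
    # 40-hex-digit fingerprint is accepted.
    case $fpr in
        *[!0-9A-F]*|'') echo "not an uppercase hex fingerprint: $fpr" >&2; return 2 ;;
    esac
    [ "${#fpr}" -eq 40 ] || { echo "need a full 40-digit fingerprint" >&2; return 2; }

    pass=1
    while [ "$pass" -le "$RETRIES" ]; do
        for server in $KEYSERVERS; do
            # A timeout or error on one server moves on to the next one.
            if gpg --batch --keyserver "$server" --recv-keys "$fpr" &&
               has_fingerprint "$fpr"; then
                echo "imported $fpr from $server" >&2
                return 0
            fi
            echo "keyserver $server failed (pass $pass)" >&2
        done
        pass=$((pass + 1))
        [ "$pass" -le "$RETRIES" ] && sleep "$RETRY_DELAY"
    done
    return 1
}
```

In a Dockerfile `RUN` step this would be called as `fetch_key 9DA31620334BD75D9DCB49F368818C72E52529D4`, with a non-zero exit status failing the build.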

tianon closed this as completed May 2, 2019
Member

tianon commented May 2, 2019

See tianon/pgp-happy-eyeballs#1 for more discussion of usage.
