Fix Dev Container build failure from expired Yarn GPG key #4836

Closed
Copilot wants to merge 5 commits into main from copilot/fix-expired-yarn-gpg-key

Contributor

Copilot AI commented Jan 30, 2026

What is being addressed

Dev Container builds fail during apt update with NO_PUBKEY 62D54FD4003F6525. Yarn's GPG key expired and was replaced with a new signing key on 2026-01-28.

How is this addressed

  • Add RUN command in .devcontainer/Dockerfile to fetch updated Yarn GPG key before apt operations using the verified working solution:
RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg \
    | gpg --batch --yes --dearmor -o /usr/share/keyrings/yarn-archive-keyring.gpg
  • Uses /usr/share/keyrings/yarn-archive-keyring.gpg (correct keyring location for the base image)
  • Adds --batch --yes flags to gpg command for non-interactive operation
  • Uses -o flag for direct output instead of tee
  • Placed after SHELL directive to execute before Docker installation and other apt-dependent operations
  • Updated CHANGELOG.md in BUG FIXES section
Original prompt

This section details on the original issue you should resolve

<issue_title>[Dev Container] Build fails due to expired Yarn GPG key (NO_PUBKEY 62D54FD4003F6525)</issue_title>
<issue_description>Describe the bug
[Dev Container] Build fails due to expired Yarn GPG key (NO_PUBKEY 62D54FD4003F6525)
see devcontainers/images#370
and devcontainers/images#1752 (comment)
yarnpkg/yarn#9218
Steps to reproduce

  1. rebuild devcontainer
  2. observe error in devcontainer log

Azure TRE release version (e.g. v0.14.0 or main):
main
Deployed Azure TRE components - click the (i) in the UI:
N/A

Workaround

adding this to line 18 of the dockerfile has worked for me

# Remove problematic yarn APT source with expired GPG key
RUN rm -f /etc/apt/sources.list.d/yarn.list || true

</issue_description>

<agent_instructions>Take the approach detailed: #4832 (comment)</agent_instructions>

Comments on the Issue (you are @copilot in this section)

@marrobi https://github.com/yarnpkg/yarn/issues/9216

I'm hoping it will start working again soon. Maybe the base image needs a rebuild.</comment_new>
<comment_new>@marrobi
Maybe we should do as per: mealie-recipes/mealie#6943 (comment)

Would avoid a reoccurrence.

FROM ....
RUN  curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor | sudo tee /etc/apt/keyrings/yarn-archive-keyring.gpg
```</body></comment_new>
</comments>


Copilot AI and others added 2 commits January 30, 2026 16:26
- Add RUN command to update Yarn GPG key before apt operations
- Update CHANGELOG.md with bug fix entry
- Resolves issue #4832

Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com>
Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix build failure due to expired Yarn GPG key Fix Dev Container build failure from expired Yarn GPG key Jan 30, 2026
Copilot AI requested a review from marrobi January 30, 2026 16:31
@JC-wk
Collaborator

JC-wk commented Jan 30, 2026

Fyi @marrobi this errors for me
1.674 W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 62D54FD4003F6525

@marrobi marrobi requested review from JC-wk and tamirkamara January 30, 2026 18:28
@marrobi
Member

marrobi commented Jan 30, 2026

@tamirkamara if this isn't fixed by Monday, suggest we merge this.

@JC-wk
Collaborator

JC-wk commented Jan 30, 2026

this variant worked for me @marrobi see devcontainers/images#1752

RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg \
  | sudo gpg \
        --batch \
        --yes \
        --dearmor \
        -o /usr/share/keyrings/yarn-archive-keyring.gpg

@marrobi
Member

marrobi commented Jan 30, 2026

@copilot see #4836 (comment) and https://github.com//pull/4836#issuecomment-3824982124 check the devcontainer builds

- Use /usr/share/keyrings path instead of /etc/apt/keyrings
- Add --batch --yes flags to gpg for non-interactive operation
- Use -o flag for direct output instead of tee
- Based on verified working solution from devcontainers/images#1752

Co-authored-by: marrobi <17089773+marrobi@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 30, 2026

Fyi @marrobi this errors for me
`1.674 W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 6...

Fixed in commit 8371462. Updated to use the working solution with /usr/share/keyrings path and --batch --yes GPG flags.

this variant worked for me @marrobi see devcontainers/images#1752

RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg \

...

Thanks for the working solution! Implemented in commit 8371462.

@copilot see #4836 (comment) and https://github.com//pull/4836#issuecomment-3824982124 check the devcontainer builds

Updated to use the verified working solution in commit 8371462. The fix now uses /usr/share/keyrings/yarn-archive-keyring.gpg with --batch --yes flags as suggested.

@marrobi
Member

marrobi commented Jan 30, 2026

/test 8371462

This might give us a cached dev container build that works.

@github-actions

🤖 pr-bot 🤖

🏃 Running tests: https://github.com/microsoft/AzureTRE/actions/runs/21530235074 (with refid a88b5ded)

(in response to this comment from @marrobi)

@marrobi marrobi marked this pull request as ready for review January 30, 2026 21:09
@marrobi marrobi requested a review from a team as a code owner January 30, 2026 21:09
Copilot AI review requested due to automatic review settings January 30, 2026 21:09
@github-actions

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 9a7f800.

Contributor

Copilot AI left a comment

Pull request overview

This PR fixes a Dev Container build failure caused by Yarn's expired GPG key (NO_PUBKEY 62D54FD4003F6525) by updating to the new signing key released on 2026-01-28.

Changes:

  • Added RUN command in .devcontainer/Dockerfile to fetch and install the updated Yarn GPG key before apt operations
  • Updated CHANGELOG.md with bug fix entry under the BUG FIXES section

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File | Description
.devcontainer/Dockerfile | Added GPG key update command after SHELL directive to fetch new Yarn signing key and install to /usr/share/keyrings/yarn-archive-keyring.gpg
CHANGELOG.md | Added bug fix entry documenting the Yarn GPG key fix with issue reference #4832

Comment thread .devcontainer/Dockerfile
Comment on lines +21 to +22
RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg \
| gpg --batch --yes --dearmor -o /usr/share/keyrings/yarn-archive-keyring.gpg
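
Review bot: line +22 writes whatever dl.yarnpkg.com returns at build time straight into /usr/share/keyrings/yarn-archive-keyring.gpg, with no check that it is the expected signing key, so the download becomes the apt trust root for that repository unverified. Suggest downloading to a temporary file, confirming with gpg --show-keys that it contains the key apt asks for (62D54FD4003F6525 in the NO_PUBKEY error) or a fingerprint pinned in the Dockerfile, and only then dearmoring it into the keyring.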

Copilot AI Jan 30, 2026

The GPG key update command lacks error handling. If the curl command fails (e.g., due to network issues or if the URL changes), the pipe will silently fail and the build will continue without updating the key, potentially leading to the same apt update failures this fix is meant to prevent.

Consider adding error handling by either:

  1. Running the curl command separately with explicit error checking
  2. Adding set -e behavior to ensure the RUN command fails on any error in the pipeline

This is especially important since this fix is critical for the build to succeed, and silent failures would be difficult to debug.

Suggested change
RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg \
| gpg --batch --yes --dearmor -o /usr/share/keyrings/yarn-archive-keyring.gpg
RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg -o /tmp/yarn-pubkey.gpg \
&& gpg --batch --yes --dearmor -o /usr/share/keyrings/yarn-archive-keyring.gpg /tmp/yarn-pubkey.gpg
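
Review bot: the replacement RUN leaves /tmp/yarn-pubkey.gpg behind in the image layer once gpg has read it. Append && rm -f /tmp/yarn-pubkey.gpg to the same RUN so the temporary file is not committed with the layer.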

Copilot uses AI. Check for mistakes.
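
An added illustration of the pipeline behaviour discussed in the review comment above; it is not code from this pull request. The stand-ins are constructed so it runs offline: `sh -c "exit 22"` plays a failing `curl -f` (22 is curl's exit code for an HTTP error), `cat > file` plays `gpg --dearmor -o`, and the function name `pipeline_status` is hypothetical. Whether a plain pipe masks the failure in a real build depends on the shell options in effect for the RUN line, which this page does not show.

```bash
#!/usr/bin/env bash
# pipeline_status MODE
#   Runs a failing "download" feeding a "keyring writer" and prints
#   "<exit status> <keyring size in bytes, or 'missing'>".
#   MODE: default  - plain pipe, no pipefail
#         pipefail - same pipe with `set -o pipefail`
#         split    - download to a temp file, then install with &&
pipeline_status() {
    case $1 in
        default)  script='sh -c "exit 22" | cat > "$1"' ;;
        pipefail) script='set -o pipefail; sh -c "exit 22" | cat > "$1"' ;;
        split)    script='sh -c "exit 22" > "$1.tmp" && cat "$1.tmp" > "$1"' ;;
        *)        echo "unknown mode: $1" >&2; return 2 ;;
    esac

    dir=$(mktemp -d) || return 1
    keyring="$dir/yarn-archive-keyring.gpg"   # constructed path inside a temp dir

    # Run each variant in its own bash so the shell options do not leak.
    status=0
    bash -c "$script" _ "$keyring" || status=$?

    if [ -e "$keyring" ]; then
        size=$(wc -c < "$keyring" | tr -d ' ')
    else
        size=missing
    fi
    rm -rf "$dir"
    echo "$status $size"
}

# default  -> "0 0"        status of the last command wins; empty keyring written
# pipefail -> "22 0"       failure is reported, but the empty keyring still exists
# split    -> "22 missing" failure is reported and the keyring is never created
for mode in default pipefail split; do
    printf '%-8s -> %s\n' "$mode" "$(pipeline_status "$mode")"
done
```
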
Collaborator

@JC-wk JC-wk left a comment

Development

Successfully merging this pull request may close these issues.

[Dev Container] Build fails due to expired Yarn GPG key (NO_PUBKEY 62D54FD4003F6525)