apt repo for Xenial says the package cannot be authenticated

[hamid-elaosta]

I have 4 brand new, out of the box pieces of hardware, I've installed Xenial 16.04 on them and updated all packages.

Having added the key for docker and the xenial package repository and attempted to install docker-engine on each of the four machines, I get the following error;

user@Machine:~$ sudo apt-get install -y docker-engine
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  aufs-tools cgroupfs-mount libltdl7
Suggested packages:
  mountall
The following NEW packages will be installed
  aufs-tools cgroupfs-mount docker-engine libltdl7
0 to upgrade, 4 to newly install, 0 to remove and 0 not to upgrade.
Need to get 14.6 MB of archives.
After this operation, 73.8 MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  docker-engine
E: There were unauthenticated packages and -y was used without --allow-unauthenticated
user@Machine:~$ 

Is the package in the Xenial repository not signed?

[thaJeztah]

did you run sudo apt-key update and sudo apt-get update before installing?

[hamid-elaosta]

@thaJeztah Yes, indeed.

user@Machine:~$ sudo apt-key update
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>" not changed
gpg: key FBB75451: "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" not changed
gpg: key C0B21F32: "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>" not changed
gpg: key EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" not changed
gpg: Total number processed: 4
gpg:              unchanged: 4
user@Machine:~$ sudo apt-get update
Hit:1 http://gb.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease       
Get:3 http://gb.archive.ubuntu.com/ubuntu xenial-updates InRelease [93.3 kB]
Hit:4 http://gb.archive.ubuntu.com/ubuntu xenial-backports InRelease
Ign:5 https://apt.dockerproject.org/repo ubuntu-xenial InRelease
Hit:6 https://apt.dockerproject.org/repo ubuntu-xenial Release
Get:7 https://apt.dockerproject.org/repo ubuntu-xenial Release.gpg [801 B]
Fetched 94.1 kB in 0s (132 kB/s)    
Reading package lists... Done
user@Machine:~$ sudo apt-get install docker-engine
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  aufs-tools cgroupfs-mount libltdl7
Suggested packages:
  mountall
The following NEW packages will be installed
  aufs-tools cgroupfs-mount docker-engine libltdl7
0 to upgrade, 4 to newly install, 0 to remove and 0 not to upgrade.
Need to get 14.6 MB of archives.
After this operation, 73.8 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
WARNING: The following packages cannot be authenticated!
  docker-engine
Install these packages without verification? [y/N] 

And the key in case anyone is wondering (showing it's already installed):

user@Machine:~$ sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
Executing: /tmp/tmp.4H9K17guXi/gpg.1.sh --keyserver
hkp://p80.pool.sks-keyservers.net:80
--recv-keys
58118E89F3A912897C070ADBF76221572C52609D
gpg: requesting key 2C52609D from hkp server p80.pool.sks-keyservers.net
gpg: key 2C52609D: "Docker Release Tool (releasedocker) <docker@docker.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
user@Machine:~$ 

[thaJeztah]

I don't have a physical box to test on, but I just created a fresh Ubuntu Xenial droplet on DigitalOcean, but I'm not able to reproduce, using these steps;

apt-get update
apt-get install apt-transport-https ca-certificates
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install docker-engine

[thaJeztah]

(skipped some steps, such as installing dependencies for aufs, and updating apparmor)

[hamid-elaosta]

Ok, I solved it by deleting the key from the documentation: HERE

Unfortunately, this means, since I did not receive the pubkey directly from the Docker documentation I have no way to prove the docker-engine I downloaded is the version from Docker themselves, that it is genuine, or even that the signature I retrieved from the keyserver is really whom it claims to be.

Essentially, for all intents and purposes, I have circumvented the exact reason package signatures exist, which is to prove the author.

58118E89F3A912897C070ADBF76221572C52609D

and instead using the one suggested in the out put of apt-get update

Reading package lists... Done
W: GPG error: https://apt.dockerproject.org/repo ubuntu-xenial Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F76221572C52609D
W: The repository 'https://apt.dockerproject.org/repo ubuntu-xenial Release' is not signed.
N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: There is no public key available for the following key IDs:
F76221572C52609D  

``

[thaJeztah]

your output states;

https://apt.dockerproject.org/repo ubuntu-xenial Release

What does /etc/apt/sources.list.d/docker.list contain? Perhaps I'm confused, but the repository should be main, not Release

[thaJeztah]

Never mind, I suspect that's the output of the GPG error only. But don't understand why it wouldn't work for you

[thaJeztah]

ping @tianon any ideas what can cause this? I'm not able to reproduce

[hamid-elaosta]

@thaJeztah That did make me wonder, when I saw that, but here's the content:

user@Machine:~$ cat /etc/apt/sources.list.d/docker.list                                                            
deb https://apt.dockerproject.org/repo ubuntu-xenial main
user@Machine:~$

[thaJeztah]

Sorry, I don't have a clear answer what can cause this. Is there something special in your setup (a proxy-server, apt-cacher?)

[hamid-elaosta]

Not that I'm aware of, but it's possible something operations have done I'm unaware of. I've set up all the systems now by deleting the keys and adding the one suggested in apt-get update. I'll look into it more if it occurs again. Thanks.

[mrmikee]

I was able to reach all Ubuntu official ppa's, but I had the problem of not getting the keys for the Docker ppa. Which is what led me to this post.

W: GPG error: https://apt.dockerproject.org/repo ubuntu-xenial Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F76221572C52609D

added proxy settings. Seems the company proxy allowed direct to "official" ppa's but proxied the one for docker. This 'fixed' the key issue but there still remains the issue of verification.

Still have issue verifying package:

# apt-get install docker-engine
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  aufs-tools cgroupfs-mount
Suggested packages:
  mountall
The following NEW packages will be installed:
  aufs-tools cgroupfs-mount docker-engine
0 upgraded, 3 newly installed, 0 to remove and 3 not upgraded.
Need to get 14.6 MB of archives.
After this operation, 73.7 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
WARNING: The following packages cannot be authenticated!
  docker-engine
Install these packages without verification? [y/N]

[errordeveloper]

I have this problem too.

I am using this:

#cloud-config

repo_update: true
repo_upgrade: all

apt_sources:
  - source: "deb https://apt.dockerproject.org/repo ubuntu-xenial main"
    key: |
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      mQINBFWln24BEADrBl5p99uKh8+rpvqJ48u4eTtjeXAWbslJotmC/CakbNSqOb9o
      ddfzRvGVeJVERt/Q/mlvEqgnyTQy+e6oEYN2Y2kqXceUhXagThnqCoxcEJ3+KM4R
      mYdoe/BJ/J/6rHOjq7Omk24z2qB3RU1uAv57iY5VGw5p45uZB4C4pNNsBJXoCvPn
      TGAs/7IrekFZDDgVraPx/hdiwopQ8NltSfZCyu/jPpWFK28TR8yfVlzYFwibj5WK
      dHM7ZTqlA1tHIG+agyPf3Rae0jPMsHR6q+arXVwMccyOi+ULU0z8mHUJ3iEMIrpT
      X+80KaN/ZjibfsBOCjcfiJSB/acn4nxQQgNZigna32velafhQivsNREFeJpzENiG
      HOoyC6qVeOgKrRiKxzymj0FIMLru/iFF5pSWcBQB7PYlt8J0G80lAcPr6VCiN+4c
      NKv03SdvA69dCOj79PuO9IIvQsJXsSq96HB+TeEmmL+xSdpGtGdCJHHM1fDeCqkZ
      hT+RtBGQL2SEdWjxbF43oQopocT8cHvyX6Zaltn0svoGs+wX3Z/H6/8P5anog43U
      65c0A+64Jj00rNDr8j31izhtQMRo892kGeQAaaxg4Pz6HnS7hRC+cOMHUU4HA7iM
      zHrouAdYeTZeZEQOA7SxtCME9ZnGwe2grxPXh/U/80WJGkzLFNcTKdv+rwARAQAB
      tDdEb2NrZXIgUmVsZWFzZSBUb29sIChyZWxlYXNlZG9ja2VyKSA8ZG9ja2VyQGRv
      Y2tlci5jb20+iQI4BBMBAgAiBQJVpZ9uAhsvBgsJCAcDAgYVCAIJCgsEFgIDAQIe
      AQIXgAAKCRD3YiFXLFJgnbRfEAC9Uai7Rv20QIDlDogRzd+Vebg4ahyoUdj0CH+n
      Ak40RIoq6G26u1e+sdgjpCa8jF6vrx+smpgd1HeJdmpahUX0XN3X9f9qU9oj9A4I
      1WDalRWJh+tP5WNv2ySy6AwcP9QnjuBMRTnTK27pk1sEMg9oJHK5p+ts8hlSC4Sl
      uyMKH5NMVy9c+A9yqq9NF6M6d6/ehKfBFFLG9BX+XLBATvf1ZemGVHQusCQebTGv
      0C0V9yqtdPdRWVIEhHxyNHATaVYOafTj/EF0lDxLl6zDT6trRV5n9F1VCEh4Aal8
      L5MxVPcIZVO7NHT2EkQgn8CvWjV3oKl2GopZF8V4XdJRl90U/WDv/6cmfI08GkzD
      YBHhS8ULWRFwGKobsSTyIvnbk4NtKdnTGyTJCQ8+6i52s+C54PiNgfj2ieNn6oOR
      7d+bNCcG1CdOYY+ZXVOcsjl73UYvtJrO0Rl/NpYERkZ5d/tzw4jZ6FCXgggA/Zxc
      jk6Y1ZvIm8Mt8wLRFH9Nww+FVsCtaCXJLP8DlJLASMD9rl5QS9Ku3u7ZNrr5HWXP
      HXITX660jglyshch6CWeiUATqjIAzkEQom/kEnOrvJAtkypRJ59vYQOedZ1sFVEL
      MXg2UCkD/FwojfnVtjzYaTCeGwFQeqzHmM241iuOmBYPeyTY5veF49aBJA1gEJOQ
      TvBR8Q==
      =Fm3p
      -----END PGP PUBLIC KEY BLOCK-----

packages:
  - curl
  - docker-engine

I'm using this with ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20160420.3 (ami-840910ee) in us-east-1. It worked perfectly on 15.10, broke on 16.04.

I've logged in to the box and tried to add tried this:

ubuntu@ip-172-20-0-133:~$ sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
Executing: /tmp/tmp.PMl7qDEbHB/gpg.1.sh --keyserver
hkp://p80.pool.sks-keyservers.net:80
--recv-keys
58118E89F3A912897C070ADBF76221572C52609D
gpg: requesting key 2C52609D from hkp server p80.pool.sks-keyservers.net
gpg: key 2C52609D: "Docker Release Tool (releasedocker) <docker@docker.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
ubuntu@ip-172-20-0-133:~$ sudo apt-key update
gpg: key 437D05B5: "Ubuntu Archive Automatic Signing Key <ftpmaster@ubuntu.com>" not changed
gpg: key FBB75451: "Ubuntu CD Image Automatic Signing Key <cdimage@ubuntu.com>" not changed
gpg: key C0B21F32: "Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>" not changed
gpg: key EFE21092: "Ubuntu CD Image Automatic Signing Key (2012) <cdimage@ubuntu.com>" not changed
gpg: Total number processed: 4
gpg:              unchanged: 4
ubuntu@ip-172-20-0-133:~$ sudo apt-get update
Hit:1 http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:3 http://us-east-1.ec2.archive.ubuntu.com/ubuntu xenial-backports InRelease
Ign:4 https://apt.dockerproject.org/repo ubuntu-xenial InRelease                 
Hit:5 https://apt.dockerproject.org/repo ubuntu-xenial Release
Get:6 https://apt.dockerproject.org/repo ubuntu-xenial Release.gpg [801 B]
Hit:7 http://security.ubuntu.com/ubuntu xenial-security InRelease                   
Fetched 801 B in 0s (3,015 B/s)                    
Reading package lists... Done
ubuntu@ip-172-20-0-133:~$ sudo apt-get install docker-engine
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  aufs-tools cgroupfs-mount libltdl7
Suggested packages:
  mountall
The following NEW packages will be installed:
  aufs-tools cgroupfs-mount docker-engine libltdl7
0 upgraded, 4 newly installed, 0 to remove and 27 not upgraded.
Need to get 14.6 MB of archives.
After this operation, 73.8 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
WARNING: The following packages cannot be authenticated!
  docker-engine
Install these packages without verification? [y/N] n
E: Some packages could not be authenticated
ubuntu@ip-172-20-0-133:~$ 

As you can see, there is clearly an issue with signing.

[tianon]

I can't reproduce: 😢

FROM ubuntu:xenial

RUN apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 \
    --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

RUN echo 'deb http://apt.dockerproject.org/repo ubuntu-xenial main' \
    > /etc/apt/sources.list.d/docker.list

RUN apt-get update && apt-get install -y docker-engine

RUN docker -v

(output below trimmed for readability)

$ docker build .
Sending build context to Docker daemon 2.048 kB
Step 1 : FROM ubuntu:xenial
 ---> c5f1cf30c96b
Step 2 : RUN apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
 ---> Running in a8f553d5d9bb
Executing: /tmp/tmp.CB21FieIfD/gpg.1.sh --keyserver
hkp://p80.pool.sks-keyservers.net:80
--recv-keys
58118E89F3A912897C070ADBF76221572C52609D
gpg: requesting key 2C52609D from hkp server p80.pool.sks-keyservers.net
gpg: key 2C52609D: public key "Docker Release Tool (releasedocker) <docker@docker.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
 ---> 0badecc43513
Removing intermediate container a8f553d5d9bb
Step 3 : RUN echo 'deb http://apt.dockerproject.org/repo ubuntu-xenial main' > /etc/apt/sources.list.d/docker.list
 ---> Running in 4bd4bf38861b
 ---> 304769780460
Removing intermediate container 4bd4bf38861b
Step 4 : RUN apt-get update && apt-get install -y docker-engine
 ---> Running in 11363734857d
Ign:1 http://apt.dockerproject.org/repo ubuntu-xenial InRelease
Get:2 http://apt.dockerproject.org/repo ubuntu-xenial Release [19.7 kB]
Get:3 http://apt.dockerproject.org/repo ubuntu-xenial Release.gpg [801 B]
Get:4 http://archive.ubuntu.com/ubuntu xenial InRelease [247 kB]
Get:5 http://apt.dockerproject.org/repo ubuntu-xenial/main amd64 Packages [1224 B]
Get:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease [94.5 kB]
...
Get:25 http://archive.ubuntu.com/ubuntu xenial-security/universe amd64 Packages [6767 B]
Fetched 23.0 MB in 2s (8896 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
The following additional packages will be installed:
  apparmor aufs-tools busybox-initramfs ca-certificates cgroupfs-mount cpio
  dh-python file git git-man ifupdown initramfs-tools initramfs-tools-bin
  initramfs-tools-core iproute2 iptables isc-dhcp-client isc-dhcp-common
  klibc-utils kmod krb5-locales less libapparmor-perl libasn1-8-heimdal
  libatm1 libbsd0 libcurl3-gnutls libdns-export162 libedit2 liberror-perl
  libexpat1 libffi6 libgdbm3 libgmp10 libgnutls30 libgssapi-krb5-2
  libgssapi3-heimdal libhcrypto4-heimdal libheimbase1-heimdal
  libheimntlm0-heimdal libhogweed4 libhx509-5-heimdal libidn11
  libisc-export160 libk5crypto3 libkeyutils1 libklibc libkrb5-26-heimdal
  libkrb5-3 libkrb5support0 libldap-2.4-2 libltdl7 libmagic1 libmnl0 libmpdec2
  libnettle6 libnfnetlink0 libp11-kit0 libperl5.22 libpopt0 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libroken18-heimdal librtmp1
  libsasl2-2 libsasl2-modules libsasl2-modules-db libsqlite3-0 libssl1.0.0
  libtasn1-6 libwind0-heimdal libx11-6 libx11-data libxau6 libxcb1 libxdmcp6
  libxext6 libxmuu1 libxtables11 linux-base mime-support netbase
  openssh-client openssl patch perl perl-modules-5.22 python3 python3-minimal
  python3.5 python3.5-minimal rename rsync udev xauth xz-utils
Suggested packages:
  apparmor-profiles apparmor-profiles-extra apparmor-docs apparmor-utils
  mountall libarchive1 libdpkg-perl gettext-base git-daemon-run
  | git-daemon-sysvinit git-doc git-el git-email git-gui gitk gitweb git-arch
  git-cvs git-mediawiki git-svn ppp rdnssd bash-completion iproute2-doc
  resolvconf avahi-autoipd isc-dhcp-client-ddns gnutls-bin krb5-doc krb5-user
  libsasl2-modules-otp libsasl2-modules-ldap libsasl2-modules-sql
  libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal ssh-askpass
  libpam-ssh keychain monkeysphere ed diffutils-doc perl-doc
  libterm-readline-gnu-perl | libterm-readline-perl-perl make python3-doc
  python3-tk python3-venv python3.5-venv python3.5-doc binutils binfmt-support
  openssh-server
The following NEW packages will be installed:
  apparmor aufs-tools busybox-initramfs ca-certificates cgroupfs-mount cpio
  dh-python docker-engine file git git-man ifupdown initramfs-tools
  initramfs-tools-bin initramfs-tools-core iproute2 iptables isc-dhcp-client
  isc-dhcp-common klibc-utils kmod krb5-locales less libapparmor-perl
  libasn1-8-heimdal libatm1 libbsd0 libcurl3-gnutls libdns-export162 libedit2
  liberror-perl libexpat1 libffi6 libgdbm3 libgmp10 libgnutls30
  libgssapi-krb5-2 libgssapi3-heimdal libhcrypto4-heimdal libheimbase1-heimdal
  libheimntlm0-heimdal libhogweed4 libhx509-5-heimdal libidn11
  libisc-export160 libk5crypto3 libkeyutils1 libklibc libkrb5-26-heimdal
  libkrb5-3 libkrb5support0 libldap-2.4-2 libltdl7 libmagic1 libmnl0 libmpdec2
  libnettle6 libnfnetlink0 libp11-kit0 libperl5.22 libpopt0 libpython3-stdlib
  libpython3.5-minimal libpython3.5-stdlib libroken18-heimdal librtmp1
  libsasl2-2 libsasl2-modules libsasl2-modules-db libsqlite3-0 libssl1.0.0
  libtasn1-6 libwind0-heimdal libx11-6 libx11-data libxau6 libxcb1 libxdmcp6
  libxext6 libxmuu1 libxtables11 linux-base mime-support netbase
  openssh-client openssl patch perl perl-modules-5.22 python3 python3-minimal
  python3.5 python3.5-minimal rename rsync udev xauth xz-utils
0 upgraded, 98 newly installed, 0 to remove and 0 not upgraded.
Need to get 41.1 MB of archives.
After this operation, 213 MB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu xenial/main amd64 libatm1 amd64 1:2.5.1-1.5 [24.2 kB]
...
Get:4 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 libssl1.0.0 amd64 1.0.2g-1ubuntu4.1 [1122 kB]
Get:5 http://apt.dockerproject.org/repo ubuntu-xenial/main amd64 docker-engine amd64 1.11.1-0~xenial [14.5 MB]
Get:6 http://archive.ubuntu.com/ubuntu xenial/main amd64 libpython3.5-minimal amd64 3.5.1-10 [521 kB]
...
Get:98 http://archive.ubuntu.com/ubuntu xenial/main amd64 xz-utils amd64 5.1.1alpha+20120614-2ubuntu2 [78.8 kB]
debconf: delaying package configuration, since apt-utils is not installed
Fetched 41.1 MB in 25s (1593 kB/s)
Selecting previously unselected package libatm1:amd64.
(Reading database ... 7253 files and directories currently installed.)
Preparing to unpack .../libatm1_1%3a2.5.1-1.5_amd64.deb ...
...
Selecting previously unselected package docker-engine.
Preparing to unpack .../docker-engine_1.11.1-0~xenial_amd64.deb ...
Unpacking docker-engine (1.11.1-0~xenial) ...
...
Unpacking xz-utils (5.1.1alpha+20120614-2ubuntu2) ...
Processing triggers for systemd (229-4ubuntu4) ...
Processing triggers for libc-bin (2.23-0ubuntu3) ...
Setting up libatm1:amd64 (1:2.5.1-1.5) ...
...
Setting up docker-engine (1.11.1-0~xenial) ...
invoke-rc.d: policy-rc.d denied execution of start.
Setting up liberror-perl (0.17-1.2) ...
...
Updating certificates in /etc/ssl/certs...
173 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
 ---> 33697b8b61da
Removing intermediate container 11363734857d
Step 5 : RUN docker -v
 ---> Running in 8fb0042eaf1c
Docker version 1.11.1, build 5604cbe
 ---> c5128ef75047
Removing intermediate container 8fb0042eaf1c
Successfully built c5128ef75047

[thaJeztah]

Discussing this with @tianon and @tiborvass - most likely suspects are corporate firewall, or CDN/transparent proxy (like apt-cacher-ng), but none of us is able to reproduce so far

[thaJeztah]

oh, lol, see @tianon just commented :-)

[meetupwayne]

Ive seen this succeeed and fail.

In the case where it has failed. It was a physical machine, I followed the documented Docker install instructions.

In the cases where it succeeded both were on virtual machines one was a virtual box VM and other was a VM in Google Cloud platform.

Both the physical machine and Virtual Box VM are on the same network.

[zabzal]

I Have also been seeing this issue for the last couple of days.I am using Vagrant shell provisioning to run

sudo curl -sSL "https://get.docker.com/" | sh

Up unit 5/6/16, I was able to provision my Ubuntu Trusty VM (Virtual Box) using this script. As of 5/6/16, I started getting:

WARNING: The following packages cannot be authenticated!
docker-engine
E: There are problems and -y was used without --force-yes

I am operating behind a firewall and proxy. Using my company's proxy credentials I have been able to set up docker this way for the past few months without issue.

[errordeveloper]

May be I didn't make it specific enough, for me it fails in AWS. I've used ami-840910ee.

[hamid-elaosta]

Can somebody try reproduce my fix? I deleted the key, cleaned apt cache and updated again. This errors about missing key so I copied the missing key shown by apt and added it usimg the command from the instructions (note it's a different hex string).

Apt update again and suddenly it worked.

[hamid-elaosta]

Oh, also, I found out I run behind squid proxy but it shouldn't affect my traffic, especially not HTTPS. Also, these four machines are the only instance of this happening to me.
The only differences from the hundreds of other docker installs I've done on the same network are; that I used a muxed terminal to run the command simultaneously on all 4 machines and that I'm using the xenial repository, normally I use the 14.04 one.

[iEmiya]

I am using this:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
sudo apt-get update

It worked.

[tbenst]

Here was the solution for me, similar to iEmiya:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 8B48AD6246925553

[hamid-elaosta]

I am trying to install a new VM on Digital Ocean with Xenial and have the same problem, I have tried both the documented version and @iEmiya version (using ubuntu keyserver). Since this time I'm installing from DO, I rule out any squid proxy or cache within my corporate environment. Can @iEmiya and @tbenst confirm they're using the Xenial repository? It's the only repo I have this issue on. Also, @iEmiya Didn't show the commands to the point of installing docker-engine. I'd like to point out that the apt update works fine with the key from either keyserver, it's installing docker-engine that fails to install due to being unable to authenticate. I still suspect the Xenial packages are mis-signed or signed with some other key?

[hamid-elaosta]

So this is the key in question;

http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xF76221572C52609D

If you install it using the fingerprint as documented here "Update your apt sources", section 4;
https://docs.docker.com/engine/installation/linux/ubuntulinux/

sudo apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

The apt update will succeed but the apt install docker-engine will fail.

If you then remove the key and install it again using;

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F76221572C52609D

Importantly, using the F7622157 and NOT the fingerprint, followed by and apt update and the apt install docker-engine succeeds.

Hopefully this can point us at the cause.

[thaJeztah]

@hamid-elaosta which region did you run on on DigitalOcean?

Here's what I did;

1. Created a new droplet (Ubuntu 16.04 x64, AMS3 region, 2GB memory)
2. Logged in, then:

apt-get update
apt-get install apt-transport-https ca-certificates
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
echo 'deb https://apt.dockerproject.org/repo ubuntu-xenial main' > /etc/apt/sources.list.d/docker.list
apt-get update
apt-get install linux-image-extra-$(uname -r)
apt-get install docker-engine

After that, running docker version

Client:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Tue Apr 26 23:43:49 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.11.1
 API version:  1.23
 Go version:   go1.5.4
 Git commit:   5604cbe
 Built:        Tue Apr 26 23:43:49 2016
 OS/Arch:      linux/amd64

[hamid-elaosta]

Hi @thaJeztah I ran it on LON1, using the 2GB and Ubuntu 16.04 x64

I added the Xenial repository to /etc/apt/sources.list.d/docker.list and the key imports mentioned above then the update and install.

[thaJeztah]

Did you install apt-transport-https and ca-certificates?

apt-get install apt-transport-https ca-certificates

[tbenst]

Hi Hamid, yes I was on the default xenial repos

Tyler Benster | tylerbenster.com
Twitter: @tbenst http://twitter.com/tbenst | LinkedIn: tylerbenster
http://www.linkedin.com/in/tylerbenster/
US mobile: +1 (206) 919-8004 | International: +1 (206) 629-8762

On Wed, Jun 1, 2016 at 10:00 AM, Sebastiaan van Stijn <
notifications@github.com> wrote:

Did you install apt-transport-https and ca-certificates?

apt-get install apt-transport-https ca-certificates

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
docker#22599 (comment),
or mute the thread
https://github.com/notifications/unsubscribe/AA0sX7ztphRqC114u4NCRzA03nhm45Rzks5qHbrHgaJpZM4IaGhU
.

[hamid-elaosta]

@thaJeztah Initially, the machines I had the issue with had them installed and up-to date already when I attempted to install them. I installed a fresh machine and installed those packages (they were missing this time) and it worked. However, I've just tried with another machine (clean install of Xenial on a physical server) which had those packages installed already after a fresh install/upgrade and it worked as expected. I'm no more clear on what the cause is/was than when I started.

[errordeveloper]

I am still seeing this in EC2, has anyone else attempted to reproduce in EC2?

[megahall]

I can see it when I am configuring from raw Xenial ISOs inside of a Packer based Linux VM Image bootstrap procedure. I am working on narrowing down the cause.

[megahall]

It seems like it can be prevented by ensuring all of the following commands are run before the aptitude / apt-get update:

# early debs needed for apt-add-repository and https repos
aptitude -y install software-properties-common apt-transport-https curl

# docker
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F76221572C52609D
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
curl -sSL https://get.docker.com/gpg | apt-key add -
curl -sSL https://apt.dockerproject.org/gpg | apt-key add -

[codepainters]

I just encountered the very same problem. I managed to reproduce it under 16.04 VM.

If I do the following, the problem doesn't appear:

apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" > /etc/apt/sources.list.d/apt_dockerproject_org_repo.list
apt-get update
apt-get install docker-engine

However, I can reproduce this problem in a fresh VM if I add the repo first, and only add the key after apt-get update. Rerunning apt-get update doesn't solve the problem:

echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" > /etc/apt/sources.list.d/apt_dockerproject_org_repo.list
# here it complains about missing F76221572C52609D key
apt-get update
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
# this second update changes nothing (albeit it doesn't complain about keys anymore)
apt-get update
# apt-get install complains now (I abort here)
apt-get install docker-engine

Once it gets into this state, the only way to recover seems to be manually removing apt cache files:

rm /var/lib/apt/lists/apt.dockerproject.org_repo_dists_ubuntu-xenial_*
apt-get update
# and now it works
apt-get install docker-engine

It appears to me to be some apt-get quirk - adding a key after retrieving the repo list should be perfectly fine, AFAIK. Hope that helps.

[megahall]

Good catch. It might be wise to report this to the Debian / Ubuntu developers.

On Mon, Jun 13, 2016 at 09:25:52AM -0700, Przemys??aw W??grzyn wrote:

I just encountered the very same problem. I managed to reproduce it under 16.04 VM.

If I do the following, the problem doesn't appear:

apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" > /etc/apt/sources.list.d/apt_dockerproject_org_repo.list
apt-get update
apt-get install docker-engine

However, I can reproduce this problem in a fresh VM if I add the repo first, and only add the key after apt-get update. Rerunning apt-get update doesn't solve the problem:

echo "deb https://apt.dockerproject.org/repo ubuntu-xenial main" > /etc/apt/sources.list.d/apt_dockerproject_org_repo.list
# here it complains about missing F76221572C52609D key
apt-get update
apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
# this second update changes nothing (albeit it doesn't complain about keys anymore)
apt-get update
# apt-get install complains now (I abort here)
apt-get install docker-engine

Once it gets into this state, the only way to recover seems to be manually removing apt cache files:

rm /var/lib/apt/lists/apt.dockerproject.org_repo_dists_ubuntu-xenial_*
apt-get update
# and now it works
apt-get install docker-engine

It appears to me to be some apt-get quirk - adding a key after retrieving the repo list should be perfectly fine, AFAIK. Hope that helps.

---

You are receiving this because you commented.
Reply to this email directly or view it on GitHub:
docker#22599 (comment)

[errordeveloper]

@codepainters so it sounds like cloudinit also needs a fix (see my snippet in docker#22599 (comment))...

[errordeveloper]

Good catch. It might be wise to report this to the Debian / Ubuntu developers.

100%. Has anyone does this already?

[codepainters]

I haven't, I was way too busy those days. I'll try to check it with Debian, and then perhaps fill the ticket before next week. I'll post an update here.

[codepainters]

Hmm, something must have changed in the meantime - I can no longer reproduce it under Ubuntu 16.04 VM. Can anyone confirm?

[jamtur01]

I'm still seeing this - is the base image going to get a refresh of keys? @tianon ?

[roshan3133]

Getting same issue

apt-key adv --keyserver hkp://p80.pool.sks-keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D

not getting pubkey for ubuntu 16.04 LTS

[justincormack]

@jamtur01 @roshan3133 is this an issue with the workaround mentioned above, where you import the key before adding the repository?

[jamtur01]

@justincormack Hi! The issue for me if that I shouldn't have to use the workaround at all and the base image should get an update.

[hamid-elaosta]

@codepainters On a fresh 16.04.1 it no longer happens if I forget to at the key first. I just add it then apt update and it installs like normal.

[roshan3133]

Ok... will check that

On 1 Sep 2016 14:16, "Hamid" notifications@github.com wrote:

@codepainters https://github.com/codepainters On a fresh 16.04.1 it no
longer happens if I forget to at the key first. I just add it then apt
update and it installs like normal.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
docker#22599 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AHEi4clArijJSa-VGfEwXdErg5Eu9eW5ks5qlpDzgaJpZM4IaGhU
.

[tianon]

@jamtur01 not sure I understand what you're suggesting -- are you suggesting that we add Docker's APT repo key into the ubuntu base image?

[icecrime]

It seems that this one can be closed now: the issue is resolved for most, and doesn't seem like something that we can solve at our level. Please let me know if I'm missing something! Thank you all for reporting.

[lkraider]

Website instructions are wrong, here is what works in 16.04:

curl -s https://yum.dockerproject.org/gpg | sudo apt-key add
apt-key fingerprint 58118E89F3A912897C070ADBF76221572C52609D
sudo add-apt-repository "deb https://apt.dockerproject.org/repo ubuntu-$(lsb_release -cs) main"
sudo apt-get update
sudo apt-get install docker-engine=1.13.0-0~ubuntu-xenial

[pettyalex]

Thanks, @lkraider I just stubbed my toe on this setting up a new machine after 1.13 launch. Website needs to be updated.

[thaJeztah]

docs should be fixed now, apologies for the inconvenience! And thanks @lkraider for helping out here!

[alarv]

If your distro is Linux Mint, pay attention to this warning in the official docker repos:

Note: Sometimes, in a distribution like Linux Mint, you might have to change ubuntu-$(lsb_release -cs) to your parent Ubuntu distribution. example: If you are using Linux Mint Rafaela, you could type in ubuntu-trusty

Currently, lsb_release -cs returns sarah. I checked my parent distro on Mint, which is xenial. Then went to the additional repositories /etc/apt/sources.list.d/additional-repositories.list, removed sarah and added ubuntu-xenial as the distro version.

[T-vK]

For Linux Mint 18 this fixed it for me:
Menu -> Administration -> Software Sources -> Additional Repositories -> Edit the URL of the docker entry -> Replace sarah with xenial

[abdihakiim]

replace your source.list with this

deb http://repo.kali.org/kali kali-rolling main contrib free
deb-src http://repo.kali.org/kali kali-rolling main contrib free