Bookworm: GPG Error when attempting apt update

[webaholik]

The issue seems to be related to the latest docker image update to bookworm

At the top of my Dockerfile:

FROM nginx
RUN apt-get update -qq && apt-get -y install apache2-utils

Now when building, I get these errors:

W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code

Attempted to manually add:

RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 648ACFD622F3D138
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 0E98404D386FA1D9
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys F8D2585B8783D481
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 6ED0E7B82643E131
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 54404762BBB6E853
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BDE6D2B9216EC7A8

Result:
E: gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation

Then tried running this first:
RUN apt-get install -y debian-keyring
Result:
E: Unable to locate package debian-keyring
-and I can't update my sources because of the GPG key

[thresheek]

Hi @webaholik,

It seems like the same issue as in #800 - can you please check the docker runtime versions you're running, as well as seccomp version and runc?

Thanks!

[webaholik]

Thanks for the quick reply, @thresheek, HOST is Centos

Docker version 1.13.1, build 7d71120/1.13.1

==========================================================================================================================================================================================================================================================================
 Package                                                       Arch                                                   Version                                                                               Repository                                               Size
==========================================================================================================================================================================================================================================================================

 docker                                                        x86_64                                                 2:1.13.1-209.git7d71120.el7.centos                                                    @extras                                                  64 M
 docker-client                                                 x86_64                                                 2:1.13.1-209.git7d71120.el7.centos                                                    @extras                                                  13 M
 docker-common                                                 x86_64                                                 2:1.13.1-209.git7d71120.el7.centos                                                    @extras                                                 4.4 k

[thresheek]

Thanks,

I think you need at least Docker 20.10.10+ for this image (and any other bookworm-based) to work as expected.

[yosifkit]

You can verify that it is libseccomp by running the bookworm image with --security-opt seccomp=unconfined. If it works, then I'd suggest updating docker and libseccomp on the host. Newer base OS's use newer system calls and an older libseccomp can block them since they are unknown to it.

Similar to docker-library/python#837

[webaholik]

@thresheek - thanks, updating docker resolved my issue:
https://docs.docker.com/engine/install/centos/