The build server is Ubuntu 16.04, patched recently with sudo apt update && sudo apt upgrade.
docker version says:
Version: 18.06.0-ce
API version: 1.38
Go version: go1.10.3
Git commit: 0ffa825
Built: Wed Jul 18 19:11:02 2018
OS/Arch: linux/amd64
Experimental: false
The Dockerfile looks like this:
FROM debian:12-slim
RUN apt-get update \
&& apt-get install -y wget \
&& apt-get install -y supervisor \
&& apt-get install -y apt-utils \
&& apt-get install -y nginx \
&& apt-get install -y libgdiplus
RUN apt-get autoremove -y \
&& apt-get clean -y \
&& apt-get autoclean -y \
&& rm -rf /var/lib/apt/lists/*
# .. other stuff cut ..
The apt-get update step fails with:
W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
Presumably I need to first RUN something to update public keys.
I can find a lot of guides to solving this manually by copy-pasting the missing keys into the command line, but obviously I need the fix to be part of the Dockerfile (and ideally not fall over if the keys get changed, if possible?).
But perhaps the fact that apt-get isn't working for an official base image indicates a deeper problem?
Am I using the correct tag for a minimal Debian Docker image?
Is the problem related to using the slim distribution of Debian?
Could this be an issue with the build environment or old Docker version?
Any thoughts?
(Background: the intention is to build a .Net Core 2.1 runtime image for a legacy app, but the official Microsoft runtime image is no longer supported and has recently developed its own problems in which apt-get fails with many 404 errors. The choice of Debian slim here is because that image was based on an older version of the same.)
Edit: The comments seemed to suggest that it was probably the environment that was the problem; when building the same Dockerfile on Ubuntu 22.04.2 with Docker 24.0.4, everything was fine. Question answered as: Don't use an out-of-date build server!
The root cause is that outdated libseccomp blocks new Linux syscalls used by Debian Bookworm. There are three approaches:
- libseccomp
- debian:11-slim
- --security-opt seccomp=unconfined (obviously insecure approach)
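A triage check for the failure discussed above, as an added example that is not part of the original question or answer: it reads pasted `docker version` output and the apt log, and separates "build host too old" from a genuine repository trust failure before anyone imports keys by hand or disables seccomp. The function names and the `MIN_DOCKER` floor are assumptions made for illustration, and only the Docker version is checked; a libseccomp version could be compared the same way.

```shell
#!/bin/sh
# Added example (not from the post): triage apt "not signed" failures in a build.
# MIN_DOCKER is an assumed floor, not a value from the page; set it to your policy.
MIN_DOCKER="${MIN_DOCKER:-20.10.10}"

# Constructed sample inputs, abbreviated from the output quoted in the question.
SAMPLE_DOCKER="Version: 18.06.0-ce
API version: 1.38"
SAMPLE_LOG="W: GPG error: http://deb.debian.org/debian bookworm InRelease: NO_PUBKEY 648ACFD622F3D138
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed."

# version_ge A B: succeeds when A >= B (uses sort -V for version ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# docker_version_from TEXT: first "Version:" field of pasted `docker version` output.
docker_version_from() {
    printf '%s\n' "$1" | sed -n 's/^ *Version: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# count_unsigned_repos LOG: distinct repositories apt refused as unsigned.
count_unsigned_repos() {
    printf '%s\n' "$1" \
        | sed -n "s/^E: The repository '\(.*\)' is not signed\.\$/\1/p" \
        | sort -u | wc -l | tr -d ' '
}

# triage DOCKER_TEXT APT_LOG: prints ok | host-outdated | investigate-keys.
triage() {
    ver=$(docker_version_from "$1")
    unsigned=$(count_unsigned_repos "$2")
    if [ "$unsigned" -eq 0 ]; then
        echo "ok"
    elif [ -n "$ver" ] && ! version_ge "$ver" "$MIN_DOCKER"; then
        echo "host-outdated"    # fix the build host; do not import keys by hand
    else
        echo "investigate-keys" # host looks current; treat as a real trust failure
    fi
}

triage "$SAMPLE_DOCKER" "$SAMPLE_LOG"
```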