docker-outside-of-docker failed to install -> rep ubuntu/20.04/prod focal InRelease is not signed

[seantleonard]

Trying to use the images:

• https://mcr.microsoft.com/en-us/product/devcontainers/dotnet/tags
  • 6.0-focal published June 24, 2024
  • dev-8.0 published June 24, 2024

The deployment errors out seemingly due to docker-outside-of-docker. Not sure if this is the cause or just a symptom of the failure.

5.546 W: GPG error: https://packages.microsoft.com/ubuntu/20.04/prod focal InRel
ease: The following signatures couldn't be verified because the public key is no
t available: NO_PUBKEY EB3E94ADBE1229CF
5.546 E: The repository 'https://packages.microsoft.com/ubuntu/20.04/prod focal
InRelease' is not signed.
5.547 ERROR: Feature "Docker (docker-outside-of-docker)" (ghcr.io/devcontainers/
features/docker-outside-of-docker) failed to install! Look at the documentation
at https://github.com/devcontainers/features/tree/main/src/docker-outside-of-doc
ker for help troubleshooting this error.

It looks like the docker outside of docker feature install.sh only imports the Microsoft signing keys if Moby is used:

features/src/docker-outside-of-docker/install.sh

Lines 215 to 229 in 414d345

	if [ "${USE_MOBY}" = "true" ]; then
	cli_package_name="moby-cli"
	# Import key safely and import Microsoft apt repo
	curl -sSL ${MICROSOFT_GPG_KEYS_URI} | gpg --dearmor > /usr/share/keyrings/microsoft-archive-keyring.gpg
	echo "deb [arch=${architecture} signed-by=/usr/share/keyrings/microsoft-archive-keyring.gpg] https://packages.microsoft.com/repos/microsoft-${ID}-${VERSION_CODENAME}-prod ${VERSION_CODENAME} main" > /etc/apt/sources.list.d/microsoft.list
	else
	# Name of proprietary engine package
	cli_package_name="docker-ce-cli"
	# Import key safely and import Docker apt repo
	curl -fsSL https://download.docker.com/linux/${ID}/gpg | gpg --dearmor > /usr/share/keyrings/docker-archive-keyring.gpg
	echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/${ID} ${VERSION_CODENAME} stable" > /etc/apt/sources.list.d/docker.list
	fi

I do notice the Sample project I'm using doesn't provide a Moby property, which per docker outside of docker docs, moby should be true by default. Not sure why the key setup isn't working.
https://github.com/Azure-Samples/azure-sql-library-app-blazor/blob/0a1ba8c97744d887f209d95c7f932ddf0eb8b04c/.devcontainer/devcontainer.json#L59-L61

		"ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
			"version": "latest"
		}

[seantleonard]

Solution was to add config to my dockerfile to import microsoft signing keys as suggested by Microsoft documentation. not sure why the key import in docker-outside-docker install.sh doesn't fulfill whatever is happening below:

# Import Microsoft Signing Keys
# https://learn.microsoft.com/dotnet/core/install/linux-ubuntu#unable-to-locate--some-packages-could-not-be-installed
RUN sudo apt-get install -y gpg wget \
    && wget https://packages.microsoft.com/keys/microsoft.asc \
    && cat microsoft.asc | gpg --dearmor -o microsoft.asc.gpg \
    && sudo mv microsoft.asc.gpg /etc/apt/trusted.gpg.d/ \
    && sudo chown root:root /etc/apt/trusted.gpg.d/microsoft.asc.gpg

[samruddhikhandale]

The docker-outside-of-docker feature's install.sh script should ideally handle the import of the necessary GPG keys. However, there could be several reasons why this might not be working as expected:

• Conditional Logic: The script might have conditional logic that skips the key import under certain conditions. For example, it might only import the keys if a specific version of Docker (like Moby) is being installed.
• Environment Differences: The environment in which the script runs might differ from your Dockerfile environment, leading to discrepancies in the key import process.
• Permissions: The script might not have the necessary permissions to import the keys or move them to the correct location.