devcontainer image has expired OpenSUSE signature #38464

Closed
nbaws opened this issue Feb 15, 2025 · 4 comments · Fixed by #38477

nbaws commented Feb 15, 2025

Title: Devcontainer image has expired OpenSUSE signature

Description:
Dockerfile in devcontainer fails to build due to expired signature. Appears to have expired yesterday.

Image is sourced from

FROM gcr.io/envoy-ci/envoy-build:d2be0c198feda0c607fa33209da01bf737ef373f@sha256:6e494ff9bcfa96868cb43f1200f2126cdab39d62db52a5dda80c8ec1694a93ee

Not sure where the image is generated from so unable to PR for a newer hash if one fixes the problem.

@phlax

Repro steps:

root@ip-172-31-18-63 ssm-user]# docker build .
[+] Building 7.9s (5/5) FINISHED                                                                                                                                                                                                                                                    docker:default
 => [internal] load build definition from Dockerfile                                                                                                                                                                                                                                          0.0s
 => => transferring dockerfile: 1.05kB                                                                                                                                                                                                                                                        0.0s
 => [internal] load metadata for gcr.io/envoy-ci/envoy-build:d2be0c198feda0c607fa33209da01bf737ef373f@sha256:6e494ff9bcfa96868cb43f1200f2126cdab39d62db52a5dda80c8ec1694a93ee                                                                                                                 0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                                                                             0.0s
 => => transferring context: 2B                                                                                                                                                                                                                                                               0.0s
 => CACHED [1/2] FROM gcr.io/envoy-ci/envoy-build:d2be0c198feda0c607fa33209da01bf737ef373f@sha256:6e494ff9bcfa96868cb43f1200f2126cdab39d62db52a5dda80c8ec1694a93ee                                                                                                                            0.0s
 => ERROR [2/2] RUN apt-get -y update   && apt-get -y install --no-install-recommends libpython2.7 net-tools psmisc vim 2>&1   && groupadd --gid 501 vscode   && useradd -s /bin/bash --uid 501 --gid 501 -m vscode -G pcap -d /build   && echo vscode ALL=(root) NOPASSWD:ALL > /etc/sudoer  7.9s
------
 > [2/2] RUN apt-get -y update   && apt-get -y install --no-install-recommends libpython2.7 net-tools psmisc vim 2>&1   && groupadd --gid 501 vscode   && useradd -s /bin/bash --uid 501 --gid 501 -m vscode -G pcap -d /build   && echo vscode ALL=(root) NOPASSWD:ALL > /etc/sudoers.d/vscode   &
& chmod 0440 /etc/sudoers.d/vscode:
0.402 Get:1 https://download.docker.com/linux/ubuntu focal InRelease [57.7 kB]
0.515 Get:2 https://download.docker.com/linux/ubuntu focal/stable amd64 Packages [66.1 kB]
0.899 Get:3 http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal InRelease [24.6 kB]
0.931 Get:4 http://security.ubuntu.com/ubuntu focal-security InRelease [128 kB]
0.978 Get:5 http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease [1,642 B]
1.000 Get:6 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
1.073 Err:5 http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease
1.073   The following signatures were invalid: EXPKEYSIG 4D64390375060AA4 devel:kubic OBS Project <devel:[email protected]>
1.553 Get:7 http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal/main amd64 Packages [28.7 kB]
2.143 Get:8 http://archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB]
2.238 Get:9 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [1,298 kB]
2.422 Get:10 http://archive.ubuntu.com/ubuntu focal-backports InRelease [128 kB]
2.702 Get:11 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1,275 kB]
3.239 Get:12 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
3.518 Get:13 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.9 kB]
3.521 Get:14 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [4,337 kB]
4.254 Get:15 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [4,223 kB]
4.761 Get:16 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
4.765 Get:17 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
4.789 Get:18 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1,590 kB]
4.999 Get:19 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [4,526 kB]
5.587 Get:20 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [34.6 kB]
5.592 Get:21 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [4,699 kB]
6.203 Get:22 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB]
6.210 Get:23 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB]
6.489 Reading package lists...
7.733 W: GPG error: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease: The following signatures were invalid: EXPKEYSIG 4D64390375060AA4 devel:kubic OBS Project <devel:[email protected]>
7.733 E: The repository 'http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease' is not signed.
------
Dockerfile:11
--------------------
  10 |     ENV DEBIAN_FRONTEND=noninteractive
  11 | >>> RUN apt-get -y update \
  12 | >>>   && apt-get -y install --no-install-recommends libpython2.7 net-tools psmisc vim 2>&1 \
  13 | >>>   # Create a non-root user to use if preferred - see https://aka.ms/vscode-remote/containers/non-root-user.
  14 | >>>   && groupadd --gid $USER_GID $USERNAME \
  15 | >>>   && useradd -s /bin/bash --uid $USER_UID --gid $USER_GID -m $USERNAME -G pcap -d /build \
  16 | >>>   # [Optional] Add sudo support for non-root user
  17 | >>>   && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
  18 | >>>   && chmod 0440 /etc/sudoers.d/$USERNAME
  19 |
--------------------
ERROR: failed to solve: process "/bin/bash -ec apt-get -y update   && apt-get -y install --no-install-recommends libpython2.7 net-tools psmisc vim 2>&1   && groupadd --gid $USER_GID $USERNAME   && useradd -s /bin/bash --uid $USER_UID --gid $USER_GID -m $USERNAME -G pcap -d /build   && echo$USERNAME ALL=\\(root\\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME   && chmod 0440 /etc/sudoers.d/$USERNAME" did not complete successfully: exit code: 100
[root@ip-172-31-18-63 ssm-user]#

Inspecting image directly

[root@ip-172-31-18-63 ssm-user]# docker run -it gcr.io/envoy-ci/envoy-build:d2be0c198feda0c607fa33209da01bf737ef373f@sha256:6e494ff9bcfa96868cb43f1200f2126cdab39d62db52a5dda80c8ec1694a93ee /bin/bash
root@f76266effca7:/# apt-get update
Get:1 https://download.docker.com/linux/ubuntu focal InRelease [57.7 kB]
Get:2 https://download.docker.com/linux/ubuntu focal/stable amd64 Packages [66.1 kB]
Get:3 http://security.ubuntu.com/ubuntu focal-security InRelease [128 kB]
Get:4 http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal InRelease [24.6 kB]
Get:5 http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease [1,642 B]
Err:5 http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease
  The following signatures were invalid: EXPKEYSIG 4D64390375060AA4 devel:kubic OBS Project <devel:[email protected]>
Get:6 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB]
Get:7 http://ppa.launchpad.net/ubuntu-toolchain-r/test/ubuntu focal/main amd64 Packages [28.7 kB]
Get:8 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [4,223 kB]
Get:9 http://archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB]
Get:10 http://archive.ubuntu.com/ubuntu focal-backports InRelease [128 kB]
Get:11 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB]
Get:12 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1,275 kB]
Get:13 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.9 kB]
Get:14 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [1,298 kB]
Get:15 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [4,337 kB]
Get:16 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB]
Get:17 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB]
Get:18 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1,590 kB]
Get:19 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [34.6 kB]
Get:20 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [4,699 kB]
Get:21 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [4,526 kB]
Get:22 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB]
Get:23 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB]
Reading package lists... Done
W: GPG error: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease: The following signatures were invalid: EXPKEYSIG 4D64390375060AA4 devel:kubic OBS Project <devel:[email protected]>
E: The repository 'http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_20.04  InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
root@f76266effca7:/# apt-get install pgpdump
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  pgpdump
0 upgraded, 1 newly installed, 0 to remove and 21 not upgraded.
Need to get 19.0 kB of archives.
After this operation, 64.5 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu focal/universe amd64 pgpdump amd64 0.33-2 [19.0 kB]
Fetched 19.0 kB in 1s (30.0 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package pgpdump.
(Reading database ... 20341 files and directories currently installed.)
Preparing to unpack .../pgpdump_0.33-2_amd64.deb ...
Unpacking pgpdump (0.33-2) ...
Setting up pgpdump (0.33-2) ...
root@f76266effca7:/# pgpdump /etc/apt/trusted.gpg.d/devel_kubic_libcontainers_stable.gpg
Old: Public Key Packet(tag 6)(269 bytes)
        Ver 4 - new
        Public key creation time - Fri Aug  3 13:23:19 UTC 2018
        Pub alg - RSA Encrypt or Sign(pub 1)
        RSA n(2048 bits) - ...
        RSA e(17 bits) - ...
Old: User ID Packet(tag 13)(56 bytes)
        User ID - devel:kubic OBS Project <devel:[email protected]>
Old: Signature Packet(tag 2)(318 bytes)
        Ver 4 - new
        Sig type - Positive certification of a User ID and Public Key packet(0x13).
        Pub alg - RSA Encrypt or Sign(pub 1)
        Hash alg - SHA256(hash 8)
        Hashed Sub: signature creation time(sub 2)(4 bytes)
                Time - Wed Dec  7 07:28:08 UTC 2022
        Hashed Sub: key flags(sub 27)(1 bytes)
                Flag - This key may be used to certify other keys
                Flag - This key may be used to sign data
        Hashed Sub: key expiration time(sub 9)(4 bytes)
                Time - Fri Feb 14 07:28:08 UTC 2025
        Hashed Sub: preferred symmetric algorithms(sub 11)(5 bytes)
                Sym alg - AES with 256-bit key(sym 9)
                Sym alg - AES with 192-bit key(sym 8)
                Sym alg - AES with 128-bit key(sym 7)
                Sym alg - CAST5(sym 3)
                Sym alg - Triple-DES(sym 2)
        Hashed Sub: preferred hash algorithms(sub 21)(5 bytes)
                Hash alg - SHA256(hash 8)
                Hash alg - SHA1(hash 2)
                Hash alg - SHA384(hash 9)
                Hash alg - SHA512(hash 10)
                Hash alg - SHA224(hash 11)
        Hashed Sub: preferred compression algorithms(sub 22)(3 bytes)
                Comp alg - ZLIB <RFC1950>(comp 2)
                Comp alg - BZip2(comp 3)
                Comp alg - ZIP <RFC1951>(comp 1)
        Hashed Sub: features(sub 30)(1 bytes)
                Flag - Modification detection (packets 18 and 19)
        Hashed Sub: key server preferences(sub 23)(1 bytes)
                Flag - No-modify
        Sub: issuer key ID(sub 16)(8 bytes)
                Key ID - 0x4D64390375060AA4
        Hash left 2 bytes - f5 5f
        RSA m^d mod n(2048 bits) - ...
                -> PKCS-1
Old: Signature Packet(tag 2)(70 bytes)
        Ver 4 - new
        Sig type - Positive certification of a User ID and Public Key packet(0x13).
        Pub alg - DSA Digital Signature Algorithm(pub 17)
        Hash alg - SHA1(hash 2)
        Hashed Sub: signature creation time(sub 2)(4 bytes)
                Time - Fri Aug  3 13:23:19 UTC 2018
        Sub: issuer key ID(sub 16)(8 bytes)
                Key ID - 0x3B3011B76B9D6523
        Hash left 2 bytes - a8 b3
        DSA r(157 bits) - ...
        DSA s(159 bits) - ...
                -> hash(DSA q bits)
root@f76266effca7:/# date
Sat 15 Feb 2025 06:20:08 AM UTC
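
The key expiration time in the pgpdump output above is earlier than the `date` output that follows it, which is the condition apt reports as EXPKEYSIG. As an added example (not part of the original issue or of the Envoy project), this Python sketch parses pgpdump text in the format shown and classifies each signature packet's expiry. The sample is trimmed from the output above; the function names, the 30-day warning window and the assumption that pgpdump prints UTC times are mine.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: lines trimmed from the pgpdump output quoted in the issue.
SAMPLE = """\
Old: Public Key Packet(tag 6)(269 bytes)
        Public key creation time - Fri Aug  3 13:23:19 UTC 2018
Old: Signature Packet(tag 2)(318 bytes)
        Hashed Sub: signature creation time(sub 2)(4 bytes)
                Time - Wed Dec  7 07:28:08 UTC 2022
        Hashed Sub: key expiration time(sub 9)(4 bytes)
                Time - Fri Feb 14 07:28:08 UTC 2025
        Sub: issuer key ID(sub 16)(8 bytes)
                Key ID - 0x4D64390375060AA4
Old: Signature Packet(tag 2)(70 bytes)
        Sub: issuer key ID(sub 16)(8 bytes)
                Key ID - 0x3B3011B76B9D6523
"""

def parse_time(text):
    # pgpdump pads single-digit days with two spaces; collapse before parsing.
    stamp = datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S UTC %Y")
    return stamp.replace(tzinfo=timezone.utc)

def signature_expiries(dump):
    """Return one {'issuer', 'expires'} dict per signature packet in the dump."""
    sigs, sig, sub = [], None, ""
    for line in dump.splitlines():
        text = line.strip()
        if line and not line[0].isspace():        # unindented line starts a new packet
            sig, sub = None, ""
            if "Signature Packet" in text:
                sig = {"issuer": None, "expires": None}
                sigs.append(sig)
        elif sig is not None and re.match(r"(Hashed )?Sub:", text):
            sub = text                             # remember which subpacket we are inside
        elif sig is not None and text.startswith("Time - ") and "key expiration time" in sub:
            sig["expires"] = parse_time(text[len("Time - "):])
        elif sig is not None and text.startswith("Key ID - "):
            sig["issuer"] = text[len("Key ID - "):]
    return sigs

def status(expires, now, warn=timedelta(days=30)):
    """Classify an expiry relative to `now`; the 30-day window is an assumed policy."""
    if expires is None:
        return "no-expiry"
    if expires <= now:
        return "expired"
    return "expiring-soon" if expires - now <= warn else "ok"
```

Calling `status()` on each entry of `signature_expiries()` for every keyring under `/etc/apt/trusted.gpg.d/` at image publish time would flag a key like this one before a pinned image starts failing `apt-get update`.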

nbaws commented Feb 15, 2025

https://github.com/nbaws/envoy/tree/devcontainer_expired_sig will fix the issue in the meantime if anyone stumbles across this


phlax commented Feb 16, 2025

container is built here https://github.com/envoyproxy/envoy-build-tools/


nbaws commented Feb 16, 2025

Looks like they updated Release.key on 31 Jan 2025 and your builder is picking it up correctly, but the last publish ran before the key was updated. If you are able to rerun the publish workflow on envoy-build-tools, I'll PR to update the container hash and we should be good.


phlax commented Feb 16, 2025

I can look at the beginning of the week - the last few builds were with updated llvm - so that will need to be reverted to tackle this first - no need to PR here, we have a bot to handle it
