xyz#ubuntu:~$ curl -s https://raw.githubusercontent.com/ros/rosdistro/master/ros.asc | sudo apt-key add -
gpg: no valid OpenPGP data found.
Getting this error while installing ROS Noetic on Ubuntu 20.04.5, arm64, UTM.
Tried a few steps but they didn't work.
I am trying to upgrade one of our docker base images to the latest stable version of Ubuntu. I have isolated the problem to a simple reproducible case. I have a Dockerfile like this:
FROM ubuntu:22.04
MAINTAINER mep-dev#zulily.com
# Install java and clean-up
RUN apt-get update
When I build it on my local machine, I don't have any problems. However, when I build it on my CICD, I sometimes get this error:
Step 3/3 : RUN apt-get update
---> Running in 6ca01b60de64
Get:1 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:2 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [109 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [99.8 kB]
Err:1 http://archive.ubuntu.com/ubuntu jammy InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Err:3 http://archive.ubuntu.com/ubuntu jammy-updates InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Err:4 http://archive.ubuntu.com/ubuntu jammy-backports InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Err:2 http://security.ubuntu.com/ubuntu jammy-security InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Reading package lists...
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy InRelease' is not signed.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy-updates InRelease' is not signed.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://archive.ubuntu.com/ubuntu/dists/jammy-backports/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://archive.ubuntu.com/ubuntu jammy-backports InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://archive.ubuntu.com/ubuntu jammy-backports InRelease' is not signed.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://security.ubuntu.com/ubuntu/dists/jammy-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://security.ubuntu.com/ubuntu jammy-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
E: The repository 'http://security.ubuntu.com/ubuntu jammy-security InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/.deb /var/cache/apt/archives/partial/.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
The command '/bin/sh -c apt-get update' returned a non-zero code: 100
If I comment out RUN apt-get update, then it succeeds, and I can enter the container and see that /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg and /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg do exist and have read for all permissions:
root#b778220b39d8:/# ls -l /etc/apt/trusted.gpg.d
total 8
-rw-r--r-- 1 root root 2794 Mar 26 2021 ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 26 2021 ubuntu-keyring-2018-archive.gpg
I also checked the parent directories, and they have r-x at least for all.
This answer might be related, but why would the file have the correct structure when the base image is used in one environment and not another?
Update:
By using --pull, I can see the exact image it's using.
$ docker build --pull -t $EMAIL_DELIVERABILITY_ARN .
Step 1/3 : FROM ubuntu:22.04
22.04: Pulling from library/ubuntu
Digest: sha256:b6b83d3c331794420340093eb706a6f152d9c1fa51b262d9bf34594887c2c7ac
Status: Downloaded newer image for ubuntu:22.04
---> 27941809078c
This is the same sha and image id that I see when building locally, which works.
I am not having the same problem with ubuntu:20.04.
After spending half a day trying to fix the Ubuntu images (which aren't broken) I have eventually started debugging the host.
It's a docker problem. Ubuntu makes use of syscalls for better key security, which Docker didn't support yet. The solution is to update docker... or use runc or something similar.
Instead of apt getting the message that the syscalls aren't supported, it gets the message that permission is denied, which results in the confusing error messages.
You could technically patch ubuntu to be less secure, and to work with older docker, but that is sadly not a long term solution.
When you reference a docker image by name, Docker only checks to see if it exists locally or not -- it doesn't check for updates. So if there is already a version of the named image available, it will use that even though it might be stale. I suspect that's what you're seeing: some of your CI nodes must have a cached version of the image that has problems.
There are a few ways of dealing with this:
Explicitly docker pull ubuntu:22.04 before calling docker run; this will pull down a newer version of the image if one exists.
Add --pull always to your docker run command line. This accomplishes the same thing but without requiring an extra command execution.
Reference an image by digest rather than by tag. If you use an image reference like this:
FROM ubuntu@sha256:bace9fb0d5923a675c894d5c815da75ffe35e24970166a48a4460a48ae6e0d19
Then docker will use that exact image. You can find the image digests on docker hub.
Exactly the same problem
Err:3 http://security.ubuntu.com/ubuntu jammy-security InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 871920D1991BC93C
Reading package lists...
W: http://archive.ubuntu.com/ubuntu/dists/jammy/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
Dockerfile (simple how to reproduce) docker-version: 18.x or 19.03/
FROM ubuntu:latest
RUN apt-get -y update
With the latest Docker version, 20.10.9, I did not see the issue.
Some of the options tried to troubleshoot:
sed -i 's/jammy/focal/g' /etc/apt/sources.list
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 871920D1991BC93C
This fails with another child issue:
gnupg, gnupg2 and gnupg1 do not seem to be installed, but one of them is required for this operation
So, the solution seems to be either to update the Docker version or to use a tagged image where it has worked previously.
A very dirty but probably acceptable hack for some docker hacking is this:
apt update --allow-insecure-repositories
Which just ignores the signatures. The errors still get printed, but the package repository is updated, and you can install new packages afterwards, even though you get warned and asked if that is really what you want to do.
It is the same for me, something is broken inside the Ubuntu image. The issue is not coming from the docker software/pkg, it is sourced within the image.
I am configuring a CentOS 6 server. I am trying to install rvm, but I get an error when I try to install it on the server. Does anyone know the reason?
Step 1.
gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
OUTPUT
gpg: key D39DC0E3: "Michal Papis (RVM signing) <mpapis#gmail.com>" not changed
gpg: key D39DC0E3: "Totally Legit Signing Key <mallory#example.org>" not changed
gpg: key 39499BDB: "Piotr Kuczynski <piotr.kuczynski#gmail.com>" not changed
gpg: Total number processed: 3
gpg: unchanged: 3
Step 2 (where I get the error)
curl -sSL https://get.rvm.io | bash -s stable
Output
WARN: ...the preceeding error with code 35 occurred while fetching https://api.github.com/repos/rvm/rvm/tags
curl: (35) SSL connect error
WARN: ...the preceeding error with code 35 occurred while fetching https://api.bitbucket.org/2.0/repositories/mpapis/rvm/refs/tags?sort=-name&pagelen=20
ERROR: Exhausted all sources trying to fetch version 'latest' of RVM!
What is the version of cURL in your server?
This might shed some light: cURL SSL connect error 35 with NSS error -5961
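The import output in the question above reports short key ID D39DC0E3 for two different user IDs and counts three keys for two requested fingerprints. A short ID is only the last 8 hex digits of the fingerprint and is not unique, so a keyring is best checked against the full fingerprints. The following is an added example, not part of the original posts; the function names and the third fingerprint in the sample listing are constructed for illustration.

```shell
# Added example: audit a keyring listing against pinned full fingerprints.
# stdin: output of `gpg --with-colons --fingerprint`; args: expected fingerprints.
audit_keyring() {
  awk -F: -v expected="$*" '
    BEGIN {
      n = split(expected, e, " ")
      for (i = 1; i <= n; i++) want[toupper(e[i])] = 1
    }
    $1 == "pub" { in_pub = 1; next }   # primary key record
    $1 == "sub" { in_pub = 0; next }   # skip subkey fingerprints
    $1 == "fpr" && in_pub {
      in_pub = 0
      fpr = toupper($10)               # field 10 holds the full fingerprint
      seen[fpr] = 1
      if (!(fpr in want)) {
        verdict = "UNEXPECTED"
        sid = substr(fpr, 33)          # last 8 hex digits = short key ID
        for (w in want) if (substr(w, 33) == sid) verdict = "SHORT-ID-COLLISION"
        print verdict, fpr
      }
    }
    END { for (w in want) if (!(w in seen)) print "MISSING", w }
  '
}

# Constructed sample listing: the two fingerprints requested on this page plus
# a made-up third key whose fingerprint ends in the same 8 digits, D39DC0E3.
sample_listing() {
  cat <<'EOF'
pub:-:4096:1:3804BB82D39DC0E3:0:::-:
fpr:::::::::409B6B1796C275462A1703113804BB82D39DC0E3:
pub:-:4096:1:89ABCDEFD39DC0E3:0:::-:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFD39DC0E3:
pub:-:4096:1:105BD0E739499BDB:0:::-:
fpr:::::::::7D2BAF1CF37B13E2069D6956105BD0E739499BDB:
EOF
}

# prints: SHORT-ID-COLLISION 0123456789ABCDEF0123456789ABCDEFD39DC0E3
sample_listing | audit_keyring \
  409B6B1796C275462A1703113804BB82D39DC0E3 \
  7D2BAF1CF37B13E2069D6956105BD0E739499BDB
```

On a real system, pipe `gpg --with-colons --fingerprint` into `audit_keyring` with the fingerprints published by the project; any output line means the keyring differs from what was pinned.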
I am trying to install RVM on my Ubuntu system using this blog: https://rvm.io/
When I run these commands
gpg2 --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
\curl -sSL https://get.rvm.io | bash -s stable
I am getting this problem.
Downloading https://github.com/rvm/rvm/archive/1.29.9.tar.gz
Downloading https://github.com/rvm/rvm/releases/download/1.29.9/1.29.9.tar.gz.asc
gpg: Signature made Wednesday 10 July 2019 02:01:02 PM IST
gpg: using RSA key 7D2BAF1CF37B13E2069D6956105BD0E739499BDB
gpg: Good signature from "Piotr Kuczynski <piotr.kuczynski#gmail.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7D2B AF1C F37B 13E2 069D 6956 105B D0E7 3949 9BDB
GPG verified '/usr/share/rvm/archives/rvm-1.29.9.tgz'
tar: binscripts: Cannot utime: Operation not permitted
tar: config/solaris: Cannot utime: Operation not permitted
tar: config: Cannot utime: Operation not permitted
tar: contrib/hudson: Cannot utime: Operation not permitted
tar: contrib: Cannot utime: Operation not permitted
tar: docs: Cannot utime: Operation not permitted
I think keys are not working. Does anyone know how to solve this problem?
Looks like the ubuntu rvm package is already installed and you are trying to install rvm again. If you installed using the package, there is no need to run the manual install steps, rvm will work.
To remove the package, just use sudo apt purge rvm. After it finishes, check if you have any presence of /usr/share/rvm and delete the folder in case it's present.
After that, you can get the latest rvm through the steps you are already doing.
I am trying to install RVM in my Ubuntu machine with the following info:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04 LTS
I am doing this by following the official RVM guide, presented here:
https://rvm.io/rvm/install
However I fail in the very first command, I cannot import mpapi's public key (even when using sudo):
gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
I get the following error:
fl4m3ph03n1x: ~ $ sudo gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
gpg: WARNING: unsafe ownership on configuration file `/home/fl4m3ph03n1x/.gnupg/gpg.conf'
gpg: external program calls are disabled due to unsafe options file permissions
gpg: keyserver communications error: general error
gpg: keyserver receive failed: general error
At first I thought that the problem was a permission issue (by checking the warning), but after reading and trying out the solution in the discussion below nothing changed.
gpg: WARNING: unsafe ownership on configuration file, $gpg --fingerprint on Ubuntu9.10
Here are the permissions on the file:
fl4m3ph03n1x: ~ $ ls -ld /home/fl4m3ph03n1x/.gnupg/gpg.conf
-rwx------ 1 fl4m3ph03n1x fl4m3ph03n1x 9398 Jul 21 14:43 /home/fl4m3ph03n1x/.gnupg/gpg.conf
fl4m3ph03n1x: ~ $ ls -l /home/fl4m3ph03n1x/.gnupg/gpg.conf
-rwx------ 1 fl4m3ph03n1x fl4m3ph03n1x 9398 Jul 21 14:43 /home/fl4m3ph03n1x/.gnupg/gpg.conf
What am I doing wrong ? How can I fix my problem?
It turns out that the problem was indeed fixed by file permissions. There are a few things I want to point out however.
The solution for this problem lies in changing the permissions of several files in cascade.
For a more complete answer on permissions, I recommend this discussion, suggested by Maxim Pontyushenko:
gpg: WARNING: unsafe ownership on configuration file, $gpg --fingerprint on Ubuntu9.10
Now for the solution itself. You must change the ownership and the read/write permissions of the following files, in the following order:
/home/[username]/.gnupg/gpg.conf
/home/[username]/.gnupg/pubring.gpg
/home/[username]/.gnupg/trustdb.gpg
You must change the permissions on these 3 files in this specific order.
Additionally, do not run the gpg command using sudo.
If you do it, you will be stuck on an error regarding safe file permissions to which I was not able to find any solution.
Instead, run the gpg command using your username.
I hope this helps the next person having problems. Kudos++ to all who commented!