postgres:10.0 apt-key misconfiguration / trusted.gpg read permissions

Created on 12 Oct 2017 · 12 Comments · Source: docker-library/postgres

Hey folks,

Hope you're having a fine day! :)
I wanted to use the postgres 10 debian image as a base for a Citus 7.0 image, but due to some trouble with apt repository authentication/verification I fail to install some packages. A workaround would be to allow unauthenticated installs... which I really don't want to do for obvious reasons. :)

So, I've noticed that apt throws some gpg-key related warnings when running apt update in a fresh postgres:10.0 container.
I'm not 100% sure if this isn't an upstream issue, however running apt update in debian:stretch gives me no warnings so I assume that the behaviour is introduced in the postgres Dockerfile.

The warnings I encountered are that /etc/apt/trusted.gpg is ignored because it's not readable by the _apt user. Giving the correct permissions (644 - which are the same as the other files in /etc/apt/trusted.gpg.d/ have) then leads to more warnings, this time due to missing public keys:

W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://deb.debian.org/debian stretch Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://security.debian.org stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FCC7D46ACCC4CF8
W: Failed to fetch http://deb.debian.org/debian/dists/stretch-updates/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010
W: Failed to fetch http://security.debian.org/dists/stretch/updates/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: Failed to fetch http://apt.postgresql.org/pub/repos/apt/dists/stretch-pgdg/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FCC7D46ACCC4CF8
W: Failed to fetch http://deb.debian.org/debian/dists/stretch/Release.gpg  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 8B48AD6246925553 NO_PUBKEY 7638D0442B90D010 NO_PUBKEY EF0F382A1A7B6500
W: Some index files failed to download. They have been ignored, or old ones used instead.

Any help would be greatly appreciated! :)

Best regards,
Kai

All 12 comments

Hi Kai,
Have you checked this pull request? https://github.com/citusdata/docker/pull/43

These are just warnings and should be harmless, although it'd be great if we could figure out why this file is being created and avoid it! :sweat_smile:

Although the warnings you've posted look a lot more serious than the ones I get when I run that same command:

$ docker run --rm postgres:10 apt-get update
Get:1 http://security.debian.org stretch/updates InRelease [62.9 kB]
Get:4 http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease [41.3 kB]
Ign:2 http://cdn-fastly.deb.debian.org/debian stretch InRelease
Get:3 http://cdn-fastly.deb.debian.org/debian stretch-updates InRelease [91.0 kB]
Get:5 http://cdn-fastly.deb.debian.org/debian stretch Release [118 kB]
Get:6 http://cdn-fastly.deb.debian.org/debian stretch Release.gpg [2,479 B]
Get:7 http://security.debian.org stretch/updates/main amd64 Packages [222 kB]
Get:8 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 Packages [145 kB]
Get:9 http://cdn-fastly.deb.debian.org/debian stretch-updates/main amd64 Packages [5,841 B]
Get:10 http://cdn-fastly.deb.debian.org/debian stretch/main amd64 Packages [9,500 kB]
Fetched 10.2 MB in 1s (6,117 kB/s)
Reading package lists...
W: http://security.debian.org/dists/stretch/updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://apt.postgresql.org/pub/repos/apt/dists/stretch-pgdg/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/stretch-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/stretch/Release.gpg: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key.

@tianon
according to "citusdata/docker/Dockerfile - PG10" probably the root of the problem is the bad GPG file on Debian Stretch.

my test:

$ docker run --rm postgres:10 /bin/bash -c "rm -f /etc/apt/trusted.gpg && apt-get update" 
Get:1 http://security.debian.org stretch/updates InRelease [62.9 kB]
Ign:2 http://deb.debian.org/debian stretch InRelease
Get:3 http://deb.debian.org/debian stretch-updates InRelease [91.0 kB]
Get:4 http://deb.debian.org/debian stretch Release [118 kB]
Get:5 http://deb.debian.org/debian stretch Release.gpg [2,479 B]
Get:6 http://security.debian.org stretch/updates/main amd64 Packages [222 kB]
Get:7 http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease [41.3 kB]
Get:8 http://deb.debian.org/debian stretch-updates/main amd64 Packages [5,841 B]
Get:9 http://deb.debian.org/debian stretch/main amd64 Packages [9,500 kB]
Get:10 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 Packages [145 kB]
Fetched 10.2 MB in 4s (2,525 kB/s)
Reading package lists...

Right, that removes the warnings, but they're harmless in the first place
-- I don't know where Kai's warnings are coming from (since they're much
more serious).

I think @yosifkit has a lead on where the trusted.gpg file is coming from
though -- more to come.

Instead of removing the file I "fixed" the read permissions. That's why I
get those other warnings. (Sorry, should've stressed that point more in my
original posting.)
But apparently removing it is okay.. so I'll do that :)

Tracked it down to the pgdg-keyring package, and filed https://github.com/ChristophBerg/pgdg-keyring/pull/1. :+1:

@ImreSamu thanks for the link! I'll take a look at what jasonmp85 changed in the deb.sh to see what's necessary.

Thank you all for your super quick responses! :)

@kaikuchn — talking about me without an @ sign?!?

Be sure to share your findings about whether Christoph's updated keyring package fixes this, so I can remove the workaround in our images!

In case anyone else is interested: it does not appear to be fixed yet in the PostgreSQL 10.0 package (I still need the rm in my Dockerfile).

Seems to be fixed in the latest push of postgres:10: :tada: :balloon:

$ docker pull postgres:10
10: Pulling from library/postgres
Digest: sha256:98488a9218ac8173280bb1e59339db151faaa83060fca9cfb57752ff96b828fd
Status: Image is up to date for postgres:10

$ docker run -it --rm postgres:10 ls -l /etc/apt/trusted.gpg
ls: cannot access '/etc/apt/trusted.gpg': No such file or directory

Great! I was able to remove my workaround for this in my recent Citus image builds.
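
An added example, not part of the thread or of the docker-library/postgres project: shell helpers a derived-image build could use to tell apart the two kinds of apt warning quoted in this thread (the unreadable /etc/apt/trusted.gpg notice versus NO_PUBKEY signature failures) and to report the state of the keyring file. The function names are hypothetical, and the sample lines are copied from the output posted above.

```shell
#!/bin/sh
# Sample lines copied from the apt output quoted in this thread.
SAMPLE_UNREADABLE="W: http://deb.debian.org/debian/dists/stretch/Release.gpg: The key(s) in the keyring /etc/apt/trusted.gpg are ignored as the file is not readable by user '_apt' executing apt-key."
SAMPLE_NO_PUBKEY="W: Failed to fetch http://security.debian.org/dists/stretch/updates/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9D6D8F6BC857C906 NO_PUBKEY 8B48AD6246925553
W: Failed to fetch http://apt.postgresql.org/pub/repos/apt/dists/stretch-pgdg/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7FCC7D46ACCC4CF8"

# Read `apt-get update` output on stdin and print one verdict:
#   unverified         - a repository signature could not be checked (NO_PUBKEY)
#   keyring-unreadable - only the "not readable by user '_apt'" notice appears
#   clean              - neither warning is present
classify_apt_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'NO_PUBKEY'; then
        echo unverified
    elif printf '%s\n' "$out" | grep -q 'are ignored as the file is not readable by user'; then
        echo keyring-unreadable
    else
        echo clean
    fi
}

# Print the unique key IDs apt reported as missing, one per line, sorted.
missing_key_ids() {
    grep -o 'NO_PUBKEY [0-9A-F]*' | cut -d' ' -f2 | sort -u
}

# Report whether a keyring file is absent, readable by "other" (which is
# how the unprivileged _apt user reaches it), or restricted.
keyring_state() {
    f=$1
    [ -e "$f" ] || { echo absent; return; }
    # Character 8 of the ls mode string is the "other" read bit.
    case $(ls -ld "$f" | cut -c8) in
        r) echo world-readable ;;
        *) echo restricted ;;
    esac
}

# Demo on the constructed samples and on this machine's keyring path.
printf '%s\n' "$SAMPLE_UNREADABLE" | classify_apt_output
printf '%s\n' "$SAMPLE_NO_PUBKEY" | classify_apt_output
printf '%s\n' "$SAMPLE_NO_PUBKEY" | missing_key_ids
keyring_state /etc/apt/trusted.gpg
```

In a Dockerfile `RUN` step, piping `apt-get update 2>&1` through `classify_apt_output` and failing the build on `unverified` keeps signature checking enforced without resorting to unauthenticated installs.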