buildah: Missing gpg key when using ubuntu / debian images

Description

When using FROM ubuntu:jammy or FROM debian:bookworm-slim, and use RUN apt-get update, I receive:

GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9

The same steps work perfectly using docker build or running apt-get update interactively in a podman / docker session using the images mentioned above.

Also debian:bullseye(-slim) and ubuntu:focal work like expected.

Steps to reproduce the issue:

  1. Create a Dockerfile containing:
FROM debian:bookworm-slim
RUN apt-get update
  1. Run podman build -t test .

Describe the results you received:

podman / buildah fails to build with:

STEP 1/2: FROM debian:bookworm-slim
STEP 2/2: RUN apt-get update
Get:1 http://deb.debian.org/debian bookworm InRelease [157 kB]
Get:2 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:3 http://deb.debian.org/debian bookworm-updates InRelease [49.6 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Err:2 http://deb.debian.org/debian-security bookworm-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
Err:3 http://deb.debian.org/debian bookworm-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Reading package lists...
W: http://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: http://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian-security/dists/bookworm-security/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-bullseye-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-buster-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-security-automatic.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: The key(s) in the keyring /etc/apt/trusted.gpg.d/debian-archive-stretch-stable.gpg are ignored as the file is not readable by user '_apt' executing apt-key.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
Error: error building at STEP "RUN apt-get update": error while running runtime: exit status 100

Describe the results you expected:

podman buildah can build the image

Output of rpm -q buildah or apt list buildah:

No rpm or apt. Using podman 4.2.0 on calculate linux.

podman info | grep build
  buildahVersion: 1.27.0

Output of buildah version:

bash: buildah: command not found

Output of podman version if reporting a podman build issue:

Client:       Podman Engine
Version:      4.2.0
API Version:  4.2.0
Go Version:   go1.18.4
Git Commit:   7fe5a419cfd2880df2028ad3d7fd9378a88a04f4
Built:        Fri Sep  2 14:33:55 2022
OS/Arch:      linux/amd64

Output of cat /etc/*release:

Calculate Linux Desktop 22.0.1 Cinnamon
DISTRIB_ID="Gentoo"
#------------------------------------------------------------------------------
# Modified Calculate Utilities 3.7.2.15
# Processed template files:
# /var/db/repos/calculate/profiles/templates/3.6/2_ac_install_merge/sys-apps/baselayout/os-release
# To modify this file, create a /etc/os-release.clt template.
#------------------------------------------------------------------------------

NAME="Calculate"
ID="calculate"
ID_LIKE="gentoo"
PRETTY_NAME="Calculate Linux Desktop 22.0.1 Cinnamon"
VERSION="22.0.1 (Cinnamon)"
VERSION_ID=22.0.1
BUILD_ID=20181228
ANSI_COLOR="1;32"
HOME_URL="https://www.calculate-linux.org"
DOCUMENTATION_URL="https://wiki.calculate-linux.org"
SUPPORT_URL="https://chat.calculate-linux.org"
BUG_REPORT_URL="https://forum.calculate-linux.org"
VARIANT_ID=desktop

Output of uname -a:

Linux calculate 5.15.29-calculate #1 SMP PREEMPT Thu Mar 17 13:22:02 UTC 2022 x86_64 Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz GenuineIntel GNU/Linux

Output of cat /etc/containers/storage.conf:

cat: /etc/containers/storage.conf: No such file or directory

About this issue

  • Original URL
  • State: closed
  • Created 2 years ago
  • Reactions: 1
  • Comments: 24 (7 by maintainers)

Most upvoted comments

For me helps change crun -> runc

Thx @mazzz1y I can confirm that this helps. Also after a fresh install, I can no longer reproduce the above issue.

+1
g-braeunlich on Jan 26, 2023

the same for me

host:
  arch: amd64
  buildahVersion: 1.28.0
  cgroupControllers:
  - cpuset
  - cpu
  - io
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: /usr/bin/conmon is owned by conmon 1:2.1.5-1
    path: /usr/bin/conmon
    version: 'conmon version 2.1.5, commit: c9f7f19eb82d5b8151fc3ba7fbbccf03fdcd0325'
  cpuUtilization:
    idlePercent: 94.64
    systemPercent: 1.48
    userPercent: 3.87
  cpus: 16
  distribution:
    distribution: arch
    version: unknown
  eventLogger: journald
  hostname: framework
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    - container_id: 65537
      host_id: 231072
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    - container_id: 65537
      host_id: 231072
      size: 65536
  kernel: 6.0.9-arch1-1
  linkmode: dynamic
  logDriver: journald
  memFree: 45481086976
  memTotal: 67131629568
  networkBackend: netavark
  ociRuntime:
    name: runc
    package: /usr/bin/runc is owned by runc 1.1.4-1
    path: /usr/bin/runc
    version: |-
      runc version 1.1.4
      spec: 1.0.2-dev
      go: go1.19
      libseccomp: 2.5.4
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: /usr/bin/slirp4netns is owned by slirp4netns 1.2.0-1
    version: |-
      slirp4netns version 1.2.0
      commit: 656041d45cfca7a4176f6b7eed9e4fe6c11e8383
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 4
      libseccomp: 2.5.4
  swapFree: 0
  swapTotal: 0
  uptime: 3h 29m 9.00s (Approximately 0.12 days)
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  volume:
  - local
registries:
  search:
  - docker.io
  - registry.fedoraproject.org
  - quay.io
  - registry.access.redhat.com
  - registry.centos.org
store:
  configFile: /home/user/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: overlay
  graphOptions:
    overlay.mount_program:
      Executable: /usr/bin/fuse-overlayfs
      Package: /usr/bin/fuse-overlayfs is owned by fuse-overlayfs 1.9-1
      Version: |-
        fusermount3 version: 3.12.0
        fuse-overlayfs: version 1.9
        FUSE library version 3.12.0
        using FUSE kernel interface version 7.31
  graphRoot: /home/user/.local/share/containers/storage
  graphRootAllocated: 33565814784
  graphRootUsed: 85016576
  graphStatus:
    Backing Filesystem: tmpfs
    Native Overlay Diff: "false"
    Supports d_type: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 1
  runRoot: /run/user/1000/containers
  volumePath: /home/user/.local/share/containers/storage/volumes
version:
  APIVersion: 4.3.1
  Built: 1668092357
  BuiltTime: Thu Nov 10 20:59:17 2022
  GitCommit: 814b7b003cc630bf6ab188274706c383f9fb9915-dirty
  GoVersion: go1.19.3
  Os: linux
  OsArch: linux/amd64
  Version: 4.3.1

For me helps change crun -> runc

Changing tmpfs to btrfs and fuse-overlayfs to overlayfs doesn’t change anything, so just ignore it here.

+1
mazzz1y on Nov 22, 2022
Read more comments on GitHub
← buildah: Missing FCAP I fail to install `httpd` into Fedora 33 container in `build-using-dockerfile`
buildah: [OSTree] Cannot build rootfs with Containerfile due to dangling files /etc/{hostname,hosts,resolv.conf} →