MYSQL fails to install due to incorrect GPG Key #36231
Comments
Looks like Oracle did it again and changed their key. |
Similar to #20912 |
A quick workaround that should fix it if anyone sees the problem (I can't reproduce it - likely due to timezone). I will come up with some better fix also for historical images but this should fix it for now (add it to your Dockerfile).

```dockerfile
USER root
RUN sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys A8D3785C
RUN apt-get update ...
```
|
I added both the lines suggested in the issues and keep getting the error with this image
Even this which is not recommended doesn't pass the error
|
Is time set properly on your host ? |
I am in Europe just like you. |
How about this: RUN sudo gpg --recv-keys 3A79BD29 |
( and I am talking about time not timezone) - whether your time is set properly on your machine |
This isn't working for me either; a not so great workaround to get my builds to continue is just to remove mysql for now |
Can anyone post the full log of failing installation in text form, please? |
I think the new key version is: A8D3785C |
|
[error]#7 0.874 Get:12 http://deb.debian.org/debian-security bullseye-security/main amd64 Packages [260 kB] |
Did it work @souzagmu ? |
and then got the
|
It looks as though the apt repository still has the old gpg key set: https://repo.mysql.com/apt/debian/conf/distributions |
I think it might depend on which cache you hit |
For us we couldn't get the reference to the old key to go away. If it's hardcoded in the repo itself, this would explain it. Right now, for us what works is to remove the mysql repo from the sources in our docker image based on so
|
Yeah. That's a quick fix if you need no mysql. I still cannot reproduce it even if I run it from scratch. So I think it really depends which cache you hit ... I am afraid we have to wait until cache refreshes globally and then fix it. |
If you are not sure of the GPG signature or can't find the
|
I think the problem might be on Oracle side, packages are signed by expired key

> Note: The 3A79BD29 key expires on 2023-12-14. A new replacement key (A8D3785C) will sign upcoming MySQL 8.0.36 and higher packages. Both keys are installed by the MySQL repository setup packages released with MySQL 8.0.35, and both keys are also available at https://repo.mysql.com/.

I've tried to reproduce on main and this also happens to me on x86_64, ARM64 not affected as usual because it uses MariaDB client libraries

```bash
docker build . \
  --build-arg DOCKER_CONTEXT_FILES=./docker-context-files \
  --build-arg INSTALL_MYSQL_CLIENT="true" \
  --build-arg INSTALL_MYSQL_CLIENT_TYPE=mysql \
  --build-arg INSTALL_MSSQL_CLIENT="true" \
  --build-arg INSTALL_POSTGRES_CLIENT="true" \
  --tag "airflow-image:dec-15"
```
Then I've tried to replace airflow/scripts/docker/install_mysql.sh Line 78 in 01fd0d3

by adding both keys

```bash
export_key "467B942D3A79BD29" "mysql-2022"
export_key "A8D3785C" "mysql-2023"
```

then I've got

```
7.158 Reading package lists...
7.428 W: GPG error: http://repo.mysql.com/apt/debian bookworm InRelease: The following signatures were invalid: EXPKEYSIG 467B942D3A79BD29 MySQL Release Engineering <mysql-build@oss.oracle.com>
7.428 E: The repository 'http://repo.mysql.com/apt/debian bookworm InRelease' is not signed.
------
Dockerfile:1506
--------------------
1505 | # That also protects against AUFS Docker backend problem where changing the executable bit required sync
1506 | >>> RUN bash /scripts/docker/install_mysql.sh prod \
1507 | >>> && bash /scripts/docker/install_mssql.sh prod \
1508 | >>> && bash /scripts/docker/install_postgres.sh prod \
1509 | >>> && adduser --gecos "First Last,RoomNumber,WorkPhone,HomePhone" --disabled-password \
1510 | >>> --quiet "airflow" --uid "${AIRFLOW_UID}" --gid "0" --home "${AIRFLOW_USER_HOME_DIR}" \
1511 | >>> # Make Airflow files belong to the root group and are accessible. This is to accommodate the guidelines from
1512 | >>> # OpenShift https://docs.openshift.com/enterprise/3.0/creating_images/guidelines.html
1513 | >>> && mkdir -pv "${AIRFLOW_HOME}" \
1514 | >>> && mkdir -pv "${AIRFLOW_HOME}/dags" \
1515 | >>> && mkdir -pv "${AIRFLOW_HOME}/logs" \
1516 | >>> && chown -R airflow:0 "${AIRFLOW_USER_HOME_DIR}" "${AIRFLOW_HOME}" \
1517 | >>> && chmod -R g+rw "${AIRFLOW_USER_HOME_DIR}" "${AIRFLOW_HOME}" \
1518 | >>> && find "${AIRFLOW_HOME}" -executable -print0 | xargs --null chmod g+x \
1519 | >>> && find "${AIRFLOW_USER_HOME_DIR}" -executable -print0 | xargs --null chmod g+x
1520 |
--------------------
```

When I keep only the new one

```bash
export_key "A8D3785C" "mysql"
```

then I've got

```
14.63 Reading package lists...
14.89 W: GPG error: http://repo.mysql.com/apt/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
14.89 E: The repository 'http://repo.mysql.com/apt/debian bookworm InRelease' is not signed.
------
Dockerfile:1505
--------------------
1504 | # That also protects against AUFS Docker backend problem where changing the executable bit required sync
1505 | >>> RUN bash /scripts/docker/install_mysql.sh prod \
1506 | >>> && bash /scripts/docker/install_mssql.sh prod \
1507 | >>> && bash /scripts/docker/install_postgres.sh prod \
1508 | >>> && adduser --gecos "First Last,RoomNumber,WorkPhone,HomePhone" --disabled-password \
1509 | >>> --quiet "airflow" --uid "${AIRFLOW_UID}" --gid "0" --home "${AIRFLOW_USER_HOME_DIR}" \
1510 | >>> # Make Airflow files belong to the root group and are accessible. This is to accommodate the guidelines from
1511 | >>> # OpenShift https://docs.openshift.com/enterprise/3.0/creating_images/guidelines.html
1512 | >>> && mkdir -pv "${AIRFLOW_HOME}" \
1513 | >>> && mkdir -pv "${AIRFLOW_HOME}/dags" \
1514 | >>> && mkdir -pv "${AIRFLOW_HOME}/logs" \
1515 | >>> && chown -R airflow:0 "${AIRFLOW_USER_HOME_DIR}" "${AIRFLOW_HOME}" \
1516 | >>> && chmod -R g+rw "${AIRFLOW_USER_HOME_DIR}" "${AIRFLOW_HOME}" \
1517 | >>> && find "${AIRFLOW_HOME}" -executable -print0 | xargs --null chmod g+x \
1518 | >>> && find "${AIRFLOW_USER_HOME_DIR}" -executable -print0 | xargs --null chmod g+x
1519 |
--------------------
```

Even the latest one provided by the Oracle APT repo configurator (mysql-apt-config_0.8.28-1_all.deb) uses RPM-GPG-KEY-mysql-2022 and not RPM-GPG-KEY-mysql-2023.

@potiuk Maybe it is a good point to switch to MariaDB client libraries by default for x86_64? Because I guess we have a chance to get the same troubleshooting at the end of 2024. And this is not the first time that Oracle MySQL libraries have some problem when MariaDB does not, e.g.: |
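The two failures in the comment above point at the repository metadata rather than the local keyring: the same key ID is reported as missing when absent and as expired when present. The following is an added example, not part of the thread or of Airflow's scripts; the function names are hypothetical and the sample input is constructed from the two warnings quoted above.

```shell
#!/bin/sh
# Added example: triage apt signature failures from `apt-get update` output.

# Constructed sample: the two GPG warnings quoted in the comment above.
sample_log() {
cat <<'EOF'
7.428 W: GPG error: http://repo.mysql.com/apt/debian bookworm InRelease: The following signatures were invalid: EXPKEYSIG 467B942D3A79BD29 MySQL Release Engineering <mysql-build@oss.oracle.com>
7.428 E: The repository 'http://repo.mysql.com/apt/debian bookworm InRelease' is not signed.
14.89 W: GPG error: http://repo.mysql.com/apt/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 467B942D3A79BD29
EOF
}

# One line per failing signature: "<repo> <suite> <status> <key-id>".
apt_gpg_failures() {
    awk '/GPG error:/ {
        # Find the "GPG error:" tokens; repo URL and suite follow them.
        for (i = 2; i <= NF; i++) if ($(i-1) == "GPG" && $i == "error:") break
        for (j = i + 3; j < NF; j++)
            if ($j == "EXPKEYSIG" || $j == "NO_PUBKEY")
                print $(i+1), $(i+2), $j, $(j+1)
    }'
}

# Say what each failure means for the build.
apt_gpg_verdict() {
    apt_gpg_failures | while read -r repo suite status keyid; do
        case "$status" in
            # Key is in the keyring but past its expiry: re-importing the same key changes nothing.
            EXPKEYSIG) echo "$keyid signed-by-expired-key $repo $suite" ;;
            # Key is absent from the keyring that apt consulted.
            NO_PUBKEY) echo "$keyid key-not-in-keyring $repo $suite" ;;
        esac
    done
}

# Key IDs the repository metadata was signed with, according to the failures.
repo_signing_keys() {
    apt_gpg_failures | awk '{ print $4 }' | sort -u
}

sample_log | apt_gpg_verdict
```

On the sample, `repo_signing_keys` returns only `467B942D3A79BD29`, so trusting the replacement key alone cannot make this repository verify.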
Clarification: at the end of October 2025

```
pub rsa4096 2023-10-23 [SC] [expires: 2025-10-22]
BCA43417C3B485DD128EC6D4B7B3B788A8D3785C
uid MySQL Release Engineering <mysql-build@oss.oracle.com>
sub rsa4096 2023-10-23 [E] [expires: 2025-10-22]
```
|
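Since the replacement key carries its own expiry date, a build can check a pinned key file before trusting it and fail early with a clear reason. This is an added example, not from the thread or the Airflow repository; `check_pinned_key` is a hypothetical name, and the colon-format record is constructed from the fingerprint and dates shown above (timestamps set to midnight UTC).

```shell
#!/bin/sh
# Added example: verify a pinned apt signing key before an image build trusts it.
# stdin: output of `gpg --show-keys --with-colons <keyfile>` for a single key.
# usage: check_pinned_key <expected-fingerprint> <now-epoch> <min-days-left>
# Prints one status word and returns 0 only for "ok".
check_pinned_key() {
    awk -F: -v want="$1" -v now="$2" -v min="$3" '
    # pub record: field 7 is the expiry as seconds since the epoch (empty = never).
    $1 == "pub" { expires = $7; primary = 1; next }
    # The first fpr record after pub carries the primary key fingerprint in field 10.
    $1 == "fpr" && primary && fpr == "" { fpr = $10; primary = 0 }
    $1 == "sub" { primary = 0 }
    END {
        if (fpr != want)    { print "fingerprint-mismatch"; exit 1 }
        if (expires == "")  { print "ok"; exit 0 }
        if (expires <= now) { print "expired"; exit 1 }
        left = int((expires - now) / 86400)
        if (left < min)     { print "expires-in-" left "-days"; exit 1 }
        print "ok"
    }'
}

# Constructed sample record: created 2023-10-23, expires 2025-10-22.
sample_key() {
cat <<'EOF'
pub:-:4096:1:B7B3B788A8D3785C:1698019200:1761091200:
fpr:::::::::BCA43417C3B485DD128EC6D4B7B3B788A8D3785C:
uid:-::::1698019200::::MySQL Release Engineering <mysql-build@oss.oracle.com>:
EOF
}

# Demo with a fixed clock (2025-01-01 UTC) and a 30-day warning window.
sample_key | check_pinned_key BCA43417C3B485DD128EC6D4B7B3B788A8D3785C 1735689600 30
```

In a real build the second argument would be `$(date +%s)`, and a non-zero return should stop the build before `apt-get update` runs.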
Yes. That's a good point @Taragolis - I forgot the ARM vs. X86 difference. There are two bugs already issued for MySQL - pretty much everyone who installs MySQL is affected. The problem is that a number of their repositories is still signed with the expired key and it's impossible to install MySQL with either of the keys https://bugs.mysql.com/bug.php?id=113427 Apparently there are people there who viciously keep on refreshing the repository configuration in the hopes that MySQL will re-sign the repos. I commented on it. For now I will add both keys now hoping that they will fix it quickly AND switch to MariaDB for CI as at the moment we change it, our CI will start failing (and we will test if all tests pass). We already have our CI showing the same errors - our CI - docker production examples - started to fail with the same error https://github.com/apache/airflow/actions/runs/7216372073/job/19662473895 |
2.5.* are next to go. |
The 2.5.* images are patched @portoedu - let me know if it works for you (make sure to pull the images rather than using cache). |
The 2.4.* images are patched:. Again request to maintainer :) |
2.3.* images patched. |
@portoedu - let us know if your 2.5.3 images work |
2.2.* patched. |
2.1.* patched |
2.0.* patched. |
Everyone who watched it - all the past released images of Airflow should have been patched with the new keys (and they should be also resilient to 2025 changes of the key - the mysql repository has been removed from apt repos (mysql is still installed in the images)). Closing the issue now - finally. |
I also commented on all the issues opened in MySQL for that one, because I believe the policy of MySQL on signing their repositories is deeply flawed and suggested them to change it. Here is the comment I made:
|
Hi there, for those using Debian, and having the "apt-key is deprecated. Manage keyring files in trusted.gpg.d instead." You should save a file in the trusted.gpg.d folder with the new key:
Then update and upgrade as usual. Edit: added the gpg --dearmor as it needs to be binary for apt to read. |
Yep. Not needed anymore for Airflow images (you can just re-pull the images and the key is added there as well as mysql Repo removed, but for generic debian-based images the above should work (after Oracle/MySQL resigned they repos that is). |
any solution for mysql:5.7-debian? my Dockerfile:

```dockerfile
FROM mysql:5.7-debian
# http://mirrors.aliyun.com/debian
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
RUN apt-get update && apt-get install -y --no-install-recommends \
    iputils-ping \
    vim-tiny \
    telnet \
    net-tools \
    pv \
    wget \
    && rm -rf /var/lib/apt/lists/*
COPY ./db-init.sql /docker-entrypoint-initdb.d/
EXPOSE 3306
```
|
Well. I can just repeat what I already wrote in #36231 (comment)
They are aware about the issue, they were told that their bad policy made their own images unusable, and we told them that they need to regenerate their images. If they did not (you might try to pull them again and see if they did) then you need to ask them how to fix it. I don't think anyone here is going to spend their time on fixing MySQL images in Airflow discussion. We are all here volunteers and MySQL/Oracle has paid staff that should take care about fixing the problem they created in the first place. |
In addition, MySQL 5.7 has been End Of Life since the end of October 2023 |
pgp.mit.edu has been decommissioned saltstack/salt#63806 (comment) is there another server to replace it that holds the key? Edit: Tried some other servers and it retrieves it but still failed with no public key available. |
Any - look it up in comments. I think most people in the discussions above (including Airflow image) use |
airflow/scripts/docker/common.sh Lines 92 to 100 in 43acc4f
|
Workaround for docker-library/mysql#1016 as provided in apache/airflow#36231. Signed-off-by: David Enyeart <enyeart@us.ibm.com>
patch: patch the installation failure caused by the MySQL signing key expiring in apt apache/airflow#36231
my solution

```dockerfile
FROM mysql:5.7-debian
# http://mirrors.aliyun.com/debian
RUN rm /etc/apt/sources.list.d/mysql.list
RUN apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 467B942D3A79BD29
RUN apt-get update && apt-get install -y --no-install-recommends \
    iputils-ping \
    vim-tiny \
    telnet \
    net-tools \
    pv \
    wget \
    && rm -rf /var/lib/apt/lists/*
COPY ./db-init.sql /docker-entrypoint-initdb.d/
EXPOSE 3306
```
|
This fixed the issue, thank you @pilipe-ar

```bash
sudo wget https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 -O /etc/apt/trusted.gpg.d/mysql2023
```
|
Discussed in #36230
Originally posted by furquan39 December 14, 2023
Apache Airflow version
Other Airflow 2 version (please specify below)
If "Other Airflow 2 version" selected, which one?
2.4.1
What happened?
When attempting to rebuild an apache airflow image, we are getting failures during our builds when trying to run apt-get update.
The error we see:
What you think should happen instead?
The airflow image should build successfully without any errors.
How to reproduce
Create a Dockerfile. Add the following lines to the Dockerfile:
```dockerfile
FROM apache/airflow:2.4.1-python3.8
ENV SSH_PASSWD "root:Docker!"
RUN pip3 install msal Authlib flask_oauthlib azure-storage-file-datalake apache-airflow-providers-databricks==3.1.0
USER root
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
    openssh-server \
    && apt-get autoremove -yqq --purge \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
```
Operating System
Debian 11
Versions of Apache Airflow Providers
No response
Deployment
Docker-Compose
Deployment details
No response
Anything else?
Seems like a similar issue to this: #20911
Are you willing to submit PR?
Code of Conduct