Arch Linux / archlinux-docker / Issues / #18
Issue created Aug 23, 2019 by Sven-Hendrik Haase (@svenstaro, Contributor)

pacman-key cannot locally sign third party keys

Created by: yan12125

For example, building the following Dockerfile:

FROM archlinux/base

# `pacman-key --recv-keys` does not work well with the default server
ADD https://dl.chyen.cc/lilac.key /

RUN echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf && \
    pacman -Sy --noconfirm && \
    pacman-key --add /lilac.key && \
    pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E && \
    pacman -S --noconfirm python-git

CMD ["python3.9"]

fails with:

$ docker build --tag=python3.9 .
Sending build context to Docker daemon  2.048kB
Step 1/4 : FROM archlinux/base
 ---> 5e2b896c9d63
Step 2/4 : ADD https://dl.chyen.cc/lilac.key /
Downloading [==================================================>]  3.098kB/3.098kB

 ---> 65c483d90e69
Step 3/4 : RUN echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf &&     pacman -Sy --noconfirm &&     pacman-key --add /lilac.key &&     pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E &&     pacman -S --noconfirm python-git
 ---> Running in 47a88e86f434
:: Synchronizing package databases...
downloading core.db...
downloading extra.db...
downloading community.db...
downloading archlinuxcn.db...
==> Updating trust database...
gpg: next trustdb check due at 2019-10-03
==> ERROR: There is no secret key available to sign with.                                                                        
==> Use 'pacman-key --init' to generate a default secret key.                                                                    
The command '/bin/sh -c echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf &&     pacman -Sy --noconfirm &&     pacman-key --add /lilac.key &&     pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E &&     pacman -S --noconfirm python-git' returned a non-zero code: 1

Looks like private keys are excluded from this Docker image [1]. Is it intentional? If so, it might be better to document that the pacman keyring needs to be re-initialized before using third party keys.

[1] https://github.com/archlinux/archlinux-docker/blob/master/exclude#L6

Edited Aug 29, 2020 by Sven-Hendrik Haase
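
The re-initialization the report asks to have documented, as an added example (not part of the original issue or the project's own files): the same Dockerfile with `pacman-key --init` run before local signing, plus a check that the downloaded key file matches the fingerprint being signed. The `KEY_FPR` build argument is a name introduced here, and the check assumes a GnuPG version that supports `--show-keys`.

```dockerfile
FROM archlinux/base

# Fingerprint copied from the report's --lsign-key line.
# KEY_FPR is a name added for this example.
ARG KEY_FPR=83F817213361BF5F02E7E124F9F9FA97A403F63E

# `pacman-key --recv-keys` does not work well with the default server
ADD https://dl.chyen.cc/lilac.key /

# 1. pacman-key --init generates the keyring's secret key, which the report
#    says is excluded from the image, so that --lsign-key has a key to sign with.
# 2. The first "fpr" record of gpg's colon output is the primary key's
#    fingerprint; the build stops if it differs from KEY_FPR, so a replaced
#    key file at the download URL is never added or locally signed.
# 3. Only then is the key added and locally signed.
RUN echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf && \
    pacman-key --init && \
    fpr="$(gpg --show-keys --with-colons /lilac.key | awk -F: '$1 == "fpr" { print $10; exit }')" && \
    { [ "$fpr" = "$KEY_FPR" ] || { echo "unexpected key fingerprint: $fpr" >&2; exit 1; }; } && \
    pacman -Sy --noconfirm && \
    pacman-key --add /lilac.key && \
    pacman-key --lsign-key "$KEY_FPR" && \
    pacman -S --noconfirm python-git

CMD ["python3.9"]
```

`pacman-key --init` writes the new secret key under `/etc/pacman.d/gnupg`, so that key is stored in the resulting image layer.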