Skip to content

GitLab

Closed
Created by Sven-Hendrik Haase@svenstaroContributor

pacman-key cannot locally sign third party keys

Created by: yan12125

For example, building the following Dockerfile:

FROM archlinux/base

# `pacman-key --recv-keys` does not work well with the default server
ADD https://dl.chyen.cc/lilac.key /

RUN echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf && \
    pacman -Sy --noconfirm && \
    pacman-key --add /lilac.key && \
    pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E && \
    pacman -S --noconfirm python-git

CMD ["python3.9"]

fails with:

$ docker build --tag=python3.9 .
Sending build context to Docker daemon  2.048kB
Step 1/4 : FROM archlinux/base
 ---> 5e2b896c9d63
Step 2/4 : ADD https://dl.chyen.cc/lilac.key /
Downloading [==================================================>]  3.098kB/3.098kB

 ---> 65c483d90e69
Step 3/4 : RUN echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf &&     pacman -Sy --noconfirm &&     pacman-key --add /lilac.key &&     pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E &&     pacman -S --noconfirm python-git
 ---> Running in 47a88e86f434
:: Synchronizing package databases...
downloading core.db...
downloading extra.db...
downloading community.db...
downloading archlinuxcn.db...
==> Updating trust database...
gpg: next trustdb check due at 2019-10-03
==> ERROR: There is no secret key available to sign with.                                                                        
==> Use 'pacman-key --init' to generate a default secret key.                                                                    
The command '/bin/sh -c echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf &&     pacman -Sy --noconfirm &&     pacman-key --add /lilac.key &&     pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E &&     pacman -S --noconfirm python-git' returned a non-zero code: 1

Looks like private keys are excluded from this Docker image [1]. Is it intentional? If so, it might be better to document that the pacman keyring needs to be re-initialized before using third party keys.

[1] https://github.com/archlinux/archlinux-docker/blob/master/exclude#L6

Edited by Sven-Hendrik Haase
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information