pacman-key cannot locally sign third party keys
Created by: yan12125
For example, building the following Dockerfile:
FROM archlinux/base
# `pacman-key --recv-keys` does not work well with the default server
ADD https://dl.chyen.cc/lilac.key /
RUN echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf && \
pacman -Sy --noconfirm && \
pacman-key --add /lilac.key && \
pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E && \
pacman -S --noconfirm python-git
CMD ["python3.9"]
fails with:
$ docker build --tag=python3.9 .
Sending build context to Docker daemon 2.048kB
Step 1/4 : FROM archlinux/base
---> 5e2b896c9d63
Step 2/4 : ADD https://dl.chyen.cc/lilac.key /
Downloading [==================================================>] 3.098kB/3.098kB
---> 65c483d90e69
Step 3/4 : RUN echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf && pacman -Sy --noconfirm && pacman-key --add /lilac.key && pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E && pacman -S --noconfirm python-git
---> Running in 47a88e86f434
:: Synchronizing package databases...
downloading core.db...
downloading extra.db...
downloading community.db...
downloading archlinuxcn.db...
==> Updating trust database...
gpg: next trustdb check due at 2019-10-03
==> ERROR: There is no secret key available to sign with.
==> Use 'pacman-key --init' to generate a default secret key.
The command '/bin/sh -c echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf && pacman -Sy --noconfirm && pacman-key --add /lilac.key && pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E && pacman -S --noconfirm python-git' returned a non-zero code: 1
Looks like private keys are excluded from this Docker image [1]. Is it intentional? If so, it might be better to document that the pacman keyring needs to be re-initialized before using third party keys.
[1] https://github.com/archlinux/archlinux-docker/blob/master/exclude#L6
Edited by Sven-Hendrik Haase
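A corrected Dockerfile, added here as an example and not the reporter's file, showing the same steps with the local pacman keyring re-initialized before the third-party key is added and locally signed. The assumptions are that `pacman-key --init` regenerates the local master (secret) key that `--lsign-key` signs with, that `pacman-key --populate archlinux` is needed afterwards so the official Arch master keys are re-signed by the fresh local key, and that the repository key URL and fingerprint are the ones from the report above.

```dockerfile
# Added example: the reporter's Dockerfile with the keyring initialized first.
FROM archlinux/base

# Assumption: the repository key is fetched the same way as in the report.
ADD https://dl.chyen.cc/lilac.key /

RUN echo $'[archlinuxcn]\nServer = https://repo.archlinuxcn.org/$arch' >> /etc/pacman.conf && \
    # The image ships without a local secret key; --lsign-key signs with that
    # key, so it has to be generated before any third-party key is signed.
    pacman-key --init && \
    # Re-sign the Arch master keys with the fresh local key so the official
    # repositories remain trusted after --init (assumption: the archlinux
    # keyring is already present in the base image).
    pacman-key --populate archlinux && \
    pacman -Sy --noconfirm && \
    pacman-key --add /lilac.key && \
    # Local signature only for the fingerprint verified out of band; this is
    # the trust decision that lets pacman accept packages signed by that key.
    pacman-key --lsign-key 83F817213361BF5F02E7E124F9F9FA97A403F63E && \
    pacman -S --noconfirm python-git
CMD ["python3.9"]
```

Comment lines inside the continued RUN instruction are stripped by the Dockerfile parser before the command is assembled, so the command runs as a single `&&` chain. After the build, `pacman-key --list-sigs 83F817213361BF5F02E7E124F9F9FA97A403F63E` inside the image should show the local key's signature on the third-party key, which confirms the secret key existed when `--lsign-key` ran.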