Update old yarn gpg key

[tlttnz2018]

Currently, when I build my image based on this image, it will generate this error

Get:1 http://deb.debian.org/debian buster InRelease [122 kB]
Get:2 http://security.debian.org/debian-security buster/updates InRelease [65.4 kB]
Get:3 http://deb.debian.org/debian buster-updates InRelease [49.3 kB]
Get:4 https://dl.yarnpkg.com/debian stable InRelease [17.1 kB]
Get:5 https://deb.nodesource.com/node_8.x buster InRelease [4619 B]
Get:6 http://security.debian.org/debian-security buster/updates/main amd64 Packages [175 kB]
Get:7 http://deb.debian.org/debian buster/main amd64 Packages [7908 kB]
Err:4 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <[email protected]>
Get:8 http://deb.debian.org/debian buster-updates/main amd64 Packages [5792 B]
Get:9 https://deb.nodesource.com/node_8.x buster/main amd64 Packages [1008 B]
Reading package lists...
�[91mW: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <[email protected]>
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.

It seems the prebuilt image of this dcoker-python-nodejs contains the old gpg key. Could you please update those images with new GPG key?

Thanks

FYI: yarnpkg/yarn#7866

[tlttnz2018]

Another FYI: I use nikolaik/python-nodejs:python3.6-nodejs8

[tlttnz2018]

Hmm, checked the version support. Seem nodev8 is out of support so that image will not longer be updated automatically.

Close this issue. Sorry for disturbing

[Daniel15]

You'll have to get whoever maintains the Docker image to update the GPG key.

[Mark-Hetherington]

I'm also seeing this on nikolaik/python-nodejs:python3.7-nodejs12. I'm not sure how the build process operates for these to know if the same root cause exists for both these versions.

[tlttnz2018]

I'm also seeing this on nikolaik/python-nodejs:python3.7-nodejs12. I'm not sure how the build process operates for these to know if the same root cause exists for both these versions.

Oops, I don't test it on new distribution. I think with the current build 2 times per day, the gpg key should be updated.

Let re open it then.

[tlttnz2018]

You'll have to get whoever maintains the Docker image to update the GPG key.

I think I posted this issue of the maintainer's repo 🤔

[Daniel15]

I think I posted this issue of the maintainer's repo 🤔

Oops, sorry, I thought you posted this in the Yarn repo. Sorry! 😅

[bodyslam]

For those who want to follow any updates you can find it here:
yarnpkg/yarn#7866

[nikolaik]

Are you still seeing this after the images have been rebuilt and using docker build --pull . ?

[Mark-Hetherington]

We use this image in a build process, and I had worked around this by adding curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - as a build step.
I've removed that and run a new build (which should pull new images), which has succeeded.

I believe the issue is now resolved.

[nikolaik]

Closing based on Mark's comment, thank you! 🤗

[gzamaury]

Since apt-key was deprecated, this works for me:

ENV YARNKEY=yarn-keyring.gpg
RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo gpg --dearmour -o /usr/share/keyrings/$YARNKEY && \
echo "deb [signed-by=/usr/share/keyrings/$YARNKEY] https://dl.yarnpkg.com/debian stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
RUN apt-get update 

Source: https://tickets.dominodatalab.com/hc/en-us/articles/12830637385364-Yarn-Package-invalid-key