PGP key expiration #1016
Comments
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
|
Is https://keyserver.ubuntu.com/pks/lookup?search=mysql-build%40oss.oracle.com&fingerprint=on&op=index |
|
If you're just looking to build a docker file from the MySQL Debian images you can just add this rm /etc/apt/sources.list.d/mysql.listto your Dockerfile or run in your container before doing any |
|
Oh interesting, https://repo.mysql.com/RPM-GPG-KEY-mysql-2023 wasn't listed on https://repo.mysql.com/ yesterday 👀 This does require that Oracle / MySQL re-sign their APT repo with the new key if we're supposed to swap though, and I'm not sure yet if they've done that step. root@519c19c8b144:/# wget -qO- 'https://repo.mysql.com/RPM-GPG-KEY-mysql-2023' | gpg --import
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B7B3B788A8D3785C: public key "MySQL Release Engineering <mysql-build@oss.oracle.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@519c19c8b144:/# gpg --fingerprint
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2023-10-23 [SC] [expires: 2025-10-22]
BCA4 3417 C3B4 85DD 128E C6D4 B7B3 B788 A8D3 785C
uid [ unknown] MySQL Release Engineering <mysql-build@oss.oracle.com>
sub rsa4096 2023-10-23 [E] [expires: 2025-10-22] |
|
They have been uploaded to debian, we have been able to use the new signed copies. I dont know about other distrabutions. |
|
@glennslaven thank you for the workaround and @yosifkit thank you for the fix. Can we estimate when it will be available through the Docker |
It will not be updated; the |
|
What about the older images like mysql:5.7.42-debian. It should be supported as many productions are running with it. |
|
Unfortunately, we cannot control MySQL upstream's support or end of life (we're merely packagers of what they publish). |
Workaround for docker-library/mysql#1016 as provided in apache/airflow#36231. Signed-off-by: David Enyeart <enyeart@us.ibm.com>
Workaround for docker-library/mysql#1016. Signed-off-by: David Enyeart <enyeart@us.ibm.com>
|
"Hooray", hitting the RPM repos now 😄 |
Looks like https://bugs.mysql.com/bug.php?id=85029 has resurged today with an expiration of the PGP key used for signing MySQL releases. 😅
It appears that RPM/DNF/YUM don't mind the key being expired, but APT sure does, and fails our (re)builds on 8.0 and 5.7 (Debian-based images).
@ltangvald do you think there's a chance of this key getting a renewed expiration date? If not, we'll probably consider applying something like https://github.com/debuerreotype/debuerreotype/blob/60b625d1ce31bd81525bb67fc3a33f9686bc3433/scripts/.gpgv-ignore-expiration.sh during our build instead (so we still get the cryptographic benefits of PGP but without honoring/failing on the expiration date).
For reference:
The text was updated successfully, but these errors were encountered: