[ros] install dedicated deb to setup apt gpg key instead of installing keys the old way #19162
The humble and jazzy CI failures seem due to the official ubuntu apt repo being flaky and not the changes introduced in this PR:
Thanks for working with me @mikaelarguedas to get this update out. The CI failures here look to be the same intermittent failures of archive.ubuntu.com giving 403 errors. Our internal test builds took a few retries: osrf/docker_images#805 and we've been seeing this across much of our CI recently. I suspect that a few retries will pass those builds as well. As this is replacing our expiring gpg key a prompt merge would be appreciated. I know that's tough with the intermittent CI problems.
Signed-off-by: Mikael Arguedas <[email protected]>
I force-pushed the same content to retrigger CI now that ubuntu repos seem more stable. CI is now green 👍
# NOTE: How do we break cache and ensure rebuild if that version changes ?
RUN export ROS_APT_SOURCE_VERSION=$(curl -s https://api.github.com/repos/ros-infrastructure/ros-apt-source/releases/latest | grep -F "tag_name" | awk -F\" '{print $4}') ;\
    curl -L -s -o /tmp/ros2-apt-source.deb "https://github.com/ros-infrastructure/ros-apt-source/releases/download/${ROS_APT_SOURCE_VERSION}/ros2-apt-source_${ROS_APT_SOURCE_VERSION}.$(. /etc/os-release && echo $VERSION_CODENAME)_all.deb" \

Downloading and installing a deb without any verification is not acceptable (this is basically

Something a little like this:

-# NOTE: How do we break cache and ensure rebuild if that version changes ?
-RUN export ROS_APT_SOURCE_VERSION=$(curl -s https://api.github.com/repos/ros-infrastructure/ros-apt-source/releases/latest | grep -F "tag_name" | awk -F\" '{print $4}') ;\
- curl -L -s -o /tmp/ros2-apt-source.deb "https://github.com/ros-infrastructure/ros-apt-source/releases/download/${ROS_APT_SOURCE_VERSION}/ros2-apt-source_${ROS_APT_SOURCE_VERSION}.$(. /etc/os-release && echo $VERSION_CODENAME)_all.deb" \
+RUN export ROS_APT_SOURCE_VERSION='1.1.0' \
+ && . /etc/os-release \
+ && curl -L -s -o /tmp/ros2-apt-source.deb "https://github.com/ros-infrastructure/ros-apt-source/releases/download/${ROS_APT_SOURCE_VERSION}/ros2-apt-source_${ROS_APT_SOURCE_VERSION}.${VERSION_CODENAME}_all.deb" \
+ && export SHA256CHECKSUM="ABCDEF1234567890" \
+ && echo "$SHA256CHECKSUM */tmp/ros2-apt-source.deb" | sha256sum --strict --check \
# alternative with semicolons
+RUN set -e; \
+ export ROS_APT_SOURCE_VERSION='1.1.0'; \
+ . /etc/os-release; \
+ curl -L -s -o /tmp/ros2-apt-source.deb "https://github.com/ros-infrastructure/ros-apt-source/releases/download/${ROS_APT_SOURCE_VERSION}/ros2-apt-source_${ROS_APT_SOURCE_VERSION}.${VERSION_CODENAME}_all.deb"; \
+ export SHA256CHECKSUM="ABCDEF1234567890"; \
+ echo "$SHA256CHECKSUM */tmp/ros2-apt-source.deb" | sha256sum --strict --check; \ |
I would also add that we'd prefer if you avoid hitting

Good point! Probably an appropriate location to compute and embed the checksum too.

We'd flagged to add the version in our generator. I've started updating it to embed the version as well as the checksum and I can embed the distro as well while I'm at it.
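The review thread above turns on one step: fetch a version-pinned deb and refuse to install it unless its SHA-256 matches a digest embedded in the Dockerfile. The shell below is an added example, not code from this PR, from osrf/docker_images or from the ros-apt-source project. It exercises the `echo "<digest>  <file>" | sha256sum --strict --check` idiom entirely offline: the artifact is a constructed file standing in for the .deb, the good and wrong digests are computed locally rather than taken from the PR, and the malformed case mirrors the `ABCDEF1234567890` placeholder in the suggestion. The function names `verify_sha256`, `sha256_of` and `run_demo` are assumptions of this example.

```shell
# Added example (not from the PR or the ros-apt-source project): exercise the
# 'echo "<digest>  <file>" | sha256sum --strict --check' step offline.
# The artifact below is a constructed stand-in, not the real ros2-apt-source deb.

# verify_sha256 EXPECTED_DIGEST FILE
# Exit 0 only if FILE hashes to EXPECTED_DIGEST.
# --check reads "digest<two spaces>path" lines from stdin (the documented text
# format; "digest *path" is the binary-mode variant). --strict makes an
# improperly formatted line a failure, and --status silences the output so
# only the exit code matters, which is what a Dockerfile RUN step needs.
verify_sha256() {
  printf '%s  %s\n' "$1" "$2" | sha256sum --strict --check --status
}

# sha256_of FILE: print just the hex digest (first field of sha256sum output).
sha256_of() {
  sha256sum "$1" | cut -d ' ' -f 1
}

# run_demo: the three cases a Dockerfile author should expect from the check:
# correct digest, mismatched digest, malformed digest line.
# Returns 0 only if every case behaves as it should.
run_demo() {
  tmp=$(mktemp -d) || return 1
  artifact="$tmp/ros2-apt-source.deb"            # constructed, not a real .deb
  printf 'constructed test payload\n' > "$artifact"
  good=$(sha256_of "$artifact")                  # the digest you would pin
  wrong=$(printf 'a different payload\n' | sha256sum | cut -d ' ' -f 1)
  malformed='ABCDEF1234567890'                   # placeholder, not 64 hex chars
  status=0

  if verify_sha256 "$good" "$artifact"; then
    echo "pinned digest matches: install would proceed"
  else
    echo "ERROR: correct digest was rejected"; status=1
  fi

  if verify_sha256 "$wrong" "$artifact"; then
    echo "ERROR: mismatched artifact was accepted"; status=1
  else
    echo "digest mismatch: install refused"
  fi

  if verify_sha256 "$malformed" "$artifact"; then
    echo "ERROR: malformed digest line was accepted"; status=1
  else
    echo "malformed digest line: rejected before any comparison"
  fi

  rm -rf "$tmp"
  return $status
}

run_demo
```

In a Dockerfile the same check sits between `curl` and `apt-get install`, chained with `&&`, so a mismatch or a malformed pinned digest stops the build before the untrusted file is ever handed to apt; the demo's second and third cases are the two ways that chain is meant to fail.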
…alidation to be fixed in the Dockerfile Signed-off-by: Tully Foote <[email protected]>
Diff for a5ce8be:

diff --git a/_bashbrew-cat b/_bashbrew-cat
index 692dfd2..b475388 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -13,7 +13,7 @@ Directory: ros/humble/ubuntu/jammy/ros-base
Tags: humble-ros-core, humble-ros-core-jammy
Architectures: amd64, arm64v8
-GitCommit: b525e9ef659ce448db6150fd5407ef62b2c5b265
+GitCommit: eb5634cf92ba079897e44fb7541d3b78aa6cf717
Directory: ros/humble/ubuntu/jammy/ros-core
Tags: jazzy-perception, jazzy-perception-noble
@@ -28,7 +28,7 @@ Directory: ros/jazzy/ubuntu/noble/ros-base
Tags: jazzy-ros-core, jazzy-ros-core-noble
Architectures: amd64, arm64v8
-GitCommit: b525e9ef659ce448db6150fd5407ef62b2c5b265
+GitCommit: eb5634cf92ba079897e44fb7541d3b78aa6cf717
Directory: ros/jazzy/ubuntu/noble/ros-core
Tags: kilted-perception, kilted-perception-noble
@@ -43,7 +43,7 @@ Directory: ros/kilted/ubuntu/noble/ros-base
Tags: kilted-ros-core, kilted-ros-core-noble
Architectures: amd64, arm64v8
-GitCommit: b835a530495c0b411a0d15db858710a2748ee0a0
+GitCommit: eb5634cf92ba079897e44fb7541d3b78aa6cf717
Directory: ros/kilted/ubuntu/noble/ros-core
Tags: noetic-perception, noetic-perception-focal
@@ -78,5 +78,5 @@ Directory: ros/rolling/ubuntu/noble/ros-base
Tags: rolling-ros-core, rolling-ros-core-noble
Architectures: amd64, arm64v8
-GitCommit: 2e9b4e3c02bff2c70271e6f0fd15d4132e8cbcbb
+GitCommit: eb5634cf92ba079897e44fb7541d3b78aa6cf717
Directory: ros/rolling/ubuntu/noble/ros-core
diff --git a/ros_humble-ros-core-jammy/Dockerfile b/ros_humble-ros-core-jammy/Dockerfile
index 8f6138d..c0e6b9c 100644
--- a/ros_humble-ros-core-jammy/Dockerfile
+++ b/ros_humble-ros-core-jammy/Dockerfile
@@ -11,22 +11,20 @@ RUN echo 'Etc/UTC' > /etc/timezone && \
# install packages
RUN apt-get update && apt-get install -q -y --no-install-recommends \
+ ca-certificates \
+ curl \
dirmngr \
gnupg2 \
&& rm -rf /var/lib/apt/lists/*
-# setup keys
-RUN set -eux; \
- key='C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654'; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
- mkdir -p /usr/share/keyrings; \
- gpg --batch --export "$key" > /usr/share/keyrings/ros2-latest-archive-keyring.gpg; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME"
-
-# setup sources.list
-RUN echo "deb [ signed-by=/usr/share/keyrings/ros2-latest-archive-keyring.gpg ] http://packages.ros.org/ros2/ubuntu jammy main" > /etc/apt/sources.list.d/ros2-latest.list
+
+# Setup ROS Apt sources
+RUN curl -L -s -o /tmp/ros2-apt-source.deb https://github.com/ros-infrastructure/ros-apt-source/releases/download/1.1.0/ros2-apt-source_1.1.0.jammy_all.deb \
+ && echo "1600cb8cc28258a39bffc1736a75bcbf52d1f2db371a4d020c1b187d2a5a083b /tmp/ros2-apt-source.deb" | sha256sum --strict --check \
+ && apt-get update \
+ && apt-get install /tmp/ros2-apt-source.deb \
+ && rm -f /tmp/ros2-apt-source.deb \
+ && rm -rf /var/lib/apt/lists/*
# setup environment
ENV LANG=C.UTF-8
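Review bot: the added `apt-get install /tmp/ros2-apt-source.deb` has no `-y` (or `-q`/`--no-install-recommends`), unlike the `apt-get install -q -y --no-install-recommends` line a few lines above; if the deb ever gains a dependency apt will prompt and the non-interactive build fails, so pass the same flags here. Separately, `dirmngr` and `gnupg2` were only needed by the removed `gpg --keyserver ... --recv-keys` step; with the keyring now shipped inside the deb they can be dropped from the install list, which also shrinks the image.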
diff --git a/ros_jazzy-ros-core-noble/Dockerfile b/ros_jazzy-ros-core-noble/Dockerfile
index 397b97a..5e28f03 100644
--- a/ros_jazzy-ros-core-noble/Dockerfile
+++ b/ros_jazzy-ros-core-noble/Dockerfile
@@ -11,22 +11,20 @@ RUN echo 'Etc/UTC' > /etc/timezone && \
# install packages
RUN apt-get update && apt-get install -q -y --no-install-recommends \
+ ca-certificates \
+ curl \
dirmngr \
gnupg2 \
&& rm -rf /var/lib/apt/lists/*
-# setup keys
-RUN set -eux; \
- key='C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654'; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
- mkdir -p /usr/share/keyrings; \
- gpg --batch --export "$key" > /usr/share/keyrings/ros2-latest-archive-keyring.gpg; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME"
-
-# setup sources.list
-RUN echo "deb [ signed-by=/usr/share/keyrings/ros2-latest-archive-keyring.gpg ] http://packages.ros.org/ros2/ubuntu noble main" > /etc/apt/sources.list.d/ros2-latest.list
+
+# Setup ROS Apt sources
+RUN curl -L -s -o /tmp/ros2-apt-source.deb https://github.com/ros-infrastructure/ros-apt-source/releases/download/1.1.0/ros2-apt-source_1.1.0.noble_all.deb \
+ && echo "35441f3092fd05773a3c397fab38661bec466584c7a1f1c05366579997cb5fe7 /tmp/ros2-apt-source.deb" | sha256sum --strict --check \
+ && apt-get update \
+ && apt-get install /tmp/ros2-apt-source.deb \
+ && rm -f /tmp/ros2-apt-source.deb \
+ && rm -rf /var/lib/apt/lists/*
# setup environment
ENV LANG=C.UTF-8
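Review bot: the checksum line in this hunk separates the digest and `/tmp/ros2-apt-source.deb` with a single space, but the format `sha256sum --check` documents is two spaces (or ` *` for binary mode). Older coreutils consume one space and then read the next character as the mode flag, which here swallows the leading `/` and checks `tmp/ros2-apt-source.deb` relative to the working directory, so the step only passes because RUN executes in `/`. Suggest `"<digest>  /tmp/ros2-apt-source.deb"` (two spaces) or the `*` form so the check depends on neither the cwd nor the coreutils version.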
diff --git a/ros_kilted-ros-core-noble/Dockerfile b/ros_kilted-ros-core-noble/Dockerfile
index b650ebe..b78ebd3 100644
--- a/ros_kilted-ros-core-noble/Dockerfile
+++ b/ros_kilted-ros-core-noble/Dockerfile
@@ -11,22 +11,20 @@ RUN echo 'Etc/UTC' > /etc/timezone && \
# install packages
RUN apt-get update && apt-get install -q -y --no-install-recommends \
+ ca-certificates \
+ curl \
dirmngr \
gnupg2 \
&& rm -rf /var/lib/apt/lists/*
-# setup keys
-RUN set -eux; \
- key='C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654'; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
- mkdir -p /usr/share/keyrings; \
- gpg --batch --export "$key" > /usr/share/keyrings/ros2-latest-archive-keyring.gpg; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME"
-
-# setup sources.list
-RUN echo "deb [ signed-by=/usr/share/keyrings/ros2-latest-archive-keyring.gpg ] http://packages.ros.org/ros2/ubuntu noble main" > /etc/apt/sources.list.d/ros2-latest.list
+
+# Setup ROS Apt sources
+RUN curl -L -s -o /tmp/ros2-apt-source.deb https://github.com/ros-infrastructure/ros-apt-source/releases/download/1.1.0/ros2-apt-source_1.1.0.noble_all.deb \
+ && echo "35441f3092fd05773a3c397fab38661bec466584c7a1f1c05366579997cb5fe7 /tmp/ros2-apt-source.deb" | sha256sum --strict --check \
+ && apt-get update \
+ && apt-get install /tmp/ros2-apt-source.deb \
+ && rm -f /tmp/ros2-apt-source.deb \
+ && rm -rf /var/lib/apt/lists/*
# setup environment
ENV LANG=C.UTF-8
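Review bot: `curl -L -s -o /tmp/ros2-apt-source.deb ...` has no `-f`, so on an HTTP error (a moved or deleted release asset, or the 403s this PR's CI has been seeing) curl writes the error body to the file and exits 0; the failure then surfaces only as a puzzling `sha256sum` mismatch one line later. `curl -fsSL` fails the download step itself with the HTTP status, and `-S` still reports errors despite `-s`.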
diff --git a/ros_rolling-ros-core-noble/Dockerfile b/ros_rolling-ros-core-noble/Dockerfile
index d2ed728..e905e61 100644
--- a/ros_rolling-ros-core-noble/Dockerfile
+++ b/ros_rolling-ros-core-noble/Dockerfile
@@ -11,22 +11,20 @@ RUN echo 'Etc/UTC' > /etc/timezone && \
# install packages
RUN apt-get update && apt-get install -q -y --no-install-recommends \
+ ca-certificates \
+ curl \
dirmngr \
gnupg2 \
&& rm -rf /var/lib/apt/lists/*
-# setup keys
-RUN set -eux; \
- key='C1CF6E31E6BADE8868B172B4F42ED6FBAB17C654'; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
- mkdir -p /usr/share/keyrings; \
- gpg --batch --export "$key" > /usr/share/keyrings/ros2-latest-archive-keyring.gpg; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME"
-
-# setup sources.list
-RUN echo "deb [ signed-by=/usr/share/keyrings/ros2-latest-archive-keyring.gpg ] http://packages.ros.org/ros2/ubuntu noble main" > /etc/apt/sources.list.d/ros2-latest.list
+
+# Setup ROS Apt sources
+RUN curl -L -s -o /tmp/ros2-apt-source.deb https://github.com/ros-infrastructure/ros-apt-source/releases/download/1.1.0/ros2-apt-source_1.1.0.noble_all.deb \
+ && echo "35441f3092fd05773a3c397fab38661bec466584c7a1f1c05366579997cb5fe7 /tmp/ros2-apt-source.deb" | sha256sum --strict --check \
+ && apt-get update \
+ && apt-get install /tmp/ros2-apt-source.deb \
+ && rm -f /tmp/ros2-apt-source.deb \
+ && rm -rf /var/lib/apt/lists/*
# setup environment
ENV LANG=C.UTF-8
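Review bot: this hunk removes `/usr/share/keyrings/ros2-latest-archive-keyring.gpg` and `/etc/apt/sources.list.d/ros2-latest.list`, and nothing in the added lines recreates either path. Downstream images that reference those files (a `COPY --from` of the keyring, or a Dockerfile that edits `ros2-latest.list`) will break silently when they rebase onto this tag, so the PR description or release note should say that the ros2-apt-source deb now owns the keyring and sources entry and where it installs them.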
I've updated the gpg key setup commands to pull the binaries directly by full url and embed the sha256 into the Dockerfile. Noble example:
The failing tests above are our release that's just gone EOL over the weekend with Ubuntu. And we'll be moving it to a snapshot repository for legacy use. I saw the notice here: #19167 We will clear the focal usage out, but I'd like to not block getting the other platforms operational.

The GPG key inside the ROS:noetic images expired on 2025-6-1 This meant the images could not use apt anymore, failing their builds. Hotfix for this was copied over from here: osrf/docker_images#807 The actual fix is being worked on here: docker-library/official-images#19162 This commit can be reverted once the issue is solved upstream.
I stumbled upon that recently, they look to now be jobs of a "meta/arch" workflow: https://doi-janky.infosiftr.net/job/meta/job/arm64v8/job/build/76569/

Yep, see docker-library/faq#41 (which updated https://github.com/docker-library/faq#an-images-source-changed-in-git-now-what). 👍
The ROS package GPG keys are now managed by a dedicated package: https://discourse.ros.org/t/ros-signing-key-migration-guide/43937/4
The GPG key expires on June 1st so this PR is needed for images to keep building.