@bligneri

The instructions do not work.
I believe the file needs to be in gpg format.

Tested on a fresh Debian 12 install with only htop and nvim installed.

Description

Related issues or tickets

Reviews

  • Technical review
  • Editorial review
  • Product review

@bligneri bligneri requested a review from dvdksn as a code owner September 27, 2024 02:02
@github-actions github-actions bot added area/engine Issue affects Docker engine/daemon area/install Relates to installing a product labels Sep 27, 2024
@netlify

netlify bot commented Sep 27, 2024

Deploy Preview for docsdocker ready!

Name Link
🔨 Latest commit e761e1d
🔍 Latest deploy log https://app.netlify.com/sites/docsdocker/deploys/66f7428c1d73e8000872dc00
😎 Deploy Preview https://deploy-preview-21012--docsdocker.netlify.app

@offensive-vk offensive-vk left a comment

Have you tested it? I mean locally?

Contributor

@dvdksn dvdksn left a comment

I don't think this change is desirable. Can you explain the error you encountered?

@bligneri
Author

I did change the URL for a Debian URL.
I don't know why we need to dearmor but I can confirm that without this change, the instructions are not working.

With the change, one can install the docker source and then install docker on a fresh new Debian install.

@dvdksn
Contributor

dvdksn commented Sep 27, 2024

pinging @thaJeztah @tianon for input here... Do either of you know why this is happening? We also have #20834 which looks like an attempt at a workaround.

@thaJeztah
Member

No idea what's happening there; I tried on a fresh install of Debian 12 on DigitalOcean, and using the steps from the docs, all works without issues;

apt-get update
apt-get install ca-certificates curl
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
chmod a+r /etc/apt/keyrings/docker.asc
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

It's worth checking what your /etc/apt/sources.list.d/docker.list looks like, and if perhaps something went wrong there, and it's looking for the wrong distro and/or key.

We have over a million weekly downloads of packages for Debian, so at least it's not a widespread issue, but it could be something specific in your environment (I have run into some cloud providers having some non-standard / minimalized setup)

@bligneri
Author

I still have the issue on my home server. If I follow the instructions, it does not work:

Step 1: Removed the files in /etc/apt/keyrings => apt should not work

root@ligneris-cloud:/etc/apt/keyrings# apt update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]    
Get:3 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Hit:4 https://download.docker.com/linux/debian bookworm InRelease                                                  
Get:5 http://security.debian.org/debian-security bookworm-security/main Sources [111 kB]
Get:6 http://security.debian.org/debian-security bookworm-security/main amd64 Packages [183 kB]
Get:7 http://security.debian.org/debian-security bookworm-security/main Translation-en [111 kB]
Err:4 https://download.docker.com/linux/debian bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
Fetched 508 kB in 1s (787 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://download.docker.com/linux/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
W: Failed to fetch https://download.docker.com/linux/debian/dists/bookworm/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
W: Some index files failed to download. They have been ignored, or old ones used instead.

Step 2: follow the documentation to download the key and add it to the keyring

root@ligneris-cloud:/etc/apt/keyrings# curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
root@ligneris-cloud:/etc/apt/keyrings# chmod a+r /etc/apt/keyrings/docker.asc
root@ligneris-cloud:/etc/apt/keyrings# apt update                                                                             
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease                  
Hit:3 http://security.debian.org/debian-security bookworm-security InRelease   
Hit:4 https://download.docker.com/linux/debian bookworm InRelease
Err:4 https://download.docker.com/linux/debian bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://download.docker.com/linux/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
W: Failed to fetch https://download.docker.com/linux/debian/dists/bookworm/InRelease  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7EA0A9C3F273FCD8
W: Some index files failed to download. They have been ignored, or old ones used instead.

The file is there:

root@ligneris-cloud:/etc/apt/keyrings# ls -la
total 12
drwxr-xr-x 2 root root 4096 Sep 27 16:30 .
drwxr-xr-x 9 root root 4096 Sep 27 16:29 ..
-rw-r--r-- 1 root root 3817 Sep 27 16:30 docker.asc
root@ligneris-cloud:/etc/apt/keyrings# cat docker.asc 
-----BEGIN PGP PUBLIC KEY BLOCK-----
[armored key data omitted]
-----END PGP PUBLIC KEY BLOCK-----

@bligneri
Author

If I use the proposed changes, it works:


```
apt update
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Hit:2 https://download.docker.com/linux/debian bookworm InRelease
Hit:3 http://deb.debian.org/debian bookworm InRelease
Hit:4 http://deb.debian.org/debian bookworm-updates InRelease
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
```

I can now install and maintain the docker packages

@bligneri
Author

This is a bare metal install and not an install pre-made by a cloud provider. It may explain why we have a different behaviour?

uname -a
Linux ligneris-cloud 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux

etc/debian_version 
12.7

@thaJeztah
Member

The PR with the current changes would fail, because it configures the repository with signed-by=/etc/apt/keyrings/docker.asc, but the key is stored with .gpg as extension.

What does the content of your /etc/apt/sources.list.d/docker.list look like?

@bligneri
Author

Good call.

This is my source file.

cat /etc/apt/sources.list.d/docker.list 
deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian   bookworm stable

Let me double check with the .asc file in the sources.list.d file

It was not working when I installed initially following the instructions but I did debug on the machine itself.

@bligneri
Author

OK. This is really weird.
I changed it to docker.asc and now it works with only the /etc/apt/keyrings/docker.asc file.

But I can confirm 💯 % that it was not working during the initial install ;-(

@bligneri
Author

From this: https://stackoverflow.com/questions/60137344/docker-how-to-solve-the-public-key-error-in-ubuntu-while-installing-docker

It looks like the default dir is now /usr/share/keyrings

Also in this directory on my Debian 12, you can see that all the files are in gpg format.

ls /usr/share/keyrings/

debian-archive-bookworm-automatic.gpg		debian-archive-bullseye-security-automatic.gpg	debian-archive-buster-stable.gpg
debian-archive-bookworm-security-automatic.gpg	debian-archive-bullseye-stable.gpg		debian-archive-keyring.gpg
debian-archive-bookworm-stable.gpg		debian-archive-buster-automatic.gpg		debian-archive-removed-keys.gpg
debian-archive-bullseye-automatic.gpg		debian-archive-buster-security-automatic.gpg

@bligneri
Author

My proposal would be then to:

  1. use the new location /usr/share/keyrings
  2. use the .gpg extension as it seems to be the new default for Debian (and Ubuntu)?

@bligneri
Author

Why it may happen?
It may be a permission problem / umask problem (as explained in the stackoverflow above).

It did now work while I was in the original session on my new install immediately after the first reboot from the read-only install (USB stick).

=> Then after this, I did open new sessions (by SSH) and it is now a different session with updated env variable and all.

@bligneri
Author

I did update the file accordingly but I did not test by cut&pasting. I believe I need the deploy preview.

Also I think we could use apt instead of apt-get as it seems to be more and more the default.

I don't know enough about the doc build system to know if it will break things for older versions of Debian.

@thaJeztah
Member

> This is my source file.
>
> cat /etc/apt/sources.list.d/docker.list
> deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian   bookworm stable

Thanks! Yes, that is referring to /etc/apt/keyrings/docker.gpg, which means that when trying to install a package from download.docker.com/linux/debian, it will look for /etc/apt/keyrings/docker.gpg. If that file is missing (which would be the case if it's stored as docker.asc), it won't find the file, and print an error.

> From this: https://stackoverflow.com/questions/60137344/docker-how-to-solve-the-public-key-error-in-ubuntu-while-installing-docker
>
> It looks like the default dir is now /usr/share/keyrings

That looks to be outdated information; (IIUC) the /usr/share/keyrings is intended for the distro's default keys, whereas /etc/apt/keyrings/ is to be used for keys that are referenced through the signed-by= directive; see

The intent here is for "EPEL" repositories (like download.docker.com) to explicitly define the key to use, and those keys not to be put in the global store (which can be discovered automatically).

> Also in this directory on my Debian 12, you can see that all the files are in gpg format.

Either .gpg or .asc should be OK, but the file-extension should match the content; older versions of apt / apt-get required the GPG key to manually be converted from ASCII (.asc) to Binary (.gpg) through --dearmor. Current versions should be able to handle both, as long as the file-extension is correct; see

> It did now work while I was in the original session on my new install immediately after the first reboot from the read-only install (USB stick).

Not sure what happened there; wondering if you perhaps combined some "new" with "old" instructions, and used --dearmor for the file, but then stored it as .asc (in which case the file would've been stored in the correct location, but with the wrong format for the extension)?

> Also I think we could use apt instead of apt-get as it seems to be more and more the default.

We use apt-get because, unlike apt, it has a stable ABI and for that reason is still the preferred one to use when scripting. While these instructions may be run manually by the user, they're also often used by users as a starting point for scripting these steps; if they do, it's good to already have the instructions using the variant that's most suitable for that. It's also the reason why you'll find most (if not all) of our examples that install packages as part of a Dockerfile to use apt-get.

Of course, you're welcome to adjust examples according to your preference / situation for your use.
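
Added example (not part of the thread or of Docker's documentation): a shell check for the failure modes discussed in the comment above, namely a `signed-by=` path that does not exist, a key file without the read bit that the `chmod a+r` step sets, and key content that does not match its `.asc`/`.gpg` extension. The function name `check_signed_by` is hypothetical, and it assumes the one-line `deb [...]` format with a single file path in `signed-by=`.

```shell
#!/bin/sh
# Added example: audit the signed-by= key referenced by an apt source list.
# check_signed_by LISTFILE prints one verdict per referenced key file:
#   ok | missing | not-world-readable | mismatch
check_signed_by() {
    list=$1
    # Extract signed-by=PATH from the [options] of deb lines
    # (only the first entry if a comma-separated list is given).
    grep -E '^[[:space:]]*deb' "$list" |
    grep -oE 'signed-by=[^] ,]+' | cut -d= -f2- |
    while IFS= read -r key; do
        if [ ! -e "$key" ]; then
            echo "missing $key"
        elif [ -z "$(find "$key" -prune -perm -004)" ]; then
            # The documented steps run "chmod a+r" on the key file.
            echo "not-world-readable $key"
        else
            # ASCII-armored keys start with the PGP header line;
            # anything else is treated as binary (dearmored).
            if head -n 1 "$key" |
               grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----'; then
                fmt=asc
            else
                fmt=gpg
            fi
            case "$key" in
                *.asc) want=asc ;;
                *.gpg) want=gpg ;;
                *)     want=unknown ;;
            esac
            if [ "$fmt" = "$want" ]; then
                echo "ok $key"
            else
                echo "mismatch $key (content=$fmt extension=$want)"
            fi
        fi
    done
}
```

On a real host this would be run as `check_signed_by /etc/apt/sources.list.d/docker.list`; it does not check directory permissions on the parent path or verify the key's fingerprint.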

@bligneri
Author

OK. I did another fresh bare metal install on the exact same hardware with the same Debian installer via USB ... and the instructions worked as expected.

I still don't know what went wrong, sorry for the noise.

I think we can close the issue.
