Apt-get update NO_PUBKEY

As of this morning, a build using the circleci/aws-ecr orb and python:3.11 is giving the following error when trying to run aws-ecr/build-and-push-image.

This pipeline has been working without issues previously. Any help would be appreciated.

Get:1 http://deb.debian.org/debian bookworm InRelease [147 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
Err:2 http://deb.debian.org/debian bookworm-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
Reading package lists...
W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code

Also have the exact same issue since yesterday. Any ideas on the cause yet?

It may be that the Debian repo keys have been cycled for some reason, so the current CircleCI images are not out of date. I’m in no position to make changes to the CircleCI image, but the following write up may provide a way to add the correct keys via your config.yml script

https://chrisjean.com/fix-apt-get-update-the-following-signatures-couldnt-be-verified-because-the-public-key-is-not-available/

I updated the remote docker version I had set to the latest (20.10.18) and this resolved the issue for me.

@garybutton can you elaborate on how you updated the remote docker version?

There’s a related issue on the Python docker image github with a suggestion to update docker on the host, but I don’t know how to do that with Circle CI.

EDIT : I can’t post the link for some reason, but the repo is docker-library/python and the issue is 837

@laurent-leconte see here: https://support.circleci.com/hc/en-us/articles/115013849727-Available-Docker-versions

Defining version with setup_remote_docker in my config file.

same issue here - unfortunately specifying docker version did not solve for me. any other ideas?

If you’re using any base python image, it seems the fix is to specify to use bullseye instead of bookworm.
For eg., I used FROM python:3.8-slim i’ve changed it to FROM python:3.8-slim-bullseye and it started working.