Dockerfile /openjdk/11/jdk/buster broken on gpg check #462

Closed
paul-bormans opened this issue Jun 22, 2021 · 2 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@paul-bormans

When building the /openjdk/11/jdk/buster Dockerfile I ran into issues with gpg:

Saving to: ‘openjdk.tgz.asc’

 0K                                    100% 16.9M=0s

2021-06-22 07:11:19 (16.9 MB/s) - ‘openjdk.tgz.asc’ saved [566/566]

  • mktemp -d
  • export GNUPGHOME=/tmp/tmp.dxqFdIU1qJ
  • gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671
    gpg: keybox '/tmp/tmp.dxqFdIU1qJ/pubring.kbx' created
    gpg: keyserver receive failed: No name

Increased logging level:

HTTP request sent, awaiting response... 200 OK
Length: 566 [application/octet-stream]
Saving to: ‘openjdk.tgz.asc’

 0K                                    100% 8.58M=0s

2021-06-22 07:17:58 (8.58 MB/s) - ‘openjdk.tgz.asc’ saved [566/566]

  • mktemp -d
  • export GNUPGHOME=/tmp/tmp.qhWdAE1bau
  • gpg --debug-level guru --batch --keyserver ha.pool.sks-keyservers.net --recv-keys EAC843EBD3EFDB98CC772FADA5CD6035332FA671
    gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
    gpg: DBG: [not enabled in the source] start
    gpg: DBG: fd_cache_invalidate (/tmp/tmp.qhWdAE1bau/pubring.kbx)
    gpg: DBG: iobuf-1.0: open '/tmp/tmp.qhWdAE1bau/pubring.kbx' desc=file_filter(fd) fd=3
    gpg: DBG: iobuf-1.0: close 'file_filter(fd)'
    gpg: DBG: /tmp/tmp.qhWdAE1bau/pubring.kbx: close fd/handle 3
    gpg: DBG: fd_cache_close (/tmp/tmp.qhWdAE1bau/pubring.kbx) new slot created
    gpg: DBG: iobuf-.: ioctl '/tmp/tmp.qhWdAE1bau/pubring.kbx' invalidate
    gpg: DBG: fd_cache_invalidate (/tmp/tmp.qhWdAE1bau/pubring.kbx)
    gpg: DBG: did (/tmp/tmp.qhWdAE1bau/pubring.kbx)
    gpg: keybox '/tmp/tmp.qhWdAE1bau/pubring.kbx' created
    gpg: DBG: chan_3 <- # Home: /tmp/tmp.qhWdAE1bau
    gpg: DBG: chan_3 <- # Config: [none]
    gpg: DBG: chan_3 <- OK Dirmngr 2.2.12 at your service
    gpg: DBG: connection to the dirmngr established
    gpg: DBG: chan_3 -> GETINFO version
    gpg: DBG: chan_3 <- D 2.2.12
    gpg: DBG: chan_3 <- OK
    gpg: DBG: chan_3 -> KEYSERVER --clear hkp://ha.pool.sks-keyservers.net
    gpg: DBG: chan_3 <- OK
    gpg: DBG: chan_3 -> KS_GET -- 0xEAC843EBD3EFDB98CC772FADA5CD6035332FA671
    gpg: DBG: chan_3 <- ERR 167772380 No name
    gpg: keyserver receive failed: No name
    gpg: DBG: chan_3 -> BYE
    gpg: DBG: [not enabled in the source] stop
    gpg: keydb: handles=0 locks=0 parse=0 get=0
    gpg: build=0 update=0 insert=0 delete=0
    gpg: reset=0 found=0 not=0 cache=0 not=0
    gpg: kid_not_found_cache: count=0 peak=0 flushes=0
    gpg: sig_cache: total=0 cached=0 good=0 bad=0
    gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
    outmix=0 getlvl1=0/0 getlvl2=0/0
    gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
    gpg: secmem usage: 0/65536 bytes in 0 blocks
@wglambert wglambert added the question Usability question, not directly related to an error with the image label Jun 22, 2021
@wglambert

wglambert commented Jun 22, 2021

See https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification (especially https://github.com/tianon/pgp-happy-eyeballs)

docker-library/official-images#4252 (comment)

TLDR; GPG servers are extremely flaky . . .

However in this instance that pool.sks-keyservers.net is no longer existent https://sks-keyservers.net/overview-of-pools.php
We don't run into this issue during builds because that address is just a stand-in that gets DNS hijacked to point at a running instance of https://github.com/tianon/pgp-happy-eyeballs which queries multiple keyservers at once to get the fastest successful result.

You could add more servers to try docker-library/php#586 (comment)
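
An added example, not part of the thread or of the image's Dockerfile: a POSIX shell helper that tries several keyservers in turn and only reports success once the requested fingerprint is actually present in the keyring. The server list, the `GPG_BIN` override and the `fetch_key` name are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: keyserver fallback for a Dockerfile RUN step.
# KEYSERVERS is an assumed list; replace it with the servers you trust.
KEYSERVERS="${KEYSERVERS:-hkps://keys.openpgp.org hkps://keyserver.ubuntu.com}"
# GPG_BIN is a hypothetical override so the function can be exercised offline.
GPG_BIN="${GPG_BIN:-gpg}"

# fetch_key FINGERPRINT
# Returns 0 and sets FETCHED_FROM to the server that delivered the key.
# Returns 1 if every server failed, so the build stops before verification.
fetch_key() {
    fpr="$1"
    FETCHED_FROM=""
    for server in $KEYSERVERS; do
        if "$GPG_BIN" --batch --keyserver "$server" --recv-keys "$fpr" >/dev/null 2>&1; then
            # An exit status of 0 from --recv-keys is not treated as proof:
            # confirm a key with exactly this fingerprint is in the keyring.
            if "$GPG_BIN" --batch --with-colons --fingerprint "$fpr" 2>/dev/null \
                | grep -q "^fpr:.*:$fpr:"; then
                FETCHED_FROM="$server"
                return 0
            fi
        fi
        echo "keyserver $server failed for $fpr, trying next" >&2
    done
    echo "no keyserver returned $fpr" >&2
    return 1
}

# Usage inside the build, with GNUPGHOME set to a temporary directory as in the log above:
#   fetch_key EAC843EBD3EFDB98CC772FADA5CD6035332FA671 || exit 1
#   gpg --batch --verify openjdk.tgz.asc openjdk.tgz
```

Pinning the full fingerprint, as the Dockerfile already does, is what keeps the choice of keyserver from being a trust decision: any server may deliver the key, but only that key is accepted.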

@yosifkit
Member

Related comment:

See https://github.com/docker-library/faq#openpgp--gnupg-keys-and-verification (especially https://github.com/tianon/pgp-happy-eyeballs) for why I haven't actually been affected by this directly, but yes, this should definitely be updated to a different keyserver now that SKS is dead.
-tianon/dockerfiles#121 (comment)

Fixed by 20e86db
