GitHub user Nickalus12 added a comment to the discussion: Can't build docker images based on slim-2.8.0 or higher
This is a classic symptom of the transition from Debian 11 (Bullseye) to Debian 12 (Bookworm). Airflow 2.7.3 images were Bullseye-based, but 2.8.0 shifted the default to Bookworm. The GPG "NO_PUBKEY" and "invalid signature" errors are usually a red herring in CI environments. The real issue is almost always that your GitLab runner's host is running an older version of Docker or `libseccomp` that doesn't support the syscalls (like `faccessat2` or `clone3`) that Bookworm’s `apt` and `gpg` now rely on. When the syscall is blocked by an outdated seccomp profile, `apt` fails to verify signatures and throws these misleading errors. You can usually fix this by updating your GitLab runner's Docker version (to 20.10.10+ at a minimum) or ensuring the `docker:dind` service version you're using in your `.gitlab-ci.yml` is current. I believe switching to `docker:24-dind` or `docker:27-dind` often resolves this immediately. If you can't touch the runner infrastructure, you might be able to work around it by temporarily using a more permissive security policy in your build command, though this depends on your runner's configuration: ```bash docker build --security-opt seccomp=unconfined . ``` Also, a quick check on your Dockerfile: make sure you're switching to `USER root` before running those `apt` commands. Airflow's slim images default to `USER airflow` (UID 50000), and while that usually causes a "Permission denied" error, it can occasionally cause weirdness with local keyrings during `apt-get update`. ```dockerfile FROM apache/airflow:slim-2.11.2-python3.10 USER root RUN apt-get update && apt-get install -y ... USER airflow ``` I'd bet on the Docker-in-Docker version/host compatibility being the primary culprit here, though. Bookworm is much pickier about the container runtime than Bullseye was. GitHub link: https://github.com/apache/airflow/discussions/64583#discussioncomment-16412645 ---- This is an automatically sent email for [email protected]. To unsubscribe, please send an email to: [email protected]
