Skip to content

Remove Yarn repository to prevent expired GPG key failures #7

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mglaman merged 5 commits into from
Jan 23, 2026
Merged

Remove Yarn repository to prevent expired GPG key failures #7

mglaman merged 5 commits into from
Jan 23, 2026

Conversation

Copy link
Contributor

Copilot AI commented Jan 23, 2026
edited
Loading

Yarn's GPG key (23E7166788B63E1E) expired in early 2024, causing apt-get operations to fail with EXPKEYSIG errors when the repository is present. This image uses npm/npx exclusively.

Changes

  • Added cleanup of Yarn repository files after Node.js installation:
    • Remove /etc/apt/sources.list.d/yarn.list
    • Remove /usr/share/keyrings/yarnkey.gpg
RUN curl -fsSL https://deb.nodesource.com/setup_24.x | bash - && \
    apt-get install -y --no-install-recommends nodejs && \
    rm -f /etc/apt/sources.list.d/yarn.list /usr/share/keyrings/yarnkey.gpg

The NodeSource setup script may add the Yarn repository. Removing these files immediately prevents subsequent apt operations from failing on the expired key.

Original prompt

on a different CI image I saw the following error. can you check if it is problematic for our image as well

Err:5 https://dl.yarnpkg.com/debian stable InRelease
The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging yarn@dan.cx
Get:9 https://deb.nodesource.com/node_20.x nodistro/main amd64 Packages [13.6 kB]
Reading package lists...
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging yarn@dan.cx
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 4 commits January 23, 2026 21:43
@mglaman
Add preventive fix for Yarn GPG key expiration issue
46eb76d 
Co-authored-by: mglaman <3698644+mglaman@users.noreply.github.com>
@mglaman
Address code review feedback - simplify Yarn repository cleanup
18c1268 
Co-authored-by: mglaman <3698644+mglaman@users.noreply.github.com>
@mglaman
Optimize Dockerfile by combining Yarn cleanup with Node.js installation
52237ac 
Co-authored-by: mglaman <3698644+mglaman@users.noreply.github.com>
@mglaman
Clarify comments about Yarn GPG key fix
650ef52 
Co-authored-by: mglaman <3698644+mglaman@users.noreply.github.com>
Copilot AI changed the title [WIP] Investigate Yarn signature error in CI image Remove Yarn repository to prevent expired GPG key failures Jan 23, 2026
Copilot AI requested a review from mglaman January 23, 2026 21:46
@mglaman mglaman marked this pull request as ready for review January 23, 2026 22:00
@mglaman mglaman merged commit 65006e1 into main Jan 23, 2026
1 check passed
@mglaman mglaman deleted the copilot/check-yarn-signature-error branch January 23, 2026 23:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@mglaman mglaman mglaman approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@mglaman mglaman

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mglaman