Invalid GPG signature on 'index' file of downloadable images

I’m using lxc 1:3.1.0+really3.0.3-8 on Debian buster (oldstable). (Problem also seen in lxc 1:4.0.6-2 on Debian bullseye (stable).)

DOWNLOAD_KEYSERVER=hkp://keyserver.ubuntu.com lxc-create -n ken00 -o lxc-create.log -t download -B btrfs -l DEBUG -- -d debian -r buster -a amd64 --flush-cache
Setting up the GPG keyring
Downloading the image index
gpg: assuming signed data in '/tmp/tmp.zOwiFUFikz/index'
gpg: Signature made Fri 08 Oct 2021 02:29:49 AM EDT
gpg:                using RSA key E7FB0CAEC8173D669066514CBAEFF88C22F6E216
gpg: BAD signature from "LXC pre-built images <lxc-devel@lists.linuxcontainers.org>" [unknown]
ERROR: Invalid signature for /tmp/tmp.zOwiFUFikz/index.asc
lxc-create: ken00: lxccontainer.c: create_run_template: 1617 Failed to create container from template

It is suspicious that index.asc is older than index.

$ ls -l /tmp/tmp.zOwiFUFikz/
total 40
drwx------ 1 kenlocal 100000   256 Oct  8 04:15 gpg
-rw-r--r-- 1 kenlocal 100000 35974 Oct  8 03:48 index
-rw-r--r-- 1 kenlocal 100000   833 Oct  8 02:29 index.asc

For completeness, note that I patched the lxc-download script to preserve information.

--- /tmp/lxc-download.orig      2019-04-14 09:46:47.000000000 -0400
+++ /usr/share/lxc/templates/lxc-download       2021-10-08 04:12:38.146612469 -0400
@@ -69,7 +69,8 @@
 # Some useful functions
 cleanup() {
   if [ -d "${DOWNLOAD_TEMP}" ]; then
-    rm -Rf "${DOWNLOAD_TEMP}"
+    # rm -Rf "${DOWNLOAD_TEMP}"
+      :
   fi
 }
 
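Review bot: The replacement body in cleanup() turns the function into a permanent no-op, so every run now leaves "${DOWNLOAD_TEMP}" behind, including the gpg keyring directory created under it. For a debugging aid, make the skip conditional instead of commenting the line out: keep rm -Rf "${DOWNLOAD_TEMP}" and guard it with an opt-in environment variable (a hypothetical name such as LXC_DOWNLOAD_KEEP_TEMP), printing the retained path to stderr when it is set. The added ":" line is also indented six spaces where the surrounding body uses four.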
@@ -158,7 +159,7 @@
     return 0
   fi
 
-  if ! gpg --verify "$1" >/dev/null 2>&1; then
+  if ! gpg --verify "$1" ; then
     echo "ERROR: Invalid signature for $1" 1>&2
     exit 1
   fi
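Review bot: Dropping ">/dev/null 2>&1" from the gpg --verify "$1" test exposes gpg's output on every run, including runs where the signature is good, not only in the failure branch. To get the diagnostics without changing the success path, capture the output of gpg --verify "$1" 2>&1 into a variable and echo it to stderr inside the existing failure branch, just before the "ERROR: Invalid signature for $1" line. The stray space left before the ";" in "$1" ; can go as well.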

@monstermunchkin any ideas on this one?

@kenta could you try running lxc-create with --server "us.images.linuxcontainers.org"?

Problem goes away when I specify --server us.images.linuxcontainers.org.

Also, problem no longer happens without that flag (but with --flush-cache), so it seems it was a temporary glitch in the matrix.