From 0c93be417ab71956d5c7adf6ff7ee91f5ba49b32 Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Mon, 16 Feb 2026 19:44:36 -0600
Subject: [PATCH] fix: clear stale APT lists before apt-get update in Dockerfiles

Kaniko's layer extraction can leave base-image APT metadata with expired GPG signatures, causing "invalid signature" failures during apt-get update in CI builds. Adding rm -rf /var/lib/apt/lists/* before apt-get update ensures a clean state.

Co-Authored-By: Claude Opus 4.6
---
 apps/api/Dockerfile | 6 +++++-
 apps/coordinator/Dockerfile | 8 +++++---
 apps/orchestrator/Dockerfile | 6 +++++-
 apps/web/Dockerfile | 6 +++++-
 4 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index b4ae23d..43143cd 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -61,7 +61,11 @@ FROM node:24-slim AS production
 RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
 # Install dumb-init for proper signal handling
-RUN apt-get update && apt-get install -y --no-install-recommends dumb-init \
+# Clear stale APT lists first — Kaniko's layer extraction can leave
+# base-image metadata with expired GPG signatures (bookworm InRelease).
+RUN rm -rf /var/lib/apt/lists/* \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends dumb-init \
 && rm -rf /var/lib/apt/lists/*
 # Create non-root user
diff --git a/apps/coordinator/Dockerfile b/apps/coordinator/Dockerfile
index 04d85a2..756bcd9 100644
--- a/apps/coordinator/Dockerfile
+++ b/apps/coordinator/Dockerfile
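Review bot: The comment added above the dumb-init `RUN` describes the symptom but does not record that this workaround leaves APT signature verification switched on, and the same comment is repeated in the coordinator, orchestrator and web hunks. I would extend it with one line such as `# Lists are re-fetched and still verified; do not replace this with --allow-unauthenticated or [trusted=yes].` so a later maintainer does not reach for a bypass if the error comes back. The cause is asserted rather than demonstrated in what is visible here, so if "invalid signature" recurs after this change, the build host's clock and free disk space are worth checking before touching the APT configuration.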
@@ -4,9 +4,11 @@ FROM python:3.11-slim AS builder
 WORKDIR /app
 # Install build dependencies
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
- build-essential \
+# Clear stale APT lists first — Kaniko's layer extraction can leave
+# base-image metadata with expired GPG signatures (bookworm InRelease).
+RUN rm -rf /var/lib/apt/lists/* \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends build-essential \
 && rm -rf /var/lib/apt/lists/*
 # Copy dependency files and private registry config
diff --git a/apps/orchestrator/Dockerfile b/apps/orchestrator/Dockerfile
index 1ec9d4e..29ade11 100644
--- a/apps/orchestrator/Dockerfile
+++ b/apps/orchestrator/Dockerfile
@@ -73,7 +73,11 @@ LABEL org.opencontainers.image.description="Agent orchestration service for Mosa
 RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
 # Install wget and dumb-init
-RUN apt-get update && apt-get install -y --no-install-recommends wget dumb-init \
+# Clear stale APT lists first — Kaniko's layer extraction can leave
+# base-image metadata with expired GPG signatures (bookworm InRelease).
+RUN rm -rf /var/lib/apt/lists/* \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends wget dumb-init \
 && rm -rf /var/lib/apt/lists/*
 # Create non-root user
diff --git a/apps/web/Dockerfile b/apps/web/Dockerfile
index 7caec12..6fea2dc 100644
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
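Review bot: The new comment ties the problem to "bookworm InRelease", but the base shown in this hunk's header is `python:3.11-slim`, a tag that does not name a Debian suite and can be re-pointed to a newer release; the `node:24-slim` stage in apps/api/Dockerfile has the same gap. Either drop the suite name from the comment or pin the base to a suite-specific tag, ideally with a digest, so the comment stays true and the build is repeatable; the `FROM` line itself is outside this hunk. Separately, the rewrite folds `build-essential` onto the `apt-get install` line, where the removed code kept one package per continued line, which keeps later additions to a one-line diff.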
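Review bot: The rewritten `RUN` still installs `wget` into an image that the line above strips of npm and npx, which suggests this is the runtime stage. If wget is there only for a container health check (not visible in this hunk), a probe using the Node runtime already in the image would let it be dropped and keep a general-purpose download tool out of the production image. If it has to stay, the existing comment `# Install wget and dumb-init` should say what consumes it, so the package is not carried forward by habit.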
@@ -86,7 +86,11 @@ RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
 RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
 # Install dumb-init for proper signal handling
-RUN apt-get update && apt-get install -y --no-install-recommends dumb-init \
+# Clear stale APT lists first — Kaniko's layer extraction can leave
+# base-image metadata with expired GPG signatures (bookworm InRelease).
+RUN rm -rf /var/lib/apt/lists/* \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends dumb-init \
 && rm -rf /var/lib/apt/lists/*
 # Create non-root user