mcr.microsoft.com/devcontainers/universal apt-get update fails due to Yarn repo NO_PUBKEY

[mdahshan]

Hi,

I’m hitting an apt-get update failure when building a Codespaces devcontainer based on the Microsoft “universal” image, which then causes Features that run apt-get update (e.g. desktop-lite) to fail during installation.

Summary

mcr.microsoft.com/devcontainers/universal:5 (Ubuntu Noble) includes a Yarn APT repo entry (https://dl.yarnpkg.com/debian). During apt-get update, APT fails with:

NO_PUBKEY 62D54FD4003F6525
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.

This prevents installing Features that run apt-get update during their install scripts.

Environment

• GitHub Codespaces / devcontainers CLI
• Base image: mcr.microsoft.com/devcontainers/universal:5
• devcontainers CLI: 0.80.3
• Host kernel (Codespaces): linux 6.8.0-1030-azure x64

Repro steps

1. Create a repo with this .devcontainer/devcontainer.json:

{
  "features": {
    "ghcr.io/devcontainers/features/desktop-lite:1": {
      "password": "noPassword"
    }
  },
  "forwardPorts": [5901, 6080]
}

2. Build the devcontainer (Codespaces creation or devcontainer up).

Expected

apt-get update should succeed and the feature should install normally.

Actual

Feature installation fails during apt-get update because the Yarn repo key is missing:

Running apt-get update...
Err:1 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 62D54FD4003F6525
...
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 62D54FD4003F6525
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
ERROR: Feature "Light-weight Desktop" (ghcr.io/devcontainers/features/desktop-lite) failed to install!

Notes / workaround

If I remove/disable the Yarn APT source (anything referencing dl.yarnpkg.com/debian) prior to apt-get update, the build proceeds. However, this is hard to do cleanly in Codespaces when relying on Features (without switching to a Dockerfile/custom image).

Request

Could the universal image be updated to:

• include the correct Yarn APT signing key for the configured repo, or
• remove/disable the Yarn APT source by default (if Yarn isn’t intended to be installed via that repo), or
• switch to the current recommended Yarn repo configuration (keyring + signed-by=) so apt-get update works out-of-the-box?

If helpful, I can provide a complete Codespaces creation log, but the snippet above is the key failure.

Thanks!
Mostafa

[debuglevel]

Maybe removing yarn would be an idea. They seem to break apt on a regular basis: #370

[korryu3]

After the error occurs, running a Full Rebuild should fix the issue.

It seems this has already been fixed in the latest v5 devcontainers/universal images (#1752 (comment)), but Codespaces may still use a cached older image:

Alternatively, you can explicitly specify the latest version, for example: devcontainers/universal:5.1.4.

[abdurriq]

@mdahshan That is strange, since we patched this a while ago in the universal image. Perhaps you haven't rebuilt your DevContainer, or it was built before that patch was applied?

[clarkbreyman]

@abdurriq - I've done fresh rebuilds today on Codespaces and still seeing this issue.

[mdahshan]

@abdurriq I tried to create a new Codespace with the following devcontainer.json file

{
    "image": "mcr.microsoft.com/devcontainers/universal",
    "features": {
        "ghcr.io/devcontainers/features/desktop-lite:1": {
            "password": "noPassword"
        }
    },
    "forwardPorts": [5901, 6080]
}

I am still encountering the same error.

[abdurriq]

@clarkbreyman / @mdahshan Could you try using mcr.microsoft.com/devcontainers/universal:5.1-linux instead; that might fix it until we can resolve it upstream (likely a Codespaces cache issue).