Fix Codespaces prebuild failure due to Yarn GPG key expiration #7
Open
mitchdenny wants to merge 1 commit into main from
The base image includes a Yarn apt repository with an expired/rotated GPG key, causing apt-get update to fail during Docker-in-Docker feature installation. This adds a Dockerfile that removes the unused Yarn repository before features are installed. Fixes: devcontainers/images#1752
Problem
The Codespaces prebuild CI will fail on the next run with:
The last successful prebuild was on December 10, 2025 — before the Yarn GPG key expired in January 2026.
Root Cause
The base image mcr.microsoft.com/devcontainers/dotnet:dev-10.0-noble includes a Yarn apt repository with an expired/rotated GPG key (NO_PUBKEY 62D54FD4003F6525). When the Docker-in-Docker feature runs apt-get update, the invalid signature causes the entire build to fail.
Why We Need Our Own Dockerfile
We don't use Yarn - This devcontainer is for .NET Aspire development. Node.js is provided via the ghcr.io/devcontainers/features/node:1 feature which includes npm. Yarn is not needed.
Yarn v1 is no longer actively developed - Per the Yarn maintainers: "Development of Yarn v1 is finished now (no new work is planned)." The GPG key was extended to 2030, but there's discussion about removing the apt repository from base images entirely.
This has happened before - The Yarn GPG key expiration issue previously occurred in 2023 (Yarn GPG key expiry prevents running apt devcontainers/images#370). Using a Dockerfile to remove the unused repository protects us from future key rotations.
No ETA on upstream fix - The issue is tracked at GPG key for Yarn has expired, devcontainers/images#1752 (opened Jan 23, 2026). While maintainers have patched some images, the dotnet:dev-10.0-noble image hasn't been rebuilt yet. There's no committed timeline for when all images will be updated.
The fix runs too late otherwise - Using onCreateCommand to remove the repository doesn't work because devcontainer features (like Docker-in-Docker) are installed before onCreateCommand runs. A Dockerfile is the only way to fix apt before feature installation.
Changes
.devcontainer/Dockerfile that removes /etc/apt/sources.list.d/yarn.list
.devcontainer/devcontainer.json to use the Dockerfile instead of direct image reference
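An added example, not code from this PR: a POSIX shell helper that maps signature failures in apt-get update output to the source-list files that define the failing repositories, so that only the unused repository is removed and signature verification stays on for everything else. The sample output is constructed; the function names, the repository URL and the exact warning wording are assumptions, and the key ID is the one quoted in the description above.

```shell
#!/bin/sh
# Added example (not from the PR): map apt signature failures to the
# source files that define the failing repositories.

# Constructed sample of apt-get update output. The key ID is the one quoted in
# the PR; the URLs and wording are assumptions about typical apt warnings.
sample_apt_output() {
cat <<'EOF'
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 62D54FD4003F6525
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.
EOF
}

# Read apt output on stdin; print "KEYID URL" per repository whose signature
# failed because the key is missing (NO_PUBKEY) or expired (EXPKEYSIG).
failing_repos() {
    sed -n -E 's/^W: GPG error: ([^ ]+) .*(NO_PUBKEY|EXPKEYSIG) ([0-9A-F]+).*$/\3 \1/p' | sort -u
}

# Print the files in a sources directory ($2, default /etc/apt/sources.list.d)
# that reference repository URL $1. Fixed-string match, so the URL is never
# interpreted as a regular expression.
sources_for_url() {
    dir=${2:-/etc/apt/sources.list.d}
    for f in "$dir"/*.list "$dir"/*.sources; do
        [ -f "$f" ] && grep -q -F -- "$1" "$f" && printf '%s\n' "$f"
    done
    return 0
}

# Combine both: apt output on stdin, sources directory as $1.
# Output: "KEYID URL FILE", one line per offending source file.
failing_source_files() {
    failing_repos | while read -r key url; do
        sources_for_url "$url" "$1" | while read -r file; do
            printf '%s %s %s\n' "$key" "$url" "$file"
        done
    done
}

# Usage: apt-get update 2>&1 | failing_source_files /etc/apt/sources.list.d
```

A file reported here is a candidate for removal only if nothing in the image installs packages from that repository; otherwise the fix is to refresh its key.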