Docker image fails apt-get update due to expired Yarn GPG key

[edgariscoding]

Issue Description

Describe the bug

The swacli/static-web-apps-cli:latest Docker image fails when attempting to run apt-get update due to an expired GPG signing key for the Yarn repository that's configured in the image.

Error Message:

Err:4 https://dl.yarnpkg.com/debian stable InRelease
  The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
W: GPG error: https://dl.yarnpkg.com/debian stable InRelease: The following signatures were invalid: EXPKEYSIG 23E7166788B63E1E Yarn Packaging <yarn@dan.cx>
E: The repository 'https://dl.yarnpkg.com/debian stable InRelease' is not signed.

Impact

This issue breaks CI/CD pipelines that use the Docker image and need to install additional packages (e.g., Azure CLI). The failure started occurring approximately 2 days ago (around 2026-01-24) without any pipeline configuration changes, indicating the Yarn GPG key expired recently.

To Reproduce

1. Use the Docker image: docker pull swacli/static-web-apps-cli:latest
2. Run any command that triggers apt-get update:

   docker run swacli/static-web-apps-cli:latest bash -c "apt-get update"

3. Observe the GPG signature error for the Yarn repository

Expected behavior

The Docker image should either:

• Have an updated/valid Yarn GPG key, OR
• Not include the Yarn repository if it's not required by the CLI

Environment

• Docker Image: swacli/static-web-apps-cli:latest
• Image Digest: sha256:9c87921bcacfd1951407987e3a7da2d8fc8be103a373c9a595cfa5f0333f3510
• Base OS: Debian Bookworm
• Affected Context: GitLab CI/CD with shared runners

Suggested Fix

Update the Dockerfile to either:

1. Remove the Yarn repository if it's not needed:

   RUN rm -f /etc/apt/sources.list.d/yarn.list

2. Or update the Yarn GPG key:

   RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -

Workaround

For users affected by this issue, add this to your pipeline before any apt-get update commands:

sudo rm -f /etc/apt/sources.list.d/yarn.list

Additional context

This is blocking multiple development teams using GitLab CI/CD pipelines with this Docker image. Since Yarn is managed via npm/corepack in modern Node.js environments, the apt repository may no longer be necessary.

[cjk7989]

Verfied:

• /etc/apt/sources.list.d/yarn.list exists
• Yarn GPG public key exipred

docker run -it swacli/static-web-apps-cli:latest bash
swa-cli ➜ ~ $ ls -la /etc/apt/sources.list.d/
total 32
drwxr-xr-x 1 root root 4096 Jun 27  2024 .
drwxr-xr-x 1 root root 4096 Jun 27  2024 ..
-rw-r--r-- 1 root root  154 Jun 27  2024 archive_uri-https_download_docker_com_linux_debian-bookworm.list
-rw-r--r-- 1 root root   79 Jun 27  2024 azure-cli.list
-rw-r--r-- 1 root root  443 May 13  2024 debian.sources
-rw-r--r-- 1 root root   99 Jun 27  2024 dotnetdev.list
-rw-r--r-- 1 root root   89 Jun 27  2024 microsoft-prod.list
-rw-rw-r-- 1 root root  115 Jun 27  2024 yarn.list
swa-cli ➜ ~ $ cat /etc/apt/sources.list.d/yarn.list
deb [arch=amd64 signed-by=/usr/share/keyrings/yarn-archive-keyring.gpg] https://dl.yarnpkg.com/debian/ stable main

PS C:\Users\jikunchen> docker run --rm -it --user root swacli/static-web-apps-cli:latest bash
root ➜ /home/swa-cli $ gpg --show-keys /usr/share/keyrings/yarn-archive-keyring.gpg
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
pub   rsa4096 2016-10-05 [SC]
      72E--------------------------------------------310
uid                      Yarn Packaging <yarn@dan.cx>
sub   rsa4096 2016-10-05 [E]
sub   rsa4096 2016-10-05 [S] [expired: 2017-10-05]
sub   rsa4096 2016-10-30 [S] [expired: 2019-01-01]
sub   rsa4096 2017-09-10 [S] [expired: 2019-01-01]
sub   rsa4096 2019-01-02 [S] [expired: 2026-01-23]
sub   rsa4096 2019-01-11 [S] [expired: 2026-01-23]

[cjk7989]

@edgariscoding, thank you for reporting.

In our dockerfile, we download gpg public key via
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | gpg --dearmor > /usr/share/keyrings/yarn-archive-keyring.gpg

The yarn team has noticed the issue (yarnpkg/yarn#9216), and they mentioned The key at http://dl.yarnpkg.com/debian/pubkey.gpg will be updated shortly.