apt update fails on unprivileged docker arm container due to invalid gpg signature

Bug #1890332 reported by Anthony C
This bug affects 4 people
Affects: libseccomp (Ubuntu). Status: Incomplete. Importance: Undecided. Assigned to: Unassigned.

Bug Description

Running `apt update` in an ubuntu:20.04 Docker container on a Raspberry Pi fails with GPG errors.

Expected behaviour:

Successfully update the system through `apt update`

What happens instead:

`Err:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease
  At least one invalid signature was encountered.`

Complete log:
https://pastebin.com/sggGJcY1

How to reproduce:
On a Raspberry Pi 3b or 4b (and maybe others?), run the following command:
`docker run ubuntu:latest apt update`
or more specifically:
`docker run arm32v7/ubuntu:20.04 apt update`

More information:
I can reproduce the bug on the following host systems:
* Raspberry Pi 3b running HypriotOS
* Raspberry Pi 4b running Raspbian GNU/Linux 10 (buster)

The problem does not happen on the following host system:
* Raspberry Pi 3b running Arch Linux Arm

Anthony C (tonyspark)
description: updated
Anthony C (tonyspark) wrote :

The root cause of the problem [is in libseccomp][1]. The newer version fixes the problem, but it is not yet available in Debian's stable repos. There are two ways to fix this problem:

**Method 1**

Start the container with `--privileged`. This bypasses docker's security measures, so it is not recommended.

**Method 2**

Upgrade libseccomp manually. Download version from unstable repos (I tested with 2.4.3-1) [here][2].

Uninstall the current version:

`sudo dpkg --force-all -P libseccomp2`

Install the new version:

`sudo dpkg -i libseccomp2_2.4.3-1+b1_armhf.deb`

  [1]: https://github.com/moby/moby/issues/40734
  [2]: https://packages.debian.org/sid/libseccomp2

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
Martin (martin-herren) wrote :

Thanks Anthony for the workaround.

Unfortunately #Method 1 won't work when building a docker image as --privileged is not available on build :( But can be a useful workaround in some cases.
Might try #Method 2 but I'm not really into doing a package mess on my stable arm build server...

So I guess I wait some more before distributing ubuntu focal .deb packages for my software. Stuck since April with libseccomp2 issues. Maybe I'll release focal packages for aarch64 and amd64 as I'm not sure if otherwise I'll be able to release something before ubuntu 20.10.

I can confirm the issue also happens on other hardware than raspberry/raspbian. Could reproduce it on another Arm64v8 CPU running plain aarch64 Debian Buster.

Julian Andres Klode (juliank) wrote :

Bug is probably invalid, as this is a problem on the non-Ubuntu host?

affects: apt (Ubuntu) → libseccomp (Ubuntu)
Viktor Engelmann (viktor-engelmann) wrote :

I have also tried this on ubuntu:20.10, ubuntu:20.04 and ubuntu:18.04 and it produces the same error there, too.
I think it is an issue with the system clock reporting Jan 1st 1970. The system clock on the host system is correct though.

I could only find two ways to change the system clock in the ubuntu docker image:
* "date -s" requires --privileged (which isn't available in docker build)
* hwclock, which doesn't work on raspberry pi:

```
root@8f7355a71bca:/# hwclock --verbose
hwclock from util-linux 2.34
System Time: 0.-00001
Trying to open: /dev/rtc0
Trying to open: /dev/rtc
Trying to open: /dev/misc/rtc
No usable clock interface found.
hwclock: Cannot access the Hardware Clock via any known method.
```

Other means like ntp don't work because they aren't preinstalled and cannot be installed because apt-get doesn't work (which is the topic of this bug report).

I was also not able to update libseccomp2, because wget and curl aren't preinstalled and cannot be installed either, because apt-get doesn't work.

Viktor Engelmann (viktor-engelmann) wrote :

So now I manually downloaded libseccomp2_2.5.0-3_armhf.deb, copied it into the container and tried to install it from there. This didn't work either:

```
Step 7/27 : RUN dpkg --force-all -P libseccomp2
 ---> Running in bf8c3eba1b94
dpkg: libseccomp2:armhf: dependency problems, but removing anyway as you requested:
 apt depends on libseccomp2 (>= 2.4.2).

(Reading database ... 4115 files and directories currently installed.)
Removing libseccomp2:armhf (2.4.3-1ubuntu3.20.04.3) ...
Processing triggers for libc-bin (2.31-0ubuntu9.1) ...
Removing intermediate container bf8c3eba1b94
 ---> 46d72c3e2384
Step 8/27 : RUN dpkg -i /libseccomp2_2.5.0-3_armhf.deb
 ---> Running in 2636514aa37f
tar: ./control: Cannot utime: Operation not permitted
tar: ./md5sums: Cannot utime: Operation not permitted
tar: ./shlibs: Cannot utime: Operation not permitted
tar: ./symbols: Cannot utime: Operation not permitted
tar: ./triggers: Cannot utime: Operation not permitted
tar: .: Cannot utime: Operation not permitted
tar: Exiting with failure status due to previous errors
dpkg-deb: error: tar subprocess returned error exit status 2
dpkg: error processing archive /libseccomp2_2.5.0-3_armhf.deb (--install):
 dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
 /libseccomp2_2.5.0-3_armhf.deb
The command '/bin/sh -c dpkg -i /libseccomp2_2.5.0-3_armhf.deb' returned a non-zero code: 1
```

Viktor Engelmann (viktor-engelmann) wrote :

I have verified that the date is indeed the problem. When I run an ubuntu container privileged, the container has the correct date and apt update succeeds. But when I run the container privileged and set the date to 1971, then I get that same error message from apt update.

Therefore, this bug is a duplicate of bug #1896443

```
pi@raspberrypi:~ $ docker run --privileged -it ubuntu bash
root@ad897025c4b7:/# date "+%Y-%m-%d %H:%M:%S" -s "1971-01-01 00:00:00"
1971-01-01 00:00:00
root@ad897025c4b7:/# apt update
Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [265 kB]
Get:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease [111 kB]
Get:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease [98.3 kB]
Get:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease [107 kB]
Reading package lists... Done
E: Release file for http://ports.ubuntu.com/ubuntu-ports/dists/focal/InRelease is not valid yet (invalid for another 18010d 17h 33min 0s). Updates for this repository will not be applied.
E: Release file for http://ports.ubuntu.com/ubuntu-ports/dists/focal-updates/InRelease is not valid yet (invalid for another 18222d 10h 50min 54s). Updates for this repository will not be applied.
E: Release file for http://ports.ubuntu.com/ubuntu-ports/dists/focal-backports/InRelease is not valid yet (invalid for another 18222d 10h 51min 16s). Updates for this repository will not be applied.
E: Release file for http://ports.ubuntu.com/ubuntu-ports/dists/focal-security/InRelease is not valid yet (invalid for another 18222d 10h 50min 42s). Updates for this repository will not be applied.
```

Viktor Engelmann (viktor-engelmann) wrote :

No, wait, that is a different error message. When I run unprivileged, I get:

```
Err:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease
  At least one invalid signature was encountered.
Err:2 http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease
  At least one invalid signature was encountered.
Err:3 http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease
  At least one invalid signature was encountered.
Err:4 http://ports.ubuntu.com/ubuntu-ports focal-security InRelease
  At least one invalid signature was encountered.
Reading package lists... Done
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-backports InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://ports.ubuntu.com/ubuntu-ports focal-security InRelease: At least one invalid signature was encountered.
E: The repository 'http://ports.ubuntu.com/ubuntu-ports focal-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
```
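
The two `apt update` failures quoted in the comments above are separate conditions: a clock that is behind the Release file date ("is not valid yet") and a failed signature check ("At least one invalid signature was encountered"). The script below is an added example, not part of the bug report; it tells the two apart and converts the reported skew to seconds. The function names are hypothetical and the sample logs are shortened from the output quoted in this thread.

```shell
#!/bin/sh
# Added example (not from the bug report): sort `apt update` output into the
# two distinct failures seen in this thread. Function names are hypothetical.

# Convert apt's skew text, e.g. "18010d 17h 33min 0s", to seconds.
skew_seconds() {
    printf '%s\n' "$1" | awk '{
        total = 0
        for (i = 1; i <= NF; i++) {
            n = $i + 0                       # numeric prefix of the field
            if      ($i ~ /d$/)   total += n * 86400
            else if ($i ~ /h$/)   total += n * 3600
            else if ($i ~ /min$/) total += n * 60
            else if ($i ~ /s$/)   total += n
        }
        printf "%d\n", total
    }'
}

# Read apt output on stdin and print one verdict line.
classify_apt_update() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'is not valid yet (invalid for another'; then
        # Clock is behind the Release file date; report the first repo's skew.
        span=$(printf '%s\n' "$log" |
            sed -n 's/.*(invalid for another \([^)]*\)).*/\1/p' | head -n 1)
        echo "clock-behind $(skew_seconds "$span")"
    elif printf '%s\n' "$log" | grep -q 'At least one invalid signature'; then
        # apt's signature check failed: the unprivileged-container symptom here.
        echo "signature-invalid"
    elif printf '%s\n' "$log" | grep -q '^E: '; then
        echo "other-error"
    else
        echo "ok"
    fi
}

# Constructed samples, shortened from the two logs quoted in the comments above.
sample_clock='Get:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease [265 kB]
E: Release file for http://ports.ubuntu.com/ubuntu-ports/dists/focal/InRelease is not valid yet (invalid for another 18010d 17h 33min 0s). Updates for this repository will not be applied.'
sample_sig='Err:1 http://ports.ubuntu.com/ubuntu-ports focal InRelease
  At least one invalid signature was encountered.
E: The repository '\''http://ports.ubuntu.com/ubuntu-ports focal InRelease'\'' is not signed.'

printf '%s\n' "$sample_clock" | classify_apt_update   # clock-behind 1556127180
printf '%s\n' "$sample_sig"   | classify_apt_update   # signature-invalid
```

A `signature-invalid` verdict from an unprivileged container on an ARM host points back to the host libseccomp workarounds earlier in this report, not to the repository keys.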

Bryce Harrington (bryce)
summary: - apt update fails on docker arm container 20.04
+ apt update fails on unprivileged docker arm container due to
+ inaccessible clock
summary: - apt update fails on unprivileged docker arm container due to
- inaccessible clock
+ apt update fails on unprivileged docker arm container due to invalid gpg
+ signature
Bryce Harrington (bryce) wrote :

For the privileged/unprivileged issue mentioned in comment #6, these upstream comments appear to be pertinent, suggesting patches that may be worth backporting:
  https://github.com/moby/moby/issues/40734#issuecomment-614259072
  https://github.com/moby/moby/issues/40734#issuecomment-680250761

As to the gpg errors in comment #8, I suspect those are unrelated. Those types of errors can crop up for a wide variety of reasons, including insufficient disk space, networking glitches, gpg problems, etc. all mostly unrelated to the package itself, so I would suggest looking to regular support channels for help there, for example see https://superuser.com/questions/1059346/apt-get-update-not-working-signing-verification-errors which suggests several solutions. If not, let us know.

However, it's possible that the gpg error is hiding the earlier error, and potentially once it's resolved the earlier error will come back. So I'll leave this issue open for now.

Changed in libseccomp (Ubuntu):
status: Confirmed → Incomplete