Docker build fails with MongoDB GPG SHA1 signature error #463
Description
Problem
When running docker compose up on Windows, the build fails with MongoDB GPG key signature error:
E: Release file for ... is not valid yet (invalid for another ... Release file created at: ...)
E: GPG error: ... The following signatures were invalid: ...
This occurs due to Debian's security policy update (February 2026) that rejects SHA1 signatures in GPG keys.
Environment
- OS: Windows 11
- Docker version 28.1.1
Impact
- Prevents new contributors from building the project
- Affects all three API services (core, ingestion, read)
Solution Implemented
Changed MongoDB installation method from apt repository to direct .deb package download to bypass GPG signature validation.
Also fixed:
- Startup script copying issue in multi-stage Dockerfile
- Windows CRLF line ending compatibility
- Alpine package installation retry logic for network resilience
Files Changed
opengin/core-api/docker/Dockerfileopengin/core-api/docker/Dockerfile.choreoopengin/ingestion-api/docker/Dockerfile.choreoopengin/read-api/docker/Dockerfile.choreo
Pull request with fix: #462