yarn 1.22.22 fails in cypress/factory

[kissifrot]

(new issue created from #1031 (comment))
Hello, when using cypress/factory Docker image with the following env vars

ARG NODE_VERSION='16.20.2'
ARG CYPRESS_VERSION='13.17.0'
ARG CHROME_VERSION='141.0.7390.107-1'
ARG YARN_VERSION='1.22.22'

In the building phase we are running into the following error:

+ for key in 6A010C5166006599AA17F08146C2130DFD2497F5
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys 6A010C5166006599AA17F08146C2130DFD2497F5
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: key 1646B01B86E50310: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1
+ curl -fsSLO --compressed https://yarnpkg.com/downloads/1.22.22/yarn-v1.22.22.tar.gz
+ curl -fsSLO --compressed https://yarnpkg.com/downloads/1.22.22/yarn-v1.22.22.tar.gz.asc
+ gpg --batch --verify yarn-v1.22.22.tar.gz.asc yarn-v1.22.22.tar.gz
gpg: Signature made Fri May 24 21:16:26 2024 UTC
gpg:                using RSA key 72ECF46A56B4AD39C907BBB71646B01B86E50310
gpg: Can't check signature: No public key

I guess key id used for signing check is not the new one mentioned in yarnpkg/yarn#9218

[MikeMcC399]

@kissifrot

Many thanks for your report!

I can reproduce the issue. I was following the issue yarnpkg/yarn#9216 and I tested it yesterday because of that, and I found it was still working.

It seems that the changes made overnight have broken the compatibility. I will take a look at getting this fixed.

---

Regarding your configuration:

Note that Node.js 16 reached end-of-life in September 2023 and is no longer supported by Cypress
Cypress also only supports the latest 3 major versions of Chrome
Yarn v1 is frozen since 2000 and is no longer recommended

[MikeMcC399]

Minimal steps to reproduce

cd $(mktemp -d)
cat > Dockerfile<<EOT
ARG YARN_VERSION='1.22.22'
FROM cypress/factory:7.2.1
EOT
docker build  -t cy-build-test .

Logs

docker build  -t cy-build-test .
[+] Building 11.2s (7/14)                                                                                                                                                   docker:default
 => [internal] load build definition from Dockerfile                                                                                                                                  0.0s
 => => transferring dockerfile: 91B                                                                                                                                                   0.0s
 => [internal] load metadata for docker.io/cypress/factory:7.2.1                                                                                                                      2.0s
 => [auth] cypress/factory:pull token for registry-1.docker.io                                                                                                                        0.0s
 => [internal] load .dockerignore                                                                                                                                                     0.0s
 => => transferring context: 2B                                                                                                                                                       0.0s
 => [1/1] FROM docker.io/cypress/factory:7.2.1@sha256:391977af99d171e9a3bddd22cb0e462a2754347e69eb4b38cad509461fb02eb9                                                                0.0s
 => => resolve docker.io/cypress/factory:7.2.1@sha256:391977af99d171e9a3bddd22cb0e462a2754347e69eb4b38cad509461fb02eb9                                                                0.0s
 => CACHED [ 2/21] ONBUILD RUN bash /opt/installScripts/node/install-node-version.sh 24.13.0                                                                                          0.0s
 => ERROR [ 3/21] ONBUILD RUN node /opt/installScripts/yarn/install-yarn-version.js 1.22.22                                                                                           9.0s
------
 > [ 3/21] ONBUILD RUN node /opt/installScripts/yarn/install-yarn-version.js 1.22.22:
0.377 Installing Yarn version:  1.22.22
0.388 ++ apt-mark showmanual
0.433 + savedAptMark='bzip2
0.433 ca-certificates
0.433 curl
0.433 dirmngr
0.433 git
0.433 gnupg
0.433 libasound2t64
0.433 libatk-bridge2.0-0t64
0.433 libatk1.0-0t64
0.433 libc6
0.433 libcups2t64
0.433 libgbm1
0.433 libgcc-s1
0.433 libglib2.0-0t64
0.433 libgtk-3-0t64
0.433 libnss3
0.433 libstdc++6
0.433 openssh-client
0.433 openssl
0.433 procps
0.433 unzip
0.433 wget
0.433 xvfb
0.433 zstd'
0.433 + apt-get update
0.908 Get:1 http://deb.debian.org/debian trixie InRelease [140 kB]
1.247 Get:2 http://deb.debian.org/debian trixie-updates InRelease [47.3 kB]
1.568 Get:3 http://deb.debian.org/debian-security trixie-security InRelease [43.4 kB]
1.708 Get:4 http://deb.debian.org/debian trixie/main amd64 Packages [9670 kB]
4.168 Get:5 http://deb.debian.org/debian trixie-updates/main amd64 Packages [5412 B]
4.226 Get:6 http://deb.debian.org/debian-security trixie-security/main amd64 Packages [98.2 kB]
4.777 Fetched 10.0 MB in 4s (2317 kB/s)
4.777 Reading package lists...
5.212 + apt-get install -y ca-certificates curl wget gnupg dirmngr --no-install-recommends
5.219 Reading package lists...
5.638 Building dependency tree...
5.747 Reading state information...
5.896 ca-certificates is already the newest version (20250419).
5.896 curl is already the newest version (8.14.1-2+deb13u2).
5.896 wget is already the newest version (1.25.0-2).
5.896 gnupg is already the newest version (2.4.7-21+deb13u1).
5.896 dirmngr is already the newest version (2.4.7-21+deb13u1+b1).
5.896 0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
5.896 + rm -rf /var/lib/apt/lists/auxfiles /var/lib/apt/lists/deb.debian.org_debian-security_dists_trixie-security_InRelease /var/lib/apt/lists/deb.debian.org_debian-security_dists_trixie-security_main_binary-amd64_Packages.lz4 /var/lib/apt/lists/deb.debian.org_debian_dists_trixie-updates_InRelease /var/lib/apt/lists/deb.debian.org_debian_dists_trixie-updates_main_binary-amd64_Packages.lz4 /var/lib/apt/lists/deb.debian.org_debian_dists_trixie_InRelease /var/lib/apt/lists/deb.debian.org_debian_dists_trixie_main_binary-amd64_Packages.lz4 /var/lib/apt/lists/lock /var/lib/apt/lists/partial
5.901 ++ [[ -n '' ]]
5.901 ++ echo ''
5.901 + keyserverOptions=
5.901 + for key in 6A010C5166006599AA17F08146C2130DFD2497F5
5.901 + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys 6A010C5166006599AA17F08146C2130DFD2497F5
5.914 gpg: directory '/root/.gnupg' created
5.915 gpg: keybox '/root/.gnupg/pubring.kbx' created
6.698 gpg: key 1646B01B86E50310: new key but contains no user ID - skipped
6.698 gpg: Total number processed: 1
6.698 gpg:           w/o user IDs: 1
6.700 + curl -fsSLO --compressed https://yarnpkg.com/downloads/1.22.22/yarn-v1.22.22.tar.gz
7.856 + curl -fsSLO --compressed https://yarnpkg.com/downloads/1.22.22/yarn-v1.22.22.tar.gz.asc
8.870 + gpg --batch --verify yarn-v1.22.22.tar.gz.asc yarn-v1.22.22.tar.gz
8.882 gpg: Signature made Fri May 24 21:16:26 2024 UTC
8.882 gpg:                using RSA key 72ECF46A56B4AD39C907BBB71646B01B86E50310
8.882 gpg: Can't check signature: No public key
8.884 child process exited with code 2
------
Dockerfile:2
--------------------
   1 |     ARG YARN_VERSION='1.22.22'
   2 | >>> FROM cypress/factory:7.2.1
   3 |
--------------------
ERROR: failed to build: failed to solve: process "/bin/sh -c node /opt/installScripts/yarn/install-yarn-version.js ${YARN_VERSION}" did not complete successfully: exit code: 2

[MikeMcC399]

This issue is a showstopper for publishing Cypress Docker images, as any jobs in circle.ym that attempt to include Yarn are now failing.

[MikeMcC399]

@kissifrot

• PR fix: make Yarn v1 GPG signing key retrieval more robust #1470 should fix this issue

[kissifrot]

@kissifrot

* PR [fix: make Yarn v1 GPG signing key retrieval more robust #1470](https://github.com/cypress-io/cypress-docker-images/pull/1470) should fix this issue

I tested it on our CI, it passed, thanks ! 👍

[MikeMcC399]

@kissifrot

I tested it on our CI, it passed, thanks ! 👍

Well done and thanks for cross-checking!

I'd like to leave this issue open until the PR is reviewed and merged. There may be other users hitting the same issue and it would be better to have an open visible issue for them to refer to until a solution has been published to Docker Hub.

[MikeMcC399]

The root cause of this issue is very similar to #1376

The Yarn PGP key 6A010C5166006599AA17F08146C2130DFD2497F5 associated with Yarn Packaging yarn@dan.cx no longer works on hkps://keys.openpgp.org

gpg --delete-keys 6A010C5166006599AA17F08146C2130DFD2497F5
gpg --keyserver hkps://keys.openpgp.org --recv-keys 6A010C5166006599AA17F08146C2130DFD2497F5
gpg --fingerprint 6A010C5166006599AA17F08146C2130DFD2497F5

shows

gpg: error reading key: No public key

Due to the restriction https://keys.openpgp.org/about/faq/ "Can I verify more than one key for some email address?"

and the fact a new key has been uploaded to https://keys.openpgp.org using "Yarn Packaging yarn@dan.cx"

$ gpg --keyserver hkps://keys.openpgp.org --search-keys yarn@dan.cx
gpg: data source: https://keys.openpgp.org:443
(1)     Yarn Packaging (2026) <yarn@dan.cx>
          256 bit EDDSA key B42879CC6B38E118, created: 2026-01-28
Keys 1-1 of 1 for "yarn@dan.cx".  Enter number(s), N)ext, or Q)uit > 1
gpg: key B42879CC6B38E118: public key "Yarn Packaging (2026) <yarn@dan.cx>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg --delete-keys 4EF8150F4F2D7DE44F1DFF0BB42879CC6B38E118
gpg --keyserver hkps://keys.openpgp.org --recv-keys 4EF8150F4F2D7DE44F1DFF0BB42879CC6B38E118
gpg --fingerprint 4EF8150F4F2D7DE44F1DFF0BB42879CC6B38E118

gpg: key B42879CC6B38E118: public key "Yarn Packaging (2026) <yarn@dan.cx>" imported
gpg: Total number processed: 1
gpg:               imported: 1
pub   ed25519 2026-01-28 [SC]
      4EF8 150F 4F2D 7DE4 4F1D  FF0B B428 79CC 6B38 E118
uid           [ unknown] Yarn Packaging (2026) <yarn@dan.cx>
sub   ed25519 2026-01-28 [S] [expires: 2030-01-27]

The PR #1470 allows the script to detect the error using hkps://keys.openpgp.org and allows it to use keyserver.ubuntu.com which does not have the restriction about reuse of e-mail addresses, and so it succeeds.

cc: @Daniel15

[Daniel15]

I can change the email address if that helps?

…

On January 29, 2026 11:46:35 PM PST, Mike McCready ***@***.***> wrote: MikeMcC399 left a comment (cypress-io/cypress-docker-images#1469) The root cause of this issue is very similar to #1376 The Yarn PGP key 6A010C5166006599AA17F08146C2130DFD2497F5 associated with Yarn Packaging ***@***.***> no longer works on hkps://keys.openpgp.org ```shell gpg --delete-keys 6A010C5166006599AA17F08146C2130DFD2497F5 gpg --keyserver hkps://keys.openpgp.org --recv-keys 6A010C5166006599AA17F08146C2130DFD2497F5 gpg --fingerprint 6A010C5166006599AA17F08146C2130DFD2497F5 ``` shows ```text gpg: error reading key: No public key ``` Due to the restriction https://keys.openpgp.org/about/faq/ "Can I verify more than one key for some email address?" and the fact a new key has been uploaded to https://keys.openpgp.org using "Yarn Packaging ***@***.***>" ```text $ gpg --keyserver hkps://keys.openpgp.org --search-keys ***@***.*** gpg: data source: https://keys.openpgp.org:443 (1) Yarn Packaging (2026) ***@***.***> 256 bit EDDSA key B42879CC6B38E118, created: 2026-01-28 Keys 1-1 of 1 for ***@***.***". Enter number(s), N)ext, or Q)uit > 1 gpg: key B42879CC6B38E118: public key "Yarn Packaging (2026) ***@***.***>" imported gpg: Total number processed: 1 gpg: imported: 1 ``` ```shell gpg --delete-keys 4EF8150F4F2D7DE44F1DFF0BB42879CC6B38E118 gpg --keyserver hkps://keys.openpgp.org --recv-keys 4EF8150F4F2D7DE44F1DFF0BB42879CC6B38E118 gpg --fingerprint 4EF8150F4F2D7DE44F1DFF0BB42879CC6B38E118 ``` ```text gpg: key B42879CC6B38E118: public key "Yarn Packaging (2026) ***@***.***>" imported gpg: Total number processed: 1 gpg: imported: 1 pub ed25519 2026-01-28 [SC] 4EF8 150F 4F2D 7DE4 4F1D FF0B B428 79CC 6B38 E118 uid [ unknown] Yarn Packaging (2026) ***@***.***> sub ed25519 2026-01-28 [S] [expires: 2030-01-27] ``` The PR #1470 allows the script to detect the error using `hkps://keys.openpgp.org` and allows it to use `keyserver.ubuntu.com` which does not have the restriction about reuse of e-mail addresses, and so it succeeds. cc: @Daniel15 -- Reply to this email directly or view it on GitHub: #1469 (comment) You are receiving this because you were mentioned. Message ID: ***@***.***>

[MikeMcC399]

@Daniel15

I can change the email address if that helps?

Thanks for the offer, however I suspect that might cause unexpected effects elsewhere and I would ask you not to do that!

This is a known issue with hkps://keys.openpgp.org and it was already mitigated in the reference Node.js Docker repo through nodejs/docker-node#2252 in July 2025.

PR #1470 applies the same change to the Cypress Docker repo for Yarn. Previously I had only applied the fix to pulling Node.js, not to Yarn, since it appeared that Yarn wasn't broken.