
fix: GPG error on DOCA repository#136

Merged
rollandf merged 1 commit into Mellanox:network-operator-26.1.x from rollandf:gpg
Jan 19, 2026

Conversation

@rollandf (Member)

No description provided.

@github-actions

Thanks for your PR,
To run vendors CIs, Maintainers can use one of:

  • /test-all: To run all tests for all vendors.
  • /test-e2e-all: To run all E2E tests for all vendors.
  • /test-e2e-nvidia-all: To run all E2E tests for NVIDIA vendor.

To skip the vendors CIs, Maintainers can use one of:

  • /skip-all: To skip all tests for all vendors.
  • /skip-e2e-all: To skip all E2E tests for all vendors.
  • /skip-e2e-nvidia-all: To skip all E2E tests for NVIDIA vendor.

Best regards.

# We have to ensure that pciutils is installed. These packages are needed for mstfwreset to succeed.
# xref pkg/vendors/mellanox/mellanox.go#L150
RUN apt-get update && apt-get install -y hwdata pciutils curl mstflint && apt-get clean && rm -rf /var/lib/apt/lists/*
RUN apt-get update -o Acquire::AllowInsecureRepositories=true || true && \
Collaborator

@rollandf please add a comment why we need to add AllowInsecureRepositories=true

@greptile-apps

greptile-apps bot commented Jan 19, 2026

Greptile Summary

This PR upgrades the DOCA base image from 3.1.0 to 3.2.1 and works around a GPG key issue in NVIDIA's DOCA repository by disabling cryptographic verification during package installation.

Key changes:

  • Bumps DOCA base image to version 3.2.1
  • Adds Acquire::AllowInsecureRepositories=true to bypass GPG verification
  • Adds --allow-unauthenticated flag to apt-get install to allow unverified packages
  • Masks apt-get update failures with || true
  • Adds --no-same-owner to tar extraction for MFT installation

Critical security concern:
The approach taken completely disables package authentication, making the build vulnerable to supply chain attacks. Previous review comments correctly identified this as a significant security risk. The proper solution would be to import the missing GPG key (A024F6F0E6D6A281) or coordinate with NVIDIA to resolve the repository signing issue.

Confidence Score: 1/5

  • This PR introduces significant security vulnerabilities by completely disabling package authentication
  • The PR disables GPG verification for apt packages, allowing unauthenticated package installation from NVIDIA's DOCA repository. This exposes the container build to man-in-the-middle attacks and compromised packages. Additionally, masking apt-get update failures with || true could hide legitimate update problems. While the PR functionally solves the immediate GPG error, it trades security for convenience rather than properly addressing the root cause by importing the missing GPG key.
  • Pay close attention to Dockerfile.sriov-network-config-daemon.nvidia - the security bypass needs proper resolution

Important Files Changed

Filename: Dockerfile.sriov-network-config-daemon.nvidia
Overview: Upgrades DOCA image to 3.2.1 and bypasses GPG verification due to missing public key, introducing significant security risks

Sequence Diagram

sequenceDiagram
    participant Builder as Build Stage (golang:1.25)
    participant DOCA as DOCA Base Image (3.2.1)
    participant Apt as apt-get (DOCA repos)
    participant Mellanox as Mellanox Downloads
    participant Container as Final Container

    Builder->>Builder: Build sriov-network-config-daemon binary
    
    Note over DOCA,Apt: Base image from nvcr.io/nvidia/doca/doca:3.2.1-base-rt-host
    DOCA->>Apt: apt-get update (with GPG bypass flags)
    Note over Apt: -o Acquire::AllowInsecureRepositories=true
    Note over Apt: Errors masked with || true
    Apt-->>DOCA: Update package lists (no GPG verification)
    
    DOCA->>Apt: apt-get install --allow-unauthenticated
    Note over Apt: Installs: hwdata, pciutils, curl, mstflint
    Apt-->>DOCA: Packages installed without cryptographic verification
    
    DOCA->>Mellanox: Download MFT package via curl
    Mellanox-->>DOCA: mft-4.33.0-169 tarball
    DOCA->>DOCA: Extract with --no-same-owner flag
    DOCA->>DOCA: Install MFT without kernel modules
    
    DOCA->>DOCA: Replace mstconfig/mstfwreset with mlx symlinks
    Builder->>Container: Copy daemon binary
    DOCA->>Container: Copy bindata and sources
    Container->>Container: Ready to run sriov-network-config-daemon

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 2 comments


Comment on lines +31 to +33
RUN apt-get update -o Acquire::AllowInsecureRepositories=true || true && \
apt-get install -y --allow-unauthenticated hwdata pciutils curl mstflint && \
apt-get clean && rm -rf /var/lib/apt/lists/*
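Review bot: the `|| true` on line +31 masks more than the GPG error the PR title names. In sh, `&&` and `||` have equal precedence and associate left to right, so `apt-get update ... || true && apt-get install ...` parses as `(apt-get update ... || true) && apt-get install ...`: the install step runs even when update failed outright (network error, broken sources entry), not only when a signature check failed. `--allow-unauthenticated` on line +32 likewise applies to every configured repository, not just the DOCA one, so the bypass is wider than the single missing key A024F6F0E6D6A281 mentioned in the summary. Suggest scoping the workaround to that repository (a `signed-by` keyring on its sources entry once the key is imported) and, as asked earlier in the thread, a Dockerfile comment recording why the bypass exists and when it is to be removed.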

logic: Disabling GPG verification (Acquire::AllowInsecureRepositories=true and --allow-unauthenticated) is a significant security risk. This allows installation of packages without cryptographic verification, making the build vulnerable to man-in-the-middle attacks and tampered packages.

The proper fix would be to:

  1. Import the DOCA repository's GPG key before running apt-get update
  2. Or contact NVIDIA to resolve the GPG key issues with their DOCA repository

Example proper fix:

RUN curl -fsSL https://path-to-doca-gpg-key.asc | apt-key add - && \
    apt-get update && \
    apt-get install -y hwdata pciutils curl mstflint && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

# We have to ensure that pciutils is installed. These packages are needed for mstfwreset to succeed.
# xref pkg/vendors/mellanox/mellanox.go#L150
RUN apt-get update && apt-get install -y hwdata pciutils curl mstflint && apt-get clean && rm -rf /var/lib/apt/lists/*
RUN apt-get update -o Acquire::AllowInsecureRepositories=true || true && \

logic: Using || true masks failures from apt-get update. If the update fails for reasons other than GPG errors, the build will continue silently and potentially install outdated or missing packages.
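As an added example (not code from this PR or the sriov-network-operator project), a small Python lint a CI pipeline could run over Dockerfiles to flag the three apt patterns called out in the two review comments above, plus the deprecated `apt-key add` from the suggested fix. The sample RUN lines are constructed from the diff quoted in the review; finding ids and descriptions are this example's own.

```python
"""Lint Dockerfile RUN instructions for the apt authentication bypasses
flagged in this PR. Added example for a defender's CI check, not code from
the sriov-network-operator project; sample lines are constructed from the PR."""
import re

# (finding id, pattern, what it means for the build)
CHECKS = [
    ("insecure-repos",
     re.compile(r"Acquire::AllowInsecureRepositories\s*=\s*true", re.I),
     "apt-get update accepts repositories whose signature is missing or invalid"),
    ("allow-unauthenticated", re.compile(r"--allow-unauthenticated\b"),
     "apt-get install accepts packages that fail signature verification"),
    ("masked-update", re.compile(r"apt-get\s+update\b[^&|;]*\|\|\s*true"),
     "'|| true' hides apt-get update failures; install then runs on stale lists"),
    ("apt-key", re.compile(r"\bapt-key\s+add\b"),
     "apt-key is deprecated; keep the key under /etc/apt/keyrings and use signed-by"),
]


def run_instructions(dockerfile: str):
    """Yield (first line number, command) per RUN, joining backslash continuations."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        start, text = i + 1, lines[i]
        if not text.strip().startswith("#"):  # comment lines never continue
            while text.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                text = text.rstrip()[:-1] + " " + lines[i].strip()
        cmd = text.strip()
        if cmd[:4].upper() == "RUN ":
            yield start, cmd[4:].strip()
        i += 1


def lint(dockerfile: str):
    """Return [(line, finding id, description)] for every RUN matching a check."""
    return [(n, fid, desc) for n, cmd in run_instructions(dockerfile)
            for fid, pat, desc in CHECKS if pat.search(cmd)]


# Constructed from the PR's changed lines; ORIGINAL_RUN is the line they replaced.
PR_RUN = """RUN apt-get update -o Acquire::AllowInsecureRepositories=true || true && \\
    apt-get install -y --allow-unauthenticated hwdata pciutils curl mstflint && \\
    apt-get clean && rm -rf /var/lib/apt/lists/*
"""
ORIGINAL_RUN = "RUN apt-get update && apt-get install -y hwdata pciutils curl mstflint\n"

if __name__ == "__main__":
    for finding in lint(PR_RUN):
        print("line %d [%s] %s" % finding)
```

Running it on PR_RUN reports all three bypass findings on line 1; the replaced line produces none.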

Signed-off-by: Fred Rolland <frolland@nvidia.com>
@rollandf rollandf merged commit e5e5c9b into Mellanox:network-operator-26.1.x Jan 19, 2026
10 of 11 checks passed