[Bug] Dockerfile.noble build fails - GPG key error for Jetson repo (NO_PUBKEY 0D296FFB880FB004)

[khj1222]

Environment

• Platform: Jetson Thor (aarch64)
• JetPack: 7.1
• OS: Ubuntu 24.04 (Noble)
• isaac-ros-cli: release-4.0

Description

isaac-ros activate --build-local fails during Docker image build at Dockerfile.noble:229. The
NVIDIA Jetson apt repository GPG key cannot be verified.

Error Log

#19 5.567 W: GPG error: https://repo.download.nvidia.com/jetson/common r38.2 InRelease:
The following signatures couldn't be verified because the public key is not available:
NO_PUBKEY 0D296FFB880FB004
#19 5.567 E: The repository 'http://repo.download.nvidia.com/jetson/common r38.2 InRelease' is not
signed.

ERROR: failed to solve: process "/bin/bash -c apt-key adv --fetch-key
https://repo.download.nvidia.com/jetson/jetson-ota-public.asc ; ..." did not complete
successfully: exit code: 100

Root Cause

Dockerfile.noble (line 229) uses apt-key adv --fetch-key to import the Jetson repo GPG key. This
method is deprecated in Ubuntu 24.04 (Noble) and does not properly register the key, causing
apt-get update to fail signature verification.

Current (broken)

RUN --mount=type=cache,target=/var/cache/apt \
apt-key adv --fetch-key https://repo.download.nvidia.com/jetson/jetson-ota-public.asc ; \
if [[ ${PLATFORM} == 'arm64' ]]; then \
add-apt-repository "deb http://repo.download.nvidia.com/jetson/common r38.2 main" ; \
...

Fix

Replace apt-key with the modern signed-by approach using a dearmored keyring file:

Fixed

RUN --mount=type=cache,target=/var/cache/apt \
curl -fsSL https://repo.download.nvidia.com/jetson/jetson-ota-public.asc | gpg --dearmor -o
/usr/share/keyrings/nvidia-jetson.gpg ; \
if [[ ${PLATFORM} == 'arm64' ]]; then \
echo "deb [signed-by=/usr/share/keyrings/nvidia-jetson.gpg]
http://repo.download.nvidia.com/jetson/common r38.2 main" >
/etc/apt/sources.list.d/nvidia-jetson.list ; \
elif [[ ${PLATFORM} == 'amd64' ]]; then \
echo "deb [signed-by=/usr/share/keyrings/nvidia-jetson.gpg]
http://repo.download.nvidia.com/jetson/x86_64/noble r38.2 main" >
/etc/apt/sources.list.d/nvidia-jetson.list ; \
else \
echo "Unrecognized platform: ${PLATFORM}" && exit 1 ; \
fi ; \
apt-get update

Workaround

Manually edit /etc/isaac-ros-cli/docker/Dockerfile.noble on the host and replace lines 229–238 with
the fixed version above, then re-run:

cd ~/workspaces/isaac_ros-dev && isaac-ros activate --build-local

References

• https://wiki.debian.org/DebianRepository/UseThirdParty
• File: /etc/isaac-ros-cli/docker/Dockerfile.noble (installed by isaac-ros-cli package

[jaiveersinghNV]

Thanks for filing this bug.

I agree that your solution will solve the problem, but I don't think the apt-key deprecation is the real root cause. While apt-key is certainly deprecated in Ubuntu 24.04, I believe it is expected to continue functioning for the lifetime of 24.04, with removal slated for the next LTS.

Do you have any network restrictions that might temporarily prevent you from fetching the key from the Jetson apt repository? You could try the debugging steps outlined in this forum thread:
https://forums.developer.nvidia.com/t/jetpack-7-0-isaac-ros-release-4-0-docker-build-fails-on-ubuntu-noble-due-to-unsigned-jetson-repository/358061/3

We'll keep an eye out and see if we see this problem anywhere else. If we do, then we may choose to adopt the 'modern' gpg --dearmor approach like you proposed.