mmdebstrap fails on Debian bullseye when using an apt trusted ASCII-armored format gpg key #13

Closed
opened 3 years ago by adrelanos · 7 comments

Debian buster supported only binary gpg keys (.gpg).

Debian bullseye supports both, binary gpg keys (.gpg) as well as ASCII-armored format gpg keys (.asc).

However, a key such as /etc/apt/trusted.gpg.d/derivative.asc that works perfectly with APT breaks mmdebstrap.

```
mmdebstrap --verbose --debug --variant=required --architectures=amd64 --aptopt=/home/user/whonix_binary/aptgetopt.conf --include=apt,sudo,devscripts,debhelper,strip-nondeterminism,fakeroot,apt-transport-tor,eatmydata,aptitude,cowdancer,fasttrack-archive-keyring --arch=amd64 bullseye /var/cache/pbuilder/base.cow_amd64
```
```
I: 11584 4459 automatically chosen mode: root
D: 11584 4602 Native architecture (outside): amd64
D: 11584 4603 Native architecture (inside): amd64
D: 11584 4605 Foreign architectures (inside): 
I: 11584 4775 chroot architecture amd64 is equal to the host's architecture
D: 11584 3952 suite bartholomea with keyring /usr/share/keyrings/tanglu-archive-keyring.gpg
D: 11584 3952 suite aequorea with keyring /usr/share/keyrings/tanglu-archive-keyring.gpg
D: 11584 3952 suite chromodoris with keyring /usr/share/keyrings/tanglu-archive-keyring.gpg
D: 11584 3952 suite dasyatis with keyring /usr/share/keyrings/tanglu-archive-keyring.gpg
D: 11584 3952 suite kali-dev with keyring /usr/share/keyrings/kali-archive-keyring.gpg
D: 11584 3952 suite kali-last-snapshot with keyring /usr/share/keyrings/kali-archive-keyring.gpg
D: 11584 3952 suite kali-bleeding-edge with keyring /usr/share/keyrings/kali-archive-keyring.gpg
D: 11584 3952 suite kali-rolling with keyring /usr/share/keyrings/kali-archive-keyring.gpg
D: 11584 3952 suite quantal with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite saucy with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite maverick with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite trusty with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite hardy with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite feisty with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite vivid with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite yakkety with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite xenial with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite disco with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite focal with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite cosmic with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite natty with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite intrepid with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite edgy with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite eoan with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite bionic with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite hirsute with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite oneiric with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite groovy with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite warty with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite raring with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite gutsy with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite karmic with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite jaunty with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite precise with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite wily with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite zesty with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite hoary with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite utopic with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite breezy with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite dapper with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite lucid with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite artful with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite impish with keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg
D: 11584 3952 suite sarge with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite experimental with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite testing with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite etch with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite hamm with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite unstable with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite oldoldstable with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite stable with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite bo with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite lenny with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite potato with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite ascii with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite slink with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite squeeze with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite bullseye with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite buster with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite trixie with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite rex with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite beowulf with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite ceres with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite oldstable with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite bookworm with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite stretch with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite buzz with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite woody with keyring /usr/share/keyrings/debian-archive-removed-keys.gpg
D: 11584 3952 suite sid with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite jessie with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite wheezy with keyring /usr/share/keyrings/debian-archive-keyring.gpg
D: 11584 3952 suite jessie-kfreebsd with keyring /usr/share/keyrings/debian-archive-keyring.gpg
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search_next failed: Invalid packet
E: gpg failed at /usr/bin/mmdebstrap line 170.
	main::error("gpg failed") called at /usr/bin/mmdebstrap line 4915
	main::main() called at /usr/bin/mmdebstrap line 5796
```
josch commented 3 years ago
Owner

@rockdrilla was fixing this in !1 -- maybe they have some input?

Poster

This line of mmdebstrap's code is failing:

```
open my $fh, '-|', @gpgcmd, @keyringopts, '--with-colons',
  '--list-keys' // error "failed to fork(): $!";
```

To manually reproduce the gpg issue:

```
gpg --quiet --ignore-time-conflict --no-options --no-default-keyring --homedir /tmp/mmdebstrap.gpghome.f2YASqj8wY1t --no-auto-check-trustdb --trust-model always --keyring /etc/apt/trusted.gpg.d/derivative.asc --with-colons --list-keys
```

```
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search_first failed: Invalid packet
tru:t:0:0:0:0:0:0
```
josch commented 3 years ago
Owner

Can you try the version from git and see if that fixes your problem?

Poster

Thank you for the swift reply! :)

Do you think you could use the following gpg command style instead?

(Simplified.)

```
gpg --with-colons --import-options show-only --import --fingerprint /etc/apt/trusted.gpg.d/derivative.asc
```

It produces the same format as the currently used command but is compatible with both versions (ASCII-armored or not).

Credits:
https://unix.stackexchange.com/questions/468647/how-do-i-get-the-fingerprint-of-an-ascii-armored-pgp-secret-key-with-gpg

josch commented 3 years ago
Owner

Why? Does the fix from ccd4b5c163 not work for you?

Poster

> Can you try the version from git and see if that fixes your problem?

It has a good chance that it would work since it uses `--show-keys`, which works for me on the command line. Will test now.

Poster

Works for me.

> Why? Does the fix from ccd4b5c163 not work for you?

Replied before I was reading that.

Thank you very much for the quick help!

adrelanos closed this issue 3 years ago
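
Why `--keyring` rejects the `.asc` file, as an added example that is not part of the thread and not mmdebstrap's code: `ctb=2d` is the byte `-` that opens `-----BEGIN PGP PUBLIC KEY BLOCK-----`, read as if it were a binary packet tag. The function names and the sample bytes below are constructed for illustration; the sketch classifies a key file by its leading bytes and decodes RFC 4880 armor (with its CRC-24 check) into the binary form a keyring file holds.

```python
import base64

HEAD = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
TAIL = b"-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def classify(blob: bytes) -> str:
    """Return 'armored', 'binary' or 'unknown' from the leading bytes."""
    if blob.lstrip().startswith(HEAD):
        return "armored"
    # A binary OpenPGP packet starts with a tag byte (CTB) that has bit 7 set.
    # '-' is 0x2d with bit 7 clear, hence "invalid packet (ctb=2d)".
    return "binary" if blob and blob[0] & 0x80 else "unknown"

def dearmor(blob: bytes) -> bytes:
    """Decode one armored public key block to binary, verifying the CRC-24."""
    lines = [line.strip() for line in blob.strip().splitlines()]
    if len(lines) < 3 or lines[0] != HEAD or lines[-1] != TAIL:
        raise ValueError("not a single armored public key block")
    body = lines[1:-1]
    if b"" in body:  # armor headers such as "Comment:" end at a blank line
        body = body[body.index(b"") + 1:]
    checksum = body.pop()[1:] if body and body[-1].startswith(b"=") else None
    data = base64.b64decode(b"".join(body), validate=True)
    if checksum is not None:
        if crc24(data) != int.from_bytes(base64.b64decode(checksum), "big"):
            raise ValueError("armor CRC-24 mismatch")
    return data

def armor(data: bytes) -> bytes:
    """Inverse of dearmor(); used here only to build the constructed sample."""
    b64 = base64.b64encode(data)
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big"))
    return b"\n".join([HEAD, b"", *rows, b"=" + crc, TAIL, b""])

# Constructed sample: an old-format public-key packet header (0x99) followed
# by filler bytes. It is not a real key.
SAMPLE_BINARY = bytes([0x99, 0x00, 0x08]) + bytes(range(8))
SAMPLE_ARMORED = armor(SAMPLE_BINARY)

if __name__ == "__main__":
    print(classify(SAMPLE_ARMORED), hex(SAMPLE_ARMORED[0]), classify(dearmor(SAMPLE_ARMORED)))
```
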
Reference: josch/mmdebstrap#13