mmdebstrap stretch fails with NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A #2

Open
opened 3 years ago by zerodeux · 26 comments

Hello,

I have an automated base image running every day which suddenly stopped working from Apr 3rd. And I can't figure out the reason why it fails on those keys. The log is:

```
I: chroot architecture amd64 is equal to the host's architecture
I: automatically chosen format: tar
I: using /tmp/mmdebstrap.NKg6JhkdNn as tempdir
I: running --setup-hook in shell: sh -c 'systemd-machine-id-setup --root $1' exec /tmp/mmdebstrap.NKg6JhkdNn
Initializing machine ID from random generator.
I: running apt-get update...
done
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Ign:2 http://deb.debian.org/debian stretch InRelease
Get:3 http://deb.debian.org/debian stretch-updates InRelease [93.6 kB]
Get:4 http://deb.debian.org/debian stretch Release [118 kB]
Get:5 http://deb.debian.org/debian stretch Release.gpg [2410 B]
Err:1 http://security.debian.org/debian-security stretch/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
Err:3 http://deb.debian.org/debian stretch-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
Get:6 http://deb.debian.org/debian stretch/main amd64 Packages [7080 kB]
Reading package lists...
W: GPG error: http://security.debian.org/debian-security stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
E: The repository 'http://security.debian.org/debian-security stretch/updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
E: The repository 'http://deb.debian.org/debian stretch-updates InRelease' is not signed.
E: apt-get update -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed
W: listening on child socket failed: 
I: removing tempdir /tmp/mmdebstrap.NKg6JhkdNn...
```

Hi there! Take a look at #1.

josch commented 3 years ago
Owner

Can you share your invocation? This works for me:

```
mmdebstrap stretch /dev/null
```
Poster

I can reproduce the problem with the bare invocation :

```
$ cat /etc/debian_version
10.9
$ ./mmdebstrap/mmdebstrap --version
mmdebstrap 0.7.5
$ ./mmdebstrap/mmdebstrap stretch /dev/null
...
Err:1 http://security.debian.org/debian-security stretch/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
Err:3 http://deb.debian.org/debian stretch-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
...
```

My exact invocation is:

```
packages="
linux-image-amd64
apt-transport-https
ca-certificates
curl
wget
debian-security-support
aptitude
postfix
postfix-pcre
libsasl2-modules
bsd-mailx
file
acl
systemd-sysv
less
rsync
screen
vim
emacs-nox
debian-goodies
host
openssh-client
netcat
net-tools
pwgen
git
htop
molly-guard
xz-utils
bzip2
zip
unzip
ncdu
strace
lsof
nocache
bash-completion
locales
man-db
python
"
packages_list=$(echo $packages |sed 's/ \+/,/g')

mmdebstrap/mmdebstrap \
  --mode=unshare \
  --aptopt='Acquire::http { Proxy "http://proxy:8080"; }' \
  --setup-hook='systemd-machine-id-setup --root $1' \
  --include $packages_list \
  stretch $target
```

I've tried without my caching proxy, same problem.

Should I try with the patch in #1 ?

Poster

And I was mistaken, it started to fail on 03/30 (it worked on 03/29).


> Should I try with the patch in #1 ?

issue following commands (in case you're using git):

```
git remote add rockdrilla https://gitlab.mister-muffin.de/rockdrilla/mmdebstrap.git
git remote update -p
git checkout rockdrilla/gpg-handle-ascii-keyrings
```

and then try your setup again.

Poster
```
...
HEAD is now at ccd4b5c gpg: handle ASCII-armored keyrings as well
$ ./mmdebstrap stretch /dev/null
I: automatically chosen mode: unshare
I: chroot architecture amd64 is equal to the host's architecture
gpg: Fatal: can't open '/tmp/mmdebstrap.gpghome.0FCXNc1FTGcJ/trustdb.gpg': No such file or directory
E: gpg failed
```

What says `dpkg-query --show --showformat='${Version}\n' gnupg` ?
On my machine: `2.2.27-2`.

Poster

I get Buster's release:

```
$ dpkg-query --show --showformat='${Version}\n' gnupg
2.2.12-1+deb10u1
```

Should I pull buster-backport's one ?


> Should I pull buster-backport's one ?

No, you shouldn't. I've been working on this issue.


I've been able to hit same error using "buster" container:

```
./mmdebstrap --verbose --mode=fakeroot stretch /dev/null
```

Dunno how to fix it ASAP and is it mmdebstrap bug or something else had broken.

Also, @josch, should I modify my MR with respect to "stretch" as host (it has old gnupg without `--show-keys` support)?

josch commented 3 years ago
Owner

I'm still unable to reproduce this. You say you are running mmdebstrap from git on Debian buster? This works for me:

```
mmdebstrap buster --include=git,ca-certificates \
    --customize-hook='chroot "$1" git clone https://gitlab.mister-muffin.de/josch/mmdebstrap.git' \
    --customize-hook='chroot "$1" ./mmdebstrap/mmdebstrap --mode=unshare stretch /dev/null' \
    /dev/null
```

@rockdrilla no, mmdebstrap from git only has to work with what is currently Debian stable -- oldstable is not supported, especially now that it will soon become oldoldstable.

Poster

Your latest invocation works, but the bare one does not. The host is indeed an up-to-date Buster.

My latest runs :

```
$ git clone https://gitlab.mister-muffin.de/josch/mmdebstrap.git
$ cd mmdebstrap
$ ./mmdebstrap buster --include=git,ca-certificates \
>     --customize-hook='chroot "$1" git clone https://gitlab.mister-muffin.de/josch/mmdebstrap.git' \
>     --customize-hook='chroot "$1" ./mmdebstrap/mmdebstrap --mode=unshare stretch /dev/null' \
>     /dev/null
[...]
I: success in 72.5681 seconds

$ ./mmdebstrap stretch /dev/null
I: automatically chosen mode: unshare
I: chroot architecture amd64 is equal to the host's architecture
gpg: Fatal: can't open '/tmp/mmdebstrap.gpghome.biE95w2R4h_l/trustdb.gpg': No such file or directory
E: gpg failed
```

It's a build host with stretch/buster/bullseye APT sources and their trusted keys, maybe this context is important.

josch commented 3 years ago
Owner

If you are mixing stretch, buster and bullseye, then the context is indeed extremely important. What is also important is your apt configuration and which keys apt is trusting and not trusting in your specific setup. There are several ways forward:

a) show how to get from a clean install to a state that triggers the problem
b) tell us enough about your setup so that we can replicate it
c) find somebody else with the same problem and figure out the similarities between your setups

@rockdrilla says that they can reproduce the problem inside a buster container -- can you show us how to set up that container?

```
## i prefer podman but you may use docker if you want to
podman run --rm -it --net host --tmpfs=/tmp debian:10-slim bash

## inside container:

apt update
apt -y --install-recommends install eatmydata
eatmydata apt -y upgrade
eatmydata apt -y --install-recommends install mmdebstrap git

git clone https://gitlab.mister-muffin.de/josch/mmdebstrap.git

## this one gonna fail due to missing (new) dependencies
./mmdebstrap/mmdebstrap --mode=fakeroot stretch /dev/null

## oops! need extra deps for mmdebstrap! :)
eatmydata apt -y --install-recommends install libdistro-info-perl gpg

## this one gonna fail due to wrong command line
## i'm sorry - this is my own fault (i've not checked own MR against buster)
./mmdebstrap/mmdebstrap --mode=fakeroot stretch /dev/null

rm -rf mmdebstrap
git clone -b wip-gpg-init-trustdb https://gitlab.mister-muffin.de/rockdrilla/mmdebstrap.git

## and finally - this one gonna fail due to mess with public keys
## as @zerodeux pointed out in https://gitlab.mister-muffin.de/josch/mmdebstrap/issues/2
./mmdebstrap/mmdebstrap --mode=fakeroot stretch /dev/null
```

josch commented 3 years ago
Owner

Funny, I can reproduce it with podman but I cannot reproduce it with the exact same rootfs and a simple `chroot` to enter it.

**EDIT** Okay, now I can reproduce it even without fancy container software:

```
mmdebstrap buster --include=git,ca-certificates,mmdebstrap,libdistro-info-perl,gpg --customize-hook='chroot "$1" git clone https://gitlab.mister-muffin.de/josch/mmdebstrap.git' --customize-hook='chroot "$1" ./mmdebstrap/mmdebstrap --mode=unshare stretch /dev/null' /dev/null
```
josch commented 3 years ago
Owner

@rockdrilla do you see an easy way to support old gnupg versions without `--show-keys`?

@zerodeux what is the reason you use mmdebstrap from git instead of the version in buster?

Poster

@josch The reason is the Jessie support you added in 0.6.0 (Buster's is 0.4.1), I still need to build legacy Jessie stuff (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=945119).

I have been using 0.6.0 since then, I only tried 0.7.5 and HEAD to see if this would fix this GPG key problem.

josch commented 3 years ago
Owner

@zerodeux okay, I understand. Now the problem with HEAD is, that it uses a gpg option that is not available in buster. One workaround for you would be to not have the package `libdistro-info-perl` installed when using 0.7.5. Is that a possibility for you?

Poster

If you're talking about the host, I have already checked that it is installed (libdistro-info-perl 0.21), it does not fix the pb with 0.7.5 or HEAD.

josch commented 3 years ago
Owner

Additionally, this boils down to apt not knowing about the keys anymore. For example if you try to build a jessie chroot with mmdebstrap HEAD on Debian unstable you will get:

```
./mmdebstrap --variant=apt jessie /dev/null
I: automatically chosen mode: unshare
I: chroot architecture amd64 is equal to the host's architecture
I: automatically chosen format: null
I: using /tmp/mmdebstrap.3dowNJd5nG as tempdir
I: running apt-get update...
done
Get:1 http://security.debian.org/debian-security jessie/updates InRelease [44.9 kB]
Ign:2 http://deb.debian.org/debian jessie InRelease
Get:3 http://deb.debian.org/debian jessie-updates InRelease [16.3 kB]
Get:4 http://deb.debian.org/debian jessie Release [77.3 kB]
Err:3 http://deb.debian.org/debian jessie-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010
Get:5 http://deb.debian.org/debian jessie Release.gpg [1652 B]
Get:6 http://security.debian.org/debian-security jessie/updates/main amd64 Packages [781 kB]
Ign:5 http://deb.debian.org/debian jessie Release.gpg
Reading package lists...
W: GPG error: http://deb.debian.org/debian jessie-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010
E: The repository 'http://deb.debian.org/debian jessie-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian jessie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY CBF8D6FD518E17E1
E: The repository 'http://deb.debian.org/debian jessie Release' is not signed.
E: apt-get update -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed
W: listening on child socket failed: 
I: removing tempdir /tmp/mmdebstrap.3dowNJd5nG...
```

The workaround is to tell mmdebstrap about the location of the gpg key manually by passing a full apt sources.list line:

```
./mmdebstrap --variant=apt jessie /dev/null "deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://deb.debian.org/debian jessie main"
```

This is of course missing the security and updates mirror locations, so ideally, you'd want to create a sources.list file with content like this:

```
deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://deb.debian.org/debian jessie main
deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://deb.debian.org/debian jessie-updates main
deb [signed-by=/usr/share/keyrings/debian-archive-removed-keys.gpg] http://security.debian.org/debian-security jessie/updates main
```

And then run mmdebstrap like this:

```
./mmdebstrap jessie /dev/null sources.list
```

Alternatively, you can also let apt know about and trust `/usr/share/keyrings/debian-archive-removed-keys.gpg` by putting the keys into `/etc/apt/trusted.gpg.d`
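
Added example (not part of the thread and not mmdebstrap code): a way to check, before pinning a keyring with `signed-by`, that it actually holds every key apt reported as `NO_PUBKEY`, and to generate the pinned `sources.list` lines for the failing repositories. `signed-by` scopes the keyring to the listed sources, whereas a file dropped into `/etc/apt/trusted.gpg.d` is trusted for every source on the host. The function names and the keyring listing are assumptions made for this example; the apt log is an excerpt of the one quoted above.

```sh
#!/bin/sh
# Added example; not code from this thread or from mmdebstrap.

# Excerpt of the jessie `apt-get update` output quoted in the thread.
sample_apt_log() {
cat <<'EOF'
Err:3 http://deb.debian.org/debian jessie-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010
W: GPG error: http://deb.debian.org/debian jessie-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010
E: The repository 'http://deb.debian.org/debian jessie-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian jessie Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 7638D0442B90D010 NO_PUBKEY CBF8D6FD518E17E1
E: The repository 'http://deb.debian.org/debian jessie Release' is not signed.
EOF
}

# Constructed colon listing for illustration only. It is NOT the content of
# any real keyring and deliberately lacks one of the keys apt asked for.
# Real input would come from:
#   gpg --no-default-keyring --keyring "$KEYRING" --list-keys --with-colons
sample_keyring_listing() {
cat <<'EOF'
tru::1:0:0:0:0:0
pub:-:4096:1:7638D0442B90D010:0:::-:::scSC:
uid:-::::0::0::Constructed Example Key::::::::::0:
sub:-:4096:1:0000000000000001:0::::::s:
EOF
}

# stdin: apt-get update output. stdout: "URL SUITE KEYID", one line per
# missing key and repository, deduplicated.
missing_keys() {
    awk '/^W: GPG error: / {
        # $4 = repository URL, $5 = suite, $6 = "InRelease:" or "Release:"
        for (i = 6; i < NF; i++)
            if ($i == "NO_PUBKEY" && $(i + 1) ~ /^[0-9A-F]+$/)
                print $4, $5, $(i + 1)
    }' | LC_ALL=C sort -u
}

# stdin: gpg --with-colons listing. stdout: key IDs of primary keys and
# subkeys (field 5 of pub/sub records).
keyring_ids() {
    awk -F: '$1 == "pub" || $1 == "sub" { print $5 }' | LC_ALL=C sort -u
}

# uncovered KEYID...: stdin is missing_keys output; prints the key IDs apt
# asked for that are not among the arguments. With no arguments every
# requested key is reported, so an unreadable keyring never looks complete.
uncovered() {
    awk -v have="$*" '
        BEGIN { n = split(have, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($3 in ok) { print $3 }' | LC_ALL=C sort -u
}

# pinned_sources KEYRING: stdin is missing_keys output; prints one
# sources.list line per failing repository, pinned to KEYRING.
# The "main" component follows the sources.list shown in the thread.
pinned_sources() {
    awk -v kr="$1" '!seen[$1 " " $2]++ {
        printf "deb [signed-by=%s] %s %s main\n", kr, $1, $2
    }'
}

# Demo on the embedded samples.
keyring=/usr/share/keyrings/debian-archive-removed-keys.gpg
lacking=$(sample_apt_log | missing_keys |
    uncovered $(sample_keyring_listing | keyring_ids))
if [ -n "$lacking" ]; then
    echo "keyring listing lacks: $lacking"
fi
sample_apt_log | missing_keys | pinned_sources "$keyring"
```

Only repositories that failed verification appear in the generated lines; sources that apt fetched without error, such as the security mirror in the log above, still have to be added by hand as in the `sources.list` shown in the comment.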

josch commented 3 years ago
Owner

> If you're talking about the host, I have already checked that it is installed (libdistro-info-perl 0.21), it does not fix the pb with 0.7.5 or HEAD.

You misread. Did you try ***not*** having libdistro-info-perl installed?

Poster

Ohhh sorry. I can do that, it's not one of my dependencies. It changes the error with something that obviously prompted me to install libdistro-info-perl in the first place:

```
$ ./mmdebstrap/mmdebstrap --version
mmdebstrap 0.7.5

$ ./mmdebstrap/mmdebstrap stretch >/dev/null
I: automatically chosen mode: unshare
I: chroot architecture amd64 is equal to the host's architecture
I: automatically chosen format: tar
I: using /tmp/mmdebstrap.rqBUZU_hyU as tempdir
I: running apt-get update...
done
Get:1 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Ign:2 http://deb.debian.org/debian stretch InRelease
Get:3 http://deb.debian.org/debian stretch-updates InRelease [93.6 kB]
Get:4 http://deb.debian.org/debian stretch Release [118 kB]
Get:5 http://deb.debian.org/debian stretch Release.gpg [2410 B]
Err:1 http://security.debian.org/debian-security stretch/updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
Err:3 http://deb.debian.org/debian stretch-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
Get:6 http://deb.debian.org/debian stretch/main amd64 Packages [7080 kB]
Reading package lists...
W: GPG error: http://security.debian.org/debian-security stretch/updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY AA8E81B4331F7F50 NO_PUBKEY 112695A0E562B32A
E: The repository 'http://security.debian.org/debian-security stretch/updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian stretch-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 04EE7237B7D453EC NO_PUBKEY 648ACFD622F3D138
E: The repository 'http://deb.debian.org/debian stretch-updates InRelease' is not signed.
E: apt-get update -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed
W: listening on child socket failed: Can't locate Debian/DistroInfo.pm in @INC (you may need to install the Debian::DistroInfo module) (@INC contains: /home/cloud/perl5/lib/perl5/x86_64-linux-gnu-thread-multi /home/cloud/perl5/lib/perl5 /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.28.1 /usr/local/share/perl/5.28.1 /usr/lib/x86_64-linux-gnu/perl5/5.28 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.28 /usr/share/perl/5.28 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base) at ./mmdebstrap/mmdebstrap line 4026.
```

> Alternatively, you can also let apt know about and trust /usr/share/keyrings/debian-archive-removed-keys.gpg by putting the keys into /etc/apt/trusted.gpg.d

This workaround does work for me and it's acceptable on my build VM. Thanks a lot !

josch commented 3 years ago
Owner

Yeah, so the actual problem is, that there is really no good way to map a Debian distro to a gpg key file reliably. It breaks once new keys get uploaded and the distroinfo information becomes outdated. This will remain a problem for distros that are oldstable or oldoldstable until we have a reliable way to figure out keyring locations from a distro name.


> @rockdrilla do you see an easy way to support old gnupg versions without `--show-keys`?

@josch, which releases i'm/we're targeting to support (in past)?

josch commented 3 years ago
Owner

@rockdrilla mmdebstrap should work on the current stable and be able to create oldstable, stable, testing and unstable chroots. The version right now does not work on stable, which is okay because the next release will only happen once testing has become the new stable.
