When running from my home machine (i.e., not behind a web proxy), mmdebstrap runs correctly, but at work, the same command errors out with several messages similar to:
```
W: GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.
```
The command invocation at work does include `--aptopt='Acquire::http::Proxy "http://web-proxy.XXX.net:8080/";'`. Any ideas what might be wrong?
```
$ ./mmdebstrap --version
mmdebstrap 1.3.5
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.2 LTS
Release: 22.04
Codename: jammy
$ sudo ./mmdebstrap --aptopt='Acquire::http::Proxy "http://web-proxy.XXX.net:8080/";' --aptopt='Acquire::https::Proxy "https://web-proxy.XXX.net:8080/";' --variant=apt bullseye ../bullseye.squashfs
I: automatically chosen mode: root
I: chroot architecture amd64 is equal to the host's architecture
I: automatically chosen format: squashfs
I: using /tmp/mmdebstrap.NFIQ3HDqAr as tempdir
W: tar2sqfs does not support extended attributes from the 'system' namespace
I: running apt-get update...
done
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:2 http://deb.debian.org/debian bullseye InRelease [116 kB]
Err:1 http://security.debian.org/debian-security bullseye-security InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
Err:2 http://deb.debian.org/debian bullseye InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Reading package lists...
W: GPG error: http://security.debian.org/debian-security bullseye-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
E: The repository 'http://security.debian.org/debian-security bullseye-security InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
E: apt-get update --error-on=any -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed
I: main() received signal PIPE: waiting for setup...
I: removing tempdir /tmp/mmdebstrap.NFIQ3HDqAr...
E: mmdebstrap failed to run
$
```
You are trying to create a Debian chroot on Ubuntu. This means that Ubuntu needs to know about recent Debian keyrings. Do you have a recent-enough `debian-archive-keyring` (or however it is called in Ubuntu) package installed?
You can try out if the problem is specific to mmdebstrap or specific to your apt installation by running this script from the mmdebstrap man page: https://manpages.debian.org/unstable/mmdebstrap/mmdebstrap.1.en.html#OPERATION
You only need the first part:
```sh
mkdir -p "$2/etc/apt" "$2/var/cache" "$2/var/lib"
cat << END > "$2/apt.conf"
Apt::Architecture "$(dpkg --print-architecture)";
Apt::Architectures "$(dpkg --print-architecture)";
Dir "$(cd "$2" && pwd)";
Dir::Etc::Trusted "$(eval "$(apt-config shell v Dir::Etc::Trusted/f)"; printf "$v")";
Dir::Etc::TrustedParts "$(eval "$(apt-config shell v Dir::Etc::TrustedParts/d)"; printf "$v")";
END
echo "deb http://deb.debian.org/debian/ $1 main" > "$2/etc/apt/sources.list"
APT_CONFIG="$2/apt.conf" apt-get update
```
Then run this as `sudo ./ministrap.sh bullseye rootdir`. What is the output?
```console
# ./ministrap.sh bullseye rootdir
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Err:1 http://deb.debian.org/debian bullseye InRelease
The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
Reading package lists... Error!
W: Unable to read /tank/rootdir/etc/apt/apt.conf.d/ - DirectoryExists (2: No such file or directory)
W: GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: flAbsPath on /tank/rootdir/var/lib/dpkg/status failed - realpath (2: No such file or directory)
E: Could not open file - open (2: No such file or directory)
E: Problem opening
E: The package lists or status file could not be parsed or opened.
# tree rootdir/
rootdir/
├── apt.conf
├── etc
│ └── apt
│ └── sources.list
└── var
├── cache
│ └── apt
│ └── srcpkgcache.bin
└── lib
└── apt
└── lists
├── auxfiles
├── lock
└── partial
└── deb.debian.org_debian_dists_bullseye_InRelease
10 directories, 5 files
#
```
Notes:
1. I get the same output even modifying the script to explicitly add the proxy to the apt.conf
2. I get the same output after installing `debian-archive-keyring`
3. After installing the Debian keyring, at least one of the NO_PUBKEY looks to exist (i.e., the "selfsig" below)
```console
# gpg -v /usr/share/keyrings/debian-archive-bullseye-stable.gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
pub rsa4096 2021-02-13 [SC] [expires: 2029-02-11]
A4285295FC7B1A81600062A9605C66F00D6C9793
uid Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
sig 605C66F00D6C9793 2021-02-13 [selfsig]
sig C5CE5DC2C542CD59 2021-02-13 [User ID not found]
sig 5394479DD3524C51 2021-02-24 [User ID not found]
sig 196418AAEB74C8A1 2021-02-24 [User ID not found]
```
Thank you! Since you were able to reproduce the problem without mmdebstrap, the problem is not mmdebstrap but the keys that apt has access to. I see that you have /usr/share/keyrings/debian-archive-bullseye-stable.gpg but is apt actually making use of those? What is inside your `/etc/apt/trusted.gpg.d`?
The `debian-archive-keyring` README file says:
> The Ubuntu package does NOT place the keys in the APT keystore by default,
> as enabling the Debian repositories on an Ubuntu system can easily lead to
> breakage.
>
> Assuming you know what you are doing, you can re-enable the Debian keyring in
> APT using the following command:
>
>     ln -s /usr/share/keyrings/debian-archive-keyring.gpg /etc/apt/trusted.gpg.d/
After linking the keyring
```console
# ls -l /etc/apt/trusted.gpg.d/
total 20
-rw-r--r-- 1 root root 1168 Dec 16 08:47 ansible-ubuntu-ansible.gpg
lrwxrwxrwx 1 root root 46 Apr 26 15:11 debian-archive-keyring.gpg -> /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 7821 Apr 26 06:25 google-chrome.gpg
-rw-r--r-- 1 root root 2794 Mar 26 2021 ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 26 2021 ubuntu-keyring-2018-archive.gpg
```
the `NO_PUBKEY` error goes away, but the script doesn't complete successfully:
```console
# ./ministrap.sh bullseye rootdir
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian bullseye/main amd64 Packages [8,183 kB]
Get:3 http://deb.debian.org/debian bullseye/main Translation-en [6,240 kB]
Fetched 14.5 MB in 4s (3,543 kB/s)
Reading package lists... Error!
W: Unable to read /tank/rootdir/etc/apt/apt.conf.d/ - DirectoryExists (2: No such file or directory)
E: flAbsPath on /tank/rootdir/var/lib/dpkg/status failed - realpath (2: No such file or directory)
E: Could not open file - open (2: No such file or directory)
E: Problem opening
E: The package lists or status file could not be parsed or opened.
```
Does your mmdebstrap invocation work now?
It does! Thank you for helping me sort through this!
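The diagnosis this thread arrives at (keys installed under `/usr/share/keyrings` but not in the directory apt trusts) can be checked directly. The script below is an added example, not part of the original thread or of mmdebstrap: it takes saved apt output and reports, for each `NO_PUBKEY` ID, whether a keyring apt trusts contains it, whether it is only installed elsewhere, or whether it is absent. The function names are hypothetical, only `*.gpg` files are examined, and `gpg --show-keys` needs GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example: explain apt NO_PUBKEY errors by locating the missing keys.

# Print the unique long key IDs that follow NO_PUBKEY in apt output (stdin).
missing_key_ids() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "NO_PUBKEY") print $(i + 1) }' | sort -u
}

# List a keyring file in gpg's machine-readable colon format.
list_keys() {
    gpg --show-keys --with-colons "$1" 2>/dev/null
}

# Succeed if the colon listing on stdin has a key or subkey whose fingerprint
# (field 10 of an "fpr" record) ends in the 16-hex-digit key ID given as $1.
keyring_has_key() {
    awk -F: -v id="$1" '
        $1 == "fpr" && substr($10, length($10) - 15) == id { found = 1 }
        END { exit !found }'
}

# $1: file with apt output, $2: directory apt trusts (e.g. /etc/apt/trusted.gpg.d),
# $3: directory with installed but possibly unused keyrings (e.g. /usr/share/keyrings).
# Prints one line per missing key ID: "<id> <state> [<keyring file>]".
explain_no_pubkey() {
    apt_log=$1 trusted_dir=$2 installed_dir=$3
    for id in $(missing_key_ids < "$apt_log"); do
        state=absent
        for f in "$installed_dir"/*.gpg; do
            [ -e "$f" ] || continue
            if list_keys "$f" | keyring_has_key "$id"; then
                state="installed-not-trusted $f"
            fi
        done
        # A hit in the trusted directory wins: apt can already use that key.
        for f in "$trusted_dir"/*.gpg; do
            [ -e "$f" ] || continue   # also skips dangling symlinks
            if list_keys "$f" | keyring_has_key "$id"; then
                state="trusted $f"
            fi
        done
        echo "$id $state"
    done
}

# Run only when called with the three arguments described above.
if [ "$#" -eq 3 ]; then
    explain_no_pubkey "$@"
fi
```

An `installed-not-trusted` result corresponds to the state before the symlink was created in this thread; `absent` means no examined keyring carries the key at all.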