josch/mmdebstrap
2
3
Fork 6
Code Issues 8 Pull requests 1 Projects Releases Wiki Activity

NO_PUBKEY failure when behind a proxy #36

New issue
Closed
opened 2023-04-24 18:19:52 +00:00 by ctuffli · 6 comments
ctuffli commented 2023-04-24 18:19:52 +00:00
Copy link

When running from my home machine (i.e., not behind a web proxy), mmdebstrap runs correctly, but at work, the same command errors out with several messages similar to:

W: GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.

The command invocation at work does include --aptopt='Acquire::http::Proxy "http://web-proxy.XXX.net:8080/";'. Any ideas what might be wrong?

$ ./mmdebstrap --version
mmdebstrap 1.3.5
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy
$ sudo ./mmdebstrap --aptopt='Acquire::http::Proxy "http://web-proxy.XXX.net:8080/";' --aptopt='Acquire::https::Proxy "https://web-proxy.XXX.net:8080/";' --variant=apt bullseye ../bullseye.squashfs
I: automatically chosen mode: root
I: chroot architecture amd64 is equal to the host's architecture
I: automatically chosen format: squashfs
I: using /tmp/mmdebstrap.NFIQ3HDqAr as tempdir
W: tar2sqfs does not support extended attributes from the 'system' namespace
I: running apt-get update...
done
Get:1 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:2 http://deb.debian.org/debian bullseye InRelease [116 kB]
Err:1 http://security.debian.org/debian-security bullseye-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
Err:2 http://deb.debian.org/debian bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
Reading package lists...
W: GPG error: http://security.debian.org/debian-security bullseye-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853
E: The repository 'http://security.debian.org/debian-security bullseye-security InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
E: apt-get update --error-on=any -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed
I: main() received signal PIPE: waiting for setup...
I: removing tempdir /tmp/mmdebstrap.NFIQ3HDqAr...
E: mmdebstrap failed to run
$
When running from my home machine (i.e., not behind a web proxy), mmdebstrap runs correctly, but at work, the same command errors out with several messages similar to: ``` W: GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793 E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed. ``` The command invocation at work does include `--aptopt='Acquire::http::Proxy "http://web-proxy.XXX.net:8080/";'`. Any ideas what might be wrong? ``` $ ./mmdebstrap --version mmdebstrap 1.3.5 $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 22.04.2 LTS Release: 22.04 Codename: jammy $ sudo ./mmdebstrap --aptopt='Acquire::http::Proxy "http://web-proxy.XXX.net:8080/";' --aptopt='Acquire::https::Proxy "https://web-proxy.XXX.net:8080/";' --variant=apt bullseye ../bullseye.squashfs I: automatically chosen mode: root I: chroot architecture amd64 is equal to the host's architecture I: automatically chosen format: squashfs I: using /tmp/mmdebstrap.NFIQ3HDqAr as tempdir W: tar2sqfs does not support extended attributes from the 'system' namespace I: running apt-get update... done Get:1 http://security.debian.org/debian-security bullseye-security InRelease [48.4 kB] Get:2 http://deb.debian.org/debian bullseye InRelease [116 kB] Err:1 http://security.debian.org/debian-security bullseye-security InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853 Err:2 http://deb.debian.org/debian bullseye InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793 Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB] Err:3 http://deb.debian.org/debian bullseye-updates InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 Reading package lists... W: GPG error: http://security.debian.org/debian-security bullseye-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 112695A0E562B32A NO_PUBKEY 54404762BBB6E853 E: The repository 'http://security.debian.org/debian-security bullseye-security InRelease' is not signed. W: GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793 E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed. W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed. E: apt-get update --error-on=any -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed I: main() received signal PIPE: waiting for setup... I: removing tempdir /tmp/mmdebstrap.NFIQ3HDqAr... E: mmdebstrap failed to run $ ```
josch commented 2023-04-24 19:39:24 +00:00
Owner
Copy link

You are trying to create a Debian chroot on Ubuntu. This means that Ubuntu needs to know about recent Debian keyrings. Do you have a recent-enough debian-archive-keyring (or however it is called in Ubuntu) package installed?

You can try out if the problem is specific to mmdebstrap or specific to your apt installation by running this script from the mmdebstrap man page: https://manpages.debian.org/unstable/mmdebstrap/mmdebstrap.1.en.html#OPERATION

You only need the first part:

mkdir -p "$2/etc/apt" "$2/var/cache" "$2/var/lib"
cat << END > "$2/apt.conf"
Apt::Architecture "$(dpkg --print-architecture)";
Apt::Architectures "$(dpkg --print-architecture)";
Dir "$(cd "$2" && pwd)";
Dir::Etc::Trusted "$(eval "$(apt-config shell v Dir::Etc::Trusted/f)"; printf "$v")";
Dir::Etc::TrustedParts "$(eval "$(apt-config shell v Dir::Etc::TrustedParts/d)"; printf "$v")";
END
echo "deb http://deb.debian.org/debian/ $1 main" > "$2/etc/apt/sources.list"
APT_CONFIG="$2/apt.conf" apt-get update

Then run this as sudo ./ministrap.sh bullseye rootdir. What is the output?

You are trying to create a Debian chroot on Ubuntu. This means that Ubuntu needs to know about recent Debian keyrings. Do you have a recent-enough `debian-archive-keyring` (or however it is called in Ubuntu) package installed? You can try out if the problem is specific to mmdebstrap or specific to your apt installation by running this script from the mmdebstrap man page: https://manpages.debian.org/unstable/mmdebstrap/mmdebstrap.1.en.html#OPERATION You only need the first part: ```sh mkdir -p "$2/etc/apt" "$2/var/cache" "$2/var/lib" cat << END > "$2/apt.conf" Apt::Architecture "$(dpkg --print-architecture)"; Apt::Architectures "$(dpkg --print-architecture)"; Dir "$(cd "$2" && pwd)"; Dir::Etc::Trusted "$(eval "$(apt-config shell v Dir::Etc::Trusted/f)"; printf "$v")"; Dir::Etc::TrustedParts "$(eval "$(apt-config shell v Dir::Etc::TrustedParts/d)"; printf "$v")"; END echo "deb http://deb.debian.org/debian/ $1 main" > "$2/etc/apt/sources.list" APT_CONFIG="$2/apt.conf" apt-get update ``` Then run this as `sudo ./ministrap.sh bullseye rootdir`. What is the output?
ctuffli commented 2023-04-25 21:50:16 +00:00
Author
Copy link
# ./ministrap.sh bullseye rootdir
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Err:1 http://deb.debian.org/debian bullseye InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
Reading package lists... Error!
W: Unable to read /tank/rootdir/etc/apt/apt.conf.d/ - DirectoryExists (2: No such file or directory)
W: GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
E: flAbsPath on /tank/rootdir/var/lib/dpkg/status failed - realpath (2: No such file or directory)
E: Could not open file  - open (2: No such file or directory)
E: Problem opening
E: The package lists or status file could not be parsed or opened.
# tree rootdir/
rootdir/
├── apt.conf
├── etc
│   └── apt
│       └── sources.list
└── var
    ├── cache
    │   └── apt
    │       └── srcpkgcache.bin
    └── lib
        └── apt
            └── lists
                ├── auxfiles
                ├── lock
                └── partial
                    └── deb.debian.org_debian_dists_bullseye_InRelease

10 directories, 5 files
#

Notes:

  1. I get the same output even modifying the script to explicitly add the proxy to the apt.conf
  2. I get the same output after installing debian-archive-keyring
  3. After installing the Debian keyring, at least one of the NO_PUBKEY looks to exist (i.e., the "selfsig" below)
# gpg -v /usr/share/keyrings/debian-archive-bullseye-stable.gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2021-02-13 [SC] [expires: 2029-02-11]
      A4285295FC7B1A81600062A9605C66F00D6C9793
uid           Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
sig        605C66F00D6C9793 2021-02-13   [selfsig]
sig        C5CE5DC2C542CD59 2021-02-13   [User ID not found]
sig        5394479DD3524C51 2021-02-24   [User ID not found]
sig        196418AAEB74C8A1 2021-02-24   [User ID not found]
```console # ./ministrap.sh bullseye rootdir Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB] Err:1 http://deb.debian.org/debian bullseye InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793 Reading package lists... Error! W: Unable to read /tank/rootdir/etc/apt/apt.conf.d/ - DirectoryExists (2: No such file or directory) W: GPG error: http://deb.debian.org/debian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 605C66F00D6C9793 E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. E: flAbsPath on /tank/rootdir/var/lib/dpkg/status failed - realpath (2: No such file or directory) E: Could not open file - open (2: No such file or directory) E: Problem opening E: The package lists or status file could not be parsed or opened. # tree rootdir/ rootdir/ ├── apt.conf ├── etc │   └── apt │   └── sources.list └── var ├── cache │   └── apt │   └── srcpkgcache.bin └── lib └── apt └── lists ├── auxfiles ├── lock └── partial └── deb.debian.org_debian_dists_bullseye_InRelease 10 directories, 5 files # ``` Notes: 1. I get the same output even modifying the script to explicitly add the proxy to the apt.conf 2. I get the same output after installing `debian-archive-keyring` 3. After installing the Debian keyring, at least one of the NO_PUBKEY looks to exist (i.e., the "selfsig" below) ```console # gpg -v /usr/share/keyrings/debian-archive-bullseye-stable.gpg gpg: WARNING: no command supplied. Trying to guess what you mean ... pub rsa4096 2021-02-13 [SC] [expires: 2029-02-11] A4285295FC7B1A81600062A9605C66F00D6C9793 uid Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org> sig 605C66F00D6C9793 2021-02-13 [selfsig] sig C5CE5DC2C542CD59 2021-02-13 [User ID not found] sig 5394479DD3524C51 2021-02-24 [User ID not found] sig 196418AAEB74C8A1 2021-02-24 [User ID not found] ```
josch commented 2023-04-26 04:34:52 +00:00
Owner
Copy link

Thank you! Since you were able to reproduce the problem without mmdebstrap, the problem is not mmdebstrap but the keys that apt has access to. I see that you have /usr/share/keyrings/debian-archive-bullseye-stable.gpg but is apt actually making use of those? What is inside your /etc/apt/trusted.gpg.d?

Thank you! Since you were able to reproduce the problem without mmdebstrap, the problem is not mmdebstrap but the keys that apt has access to. I see that you have /usr/share/keyrings/debian-archive-bullseye-stable.gpg but is apt actually making use of those? What is inside your `/etc/apt/trusted.gpg.d`?
ctuffli commented 2023-04-26 22:19:33 +00:00
Author
Copy link

The debian-archive-keyring README file says:

The Ubuntu package does NOT place the keys in the APT keystore by default,
as enabling the Debian repositories on an Ubuntu system can easily lead to
breakage.

Assuming you know what you are doing, you can re-enable the Debian keyring in
APT using the following command:

ln -s /usr/share/keyrings/debian-archive-keyring.gpg /etc/apt/trusted.gpg.d/

After linking the keyring

# ls -l /etc/apt/trusted.gpg.d/
total 20
-rw-r--r-- 1 root root 1168 Dec 16 08:47 ansible-ubuntu-ansible.gpg
lrwxrwxrwx 1 root root   46 Apr 26 15:11 debian-archive-keyring.gpg -> /usr/share/keyrings/debian-archive-keyring.gpg
-rw-r--r-- 1 root root 7821 Apr 26 06:25 google-chrome.gpg
-rw-r--r-- 1 root root 2794 Mar 26  2021 ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 26  2021 ubuntu-keyring-2018-archive.gpg

the NO_PUBKEY error goes away, but the script doesn't complete successfully:

# ./ministrap.sh bullseye rootdir
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian bullseye/main amd64 Packages [8,183 kB]
Get:3 http://deb.debian.org/debian bullseye/main Translation-en [6,240 kB]
Fetched 14.5 MB in 4s (3,543 kB/s)
Reading package lists... Error!
W: Unable to read /tank/rootdir/etc/apt/apt.conf.d/ - DirectoryExists (2: No such file or directory)
E: flAbsPath on /tank/rootdir/var/lib/dpkg/status failed - realpath (2: No such file or directory)
E: Could not open file  - open (2: No such file or directory)
E: Problem opening
E: The package lists or status file could not be parsed or opened.
The `debian-archive-keyring` README file says: > The Ubuntu package does NOT place the keys in the APT keystore by default, > as enabling the Debian repositories on an Ubuntu system can easily lead to > breakage. > > Assuming you know what you are doing, you can re-enable the Debian keyring in > APT using the following command: > > ln -s /usr/share/keyrings/debian-archive-keyring.gpg /etc/apt/trusted.gpg.d/ After linking the keyring ```console # ls -l /etc/apt/trusted.gpg.d/ total 20 -rw-r--r-- 1 root root 1168 Dec 16 08:47 ansible-ubuntu-ansible.gpg lrwxrwxrwx 1 root root 46 Apr 26 15:11 debian-archive-keyring.gpg -> /usr/share/keyrings/debian-archive-keyring.gpg -rw-r--r-- 1 root root 7821 Apr 26 06:25 google-chrome.gpg -rw-r--r-- 1 root root 2794 Mar 26 2021 ubuntu-keyring-2012-cdimage.gpg -rw-r--r-- 1 root root 1733 Mar 26 2021 ubuntu-keyring-2018-archive.gpg ``` the `NO_PUBKEY` error goes away, but the script doesn't complete successfully: ```console # ./ministrap.sh bullseye rootdir Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB] Get:2 http://deb.debian.org/debian bullseye/main amd64 Packages [8,183 kB] Get:3 http://deb.debian.org/debian bullseye/main Translation-en [6,240 kB] Fetched 14.5 MB in 4s (3,543 kB/s) Reading package lists... Error! W: Unable to read /tank/rootdir/etc/apt/apt.conf.d/ - DirectoryExists (2: No such file or directory) E: flAbsPath on /tank/rootdir/var/lib/dpkg/status failed - realpath (2: No such file or directory) E: Could not open file - open (2: No such file or directory) E: Problem opening E: The package lists or status file could not be parsed or opened. ```
josch commented 2023-04-26 23:38:20 +00:00
Owner
Copy link

Does your mmdebstrap invocation work now?

Does your mmdebstrap invocation work now?
ctuffli commented 2023-04-27 14:46:02 +00:00
Author
Copy link

It does! Thank you for helping me sort through this!

It does! Thank you for helping me sort through this!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
1.5.4
1.5.3
1.5.2
1.5.1
1.5.0
1.4.3
1.4.2
1.4.1
1.4.0
1.3.8
1.3.7
1.3.6
1.3.5
1.3.4
1.3.3
1.3.2
1.3.1
1.3.0
1.2.5
1.2.4
1.2.3
1.2.2
1.2.1
1.2.0
1.1.0
1.0.1
1.0.0
0.8.6
0.8.5
0.8.4
0.8.3
0.8.2
0.8.1
0.8.0
0.7.5
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
0.6.1
0.6.0
0.5.1
0.5.0
0.4.1
0.4.0
0.3.0
0.2.0
0.1.0
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: josch/mmdebstrap#36
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?