Package: mmdebstrap
Version: 1.3.1-2
Severity: normal
X-Debbugs-Cc: none, Dima Kogan <dko...@debian.org>


Hi. I'm using mmdebstrap to bootstrap an install that uses the normal
Debian repos AND my own repo. My repo is signed with a key that lives in
$PWD/keys/something.gpg. I pass --keyring=$PWD/keys as suggested in the
docs, but this doesn't work for some mysterious reason. No clear
diagnostics are available, with --verbose saying nothing extra. This is
what I see:

  $ sudo mmdebstrap                                                \
    --architectures=arm64                                          \
    --keyring=$PWD/keys                                            \
    --aptopt 'Acquire::https::MY_REPO_DOMAIN::Verify-Peer "false"' \
    bookworm                                                       \
    bookworm-tst                                                   \
    http://deb.debian.org/debian                                   \
    http://MY_REPO_DOMAIN/public/debian/bookworm

  I: automatically chosen mode: root
  I: arm64 cannot be executed natively, but transparently using qemu-user binfmt emulation
  I: finding correct signed-by value...
  I: automatically chosen format: directory
  I: running apt-get update...
  Get:1 https://MY_REPO_DOMAIN/public/debian/bookworm bookworm InRelease [5136 B]
  Get:2 http://deb.debian.org/debian bookworm InRelease [177 kB]
  Err:1 https://MY_REPO_DOMAIN/public/debian/bookworm bookworm InRelease
    The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 221CA67104340B68
  Get:3 http://deb.debian.org/debian bookworm/main arm64 Packages [8909 kB]
  Reading package lists...
  W: GPG error: https://MY_REPO_DOMAIN/public/debian/bookworm bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 221CA67104340B68
  E: The repository 'http://MY_REPO_DOMAIN/public/debian/bookworm bookworm InRelease' is not signed.
  E: apt-get update --error-on=any -oAPT::Status-Fd=<$fd> -oDpkg::Use-Pty=false failed
  I: main() received signal PIPE: waiting for setup...
  E: mmdebstrap failed to run

This should work, but it doesn't. I used sysdig to confirm that
something is indeed looking in $PWD/keys/ and something is indeed
calling read() on the relevant key. I have also confirmed that if I copy
my keys to /etc/apt/trusted.gpg.d/ then it does work properly. But I
don't want to do that. Ideally I'd like mmdebstrap to grab all the keys
in $PWD/keys and add them to /etc/apt/trusted.gpg.d/ in the chroot, but
NOT on the host machine. Any clear way to do that? Any debugging tricks
I'm missing?

Thanks!

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (800, 'unstable'), (700, 'testing'), (500, 'unstable-debug'), (500, 'stable')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: armhf, armel

Kernel: Linux 6.1.0-2-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mmdebstrap depends on:
ii  apt      2.5.2
ii  perl     5.36.0-4
ii  python3  3.10.6-1

Versions of packages mmdebstrap recommends:
pn  arch-test            <none>
pn  fakechroot           <none>
ii  fakeroot             1.29-1
ii  gpg                  2.2.35-3
ii  libdistro-info-perl  1.1
ii  libdpkg-perl         1.21.19
ii  mount                2.38.1-1
pn  uidmap               <none>

Versions of packages mmdebstrap suggests:
pn  apt-transport-tor  <none>
ii  apt-utils          2.5.2
ii  binfmt-support     2.2.2-1
ii  ca-certificates    20211016
ii  debootstrap        1.0.127
ii  distro-info-data   0.54
ii  dpkg-dev           1.21.19
pn  genext2fs          <none>
ii  perl-doc           5.36.0-4
pn  qemu-user          <none>
ii  qemu-user-static   1:7.0+dfsg-7+b1
pn  squashfs-tools-ng  <none>

-- no debconf information
