This still seems to exist in the current release of Xenial; setting the
sandbox user to root bypasses the problem, leaving it at the default
means any cron job that calls 'apt-get update' breaks, because gpgv
exits with error 2 (unexpected error), which leads to a failure of the
'apt-key' action being executed.

The difference, as far as I can tell thus far, seems to be in that the
'_apt' user cannot read the 'pubring.gpg' file that is being created in
a temporary directory, which means that gpgv cannot access it when it
runs;

==
[pid 10149] stat("/etc/apt/trusted.gpg", {st_mode=S_IFREG|0644, st_size=12255, ...}) = 0
[pid 10149] faccessat(AT_FDCWD, "/etc/apt/trusted.gpg", R_OK) = 0
[pid 10149] open("/tmp/tmp.OcaWlGuT32/pubring.gpg", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid 10149] write(2, "/usr/bin/apt-key: 309: /usr/bin/"..., 41) = 41
[pid 10149] write(2, "cannot create /tmp/tmp.OcaWlGuT3"..., 64) = 64
==

This problem does not occur when root is the sandbox user, set via
'APT::Sandbox::User "root";' in '/etc/apt/apt.conf'. It's the only
setting present. Disable that setting and the problem returns, while
running the same thing interactively works without any issues.

I'm a bit stumped, at this point, pausing my investigation for now, but
logging it here in case someone else runs into this.

The warning we're seeing looks as follows;

==
W: An error occurred during the signature verification. The repository is not updated and the previous index files will be used. GPG error: https://apt-cache.domain.example/cache/us-east-1.ec2.archive.ubuntu.com/ubuntu xenial InRelease: Unknown error executing apt-key
==

Using the HTTPS transport to a local cache, fresh Xenial install based
on the official AMI, on AWS.
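Added diagnostic example (not code from this bug report, from apt or from strace): a small Python parser for an strace -f excerpt like the one quoted above. It pulls out every path-bearing syscall that returned an error and flags the ones that were trying to create or write a file, which is the pattern a sandboxed-user permission problem like this one leaves behind in a trace. The sample lines are the ones quoted above, re-joined; the list of path-taking syscalls and the write-flag heuristic are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the strace -f excerpt quoted in the comment above, with the
# wrapped lines re-joined so each syscall sits on one line.
SAMPLE_TRACE = """\
[pid 10149] stat("/etc/apt/trusted.gpg", {st_mode=S_IFREG|0644, st_size=12255, ...}) = 0
[pid 10149] faccessat(AT_FDCWD, "/etc/apt/trusted.gpg", R_OK) = 0
[pid 10149] open("/tmp/tmp.OcaWlGuT32/pubring.gpg", O_WRONLY|O_CREAT|O_APPEND, 0666) = -1 EACCES (Permission denied)
[pid 10149] write(2, "/usr/bin/apt-key: 309: /usr/bin/"..., 41) = 41
[pid 10149] write(2, "cannot create /tmp/tmp.OcaWlGuT3"..., 64) = 64
"""

# One strace line: optional "[pid N]" prefix, call(args) = ret [ERRNO (message)].
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+)?'
    r'(?P<call>\w+)\((?P<args>.*)\)\s+=\s+'
    r'(?P<ret>-?\d+|\?)'
    r'(?:\s+(?P<errno>E[A-Z0-9]+)\s+\((?P<errmsg>[^)]*)\))?\s*$'
)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Syscalls whose first quoted argument is a filesystem path (assumed subset).
PATH_CALLS = {"open", "openat", "creat", "stat", "lstat", "access",
              "faccessat", "readlink", "unlink", "mkdir", "rename"}
# open()-style flags that mean the call would create or modify the file.
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_APPEND", "O_TRUNC")


@dataclass
class SyscallEvent:
    pid: Optional[int]
    call: str
    path: Optional[str]   # None for calls whose arguments are not a path
    ret: int
    errno: Optional[str]  # e.g. "EACCES"; None when the call succeeded
    for_write: bool       # open/creat that would create or modify the file


def parse_line(line: str) -> Optional[SyscallEvent]:
    """Parse one strace line; None for unfinished/resumed or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("ret") == "?":
        return None
    call, args = m.group("call"), m.group("args")
    path = None
    if call in PATH_CALLS:
        q = QUOTED_RE.search(args)
        path = q.group(1) if q else None
    for_write = call == "creat" or (
        call in ("open", "openat") and any(f in args for f in WRITE_FLAGS))
    return SyscallEvent(
        pid=int(m.group("pid")) if m.group("pid") else None,
        call=call, path=path, ret=int(m.group("ret")),
        errno=m.group("errno"), for_write=for_write)


def failed_path_accesses(trace: str) -> List[SyscallEvent]:
    """Every path-bearing syscall in the trace that returned an error, in order."""
    events = (parse_line(ln) for ln in trace.splitlines())
    return [e for e in events if e and e.path is not None and e.ret < 0]


def denied_writes(trace: str) -> List[str]:
    """Paths the traced process was refused permission to create or write."""
    return [e.path for e in failed_path_accesses(trace)
            if e.errno in ("EACCES", "EPERM") and e.for_write]


def report(trace: str) -> str:
    """Human-readable list of failed path accesses, one per line."""
    lines = []
    for e in failed_path_accesses(trace):
        kind = "write/create" if e.for_write else "read/stat"
        lines.append(f"pid {e.pid}: {e.call} {kind} {e.path} -> {e.errno}")
    return "\n".join(lines) or "no failed path accesses"


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

On the sample, the only failure is the open() of pubring.gpg under the mktemp directory with O_WRONLY|O_CREAT, which is why the earlier faccessat on /etc/apt/trusted.gpg succeeding tells you nothing about whether the sandbox user can do what apt-key needs next.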

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1577926

Title:
  apt-key works fine, yet apt fails with "Could not execute 'apt-key'"

Status in apt package in Ubuntu:
  Confirmed

Bug description:
  Apt can fail to verify a Release file which verifies just fine when
  calling apt-key directly.

  Please advise how I can supply further debug information to help fix
  the underlying bug.

  Expected:
  apt-get should only report that a repository is not signed when no such signature was found.
  If a signature was in fact successfully acquired but not verified, apt-get should report failure to verify instead.
  apt-get should have a meaningful error message when calling apt-key fails.

  Bonus:
  Calling apt-key should not fail when the same thing works fine on command line.
  A reference to "Debug::Acquire::gpgv" should be in apt-secure(8) documentation.

  Observed:

  # uname -a
  Linux hostname 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
  # chroot reproducible
  $ uname -a
  Linux hostname 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 armv7l armv7l armv7l GNU/Linux

  $ lsb_release -a 2>/dev/null
  Distributor ID:       Ubuntu
  Description:  Ubuntu 16.04 LTS
  Release:      16.04
  Codename:     xenial

  $ apt-get -o "Debug::Acquire::gpgv=true" update
  Get:1 http://ports.ubuntu.com xenial-security InRelease [92.2 kB]
  0% [1 InRelease gpgv 92.2 kB]igners 
  Preparing to exec:  /usr/bin/apt-key --quiet --readonly verify --status-fd 3 /tmp/apt.sig.jYGUCG /tmp/apt.data.uTkX1c
  gpgv exited with status 111
  Summary:
    Good: 
    Bad: 
    Worthless: 
    SoonWorthless: 
    NoPubKey: 
  Ign:1 http://ports.ubuntu.com xenial-security InRelease
  Fetched 92.2 kB in 1s (79.5 kB/s)
  Reading package lists... Done
  W: GPG error: http://ports.ubuntu.com xenial-security InRelease: Could not execute 'apt-key' to verify signature (is gnupg installed?)
  W: The repository 'http://ports.ubuntu.com xenial-security InRelease' is not signed.
  N: Data from such a repository can't be authenticated and is therefore potentially dangerous to use.
  N: See apt-secure(8) manpage for repository creation and user configuration details.

  $ /usr/bin/apt-key --quiet --readonly verify --status-fd /dev/stderr /tmp/apt.sig.jYGUCG /tmp/apt.data.uTkX1c
  gpgv: Signature made Tue May  3 19:02:17 2016 UTC using DSA key ID 437D05B5
  [GNUPG:] SIG_ID e53PXRjA/EMb7CuZJtAicvvUm60 2016-05-03 1462302137
  [GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmas...@ubuntu.com>
  gpgv: Good signature from "Ubuntu Archive Automatic Signing Key <ftpmas...@ubuntu.com>"
  [GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2016-05-03 1462302137 0 4 0 17 10 01 630239CC130E1A7FD81A27B140976EAF437D05B5
  gpgv: Signature made Tue May  3 19:02:17 2016 UTC using RSA key ID C0B21F32
  [GNUPG:] SIG_ID kCsrLo9VUm7YcYhhqQUw2fbWoY4 2016-05-03 1462302137
  [GNUPG:] GOODSIG 3B4FE6ACC0B21F32 Ubuntu Archive Automatic Signing Key (2012) <ftpmas...@ubuntu.com>
  gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmas...@ubuntu.com>"
  [GNUPG:] VALIDSIG 790BC7277767219C42C86F933B4FE6ACC0B21F32 2016-05-03 1462302137 0 4 0 1 10 01 790BC7277767219C42C86F933B4FE6ACC0B21F32
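Added example, not code from the bug report or from apt: a Python parser for gpgv --status-fd output that fills the same Good / Bad / Worthless / SoonWorthless / NoPubKey buckets apt prints in its debug summary above, and then separates the three outcomes the "Expected" section asks apt to tell apart (no signature found, signature present but not verified, verification tool failed). The sample input is the gpgv output quoted in the bug description; the keyword-to-bucket mapping and the digest thresholds are assumptions made for this example, not taken from apt's source.

```python
from typing import Dict, List

# Constructed sample: the gpgv output quoted in the bug description above. The
# status lines were sent to /dev/stderr there, so they are interleaved with
# gpgv's human-readable messages; the elided mail address is kept as shown.
SAMPLE_STATUS_OUTPUT = """\
gpgv: Signature made Tue May  3 19:02:17 2016 UTC using DSA key ID 437D05B5
[GNUPG:] SIG_ID e53PXRjA/EMb7CuZJtAicvvUm60 2016-05-03 1462302137
[GNUPG:] GOODSIG 40976EAF437D05B5 Ubuntu Archive Automatic Signing Key <ftpmas...@ubuntu.com>
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key <ftpmas...@ubuntu.com>"
[GNUPG:] VALIDSIG 630239CC130E1A7FD81A27B140976EAF437D05B5 2016-05-03 1462302137 0 4 0 17 10 01 630239CC130E1A7FD81A27B140976EAF437D05B5
gpgv: Signature made Tue May  3 19:02:17 2016 UTC using RSA key ID C0B21F32
[GNUPG:] SIG_ID kCsrLo9VUm7YcYhhqQUw2fbWoY4 2016-05-03 1462302137
[GNUPG:] GOODSIG 3B4FE6ACC0B21F32 Ubuntu Archive Automatic Signing Key (2012) <ftpmas...@ubuntu.com>
gpgv: Good signature from "Ubuntu Archive Automatic Signing Key (2012) <ftpmas...@ubuntu.com>"
[GNUPG:] VALIDSIG 790BC7277767219C42C86F933B4FE6ACC0B21F32 2016-05-03 1462302137 0 4 0 1 10 01 790BC7277767219C42C86F933B4FE6ACC0B21F32
"""

STATUS_PREFIX = "[GNUPG:] "
BUCKETS = ("Good", "Bad", "Worthless", "SoonWorthless", "NoPubKey")

# RFC 4880 hash-algorithm ids, as reported in the hash-algo field of VALIDSIG.
# Which ids count as weak is an assumption for this example, not apt's policy.
WORTHLESS_DIGESTS = {1}        # MD5: treat the signature as giving no assurance
SOON_WORTHLESS_DIGESTS = {2}   # SHA1: still counted as good, but flagged


def summarize(status_output: str, exit_status: int = 0) -> Dict[str, List[str]]:
    """Bucket gpgv --status-fd lines into the categories apt's debug summary lists.

    Keywords not handled here (SIG_ID, ERRSIG, ...) are ignored.
    """
    summary: Dict[str, List[str]] = {b: [] for b in BUCKETS}
    summary["Errors"] = []
    saw_status = False
    for raw in status_output.splitlines():
        line = raw.strip()
        if not line.startswith(STATUS_PREFIX):
            continue  # gpgv's own stderr chatter, not machine-readable status
        saw_status = True
        fields = line[len(STATUS_PREFIX):].split()
        kw = fields[0]
        arg = fields[1] if len(fields) > 1 else ""
        if kw == "GOODSIG":
            summary["Good"].append(arg)            # arg is the long key id
        elif kw == "BADSIG":
            summary["Bad"].append(arg)
        elif kw == "NO_PUBKEY":
            summary["NoPubKey"].append(arg)
        elif kw in ("EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            summary["Worthless"].append(arg)
        elif kw == "VALIDSIG" and len(fields) > 8:
            # VALIDSIG <fpr> <date> <ts> <expiry> <ver> <reserved> <pk-algo> <hash-algo> ...
            fpr, hash_algo = arg, int(fields[8])
            # The long key id GOODSIG reported is the last 16 hex digits of the fingerprint.
            matching = [k for k in summary["Good"] if fpr.endswith(k)]
            if not matching:
                continue
            keyid = matching[-1]
            if hash_algo in WORTHLESS_DIGESTS:
                summary["Good"].remove(keyid)
                summary["Worthless"].append(keyid)
            elif hash_algo in SOON_WORTHLESS_DIGESTS:
                summary["SoonWorthless"].append(keyid)
    if exit_status != 0 and not saw_status:
        # The case in the bug: gpgv died (status 111) before emitting any status line,
        # so every bucket is empty and the failure is the tool's, not the signature's.
        summary["Errors"].append(
            f"gpgv exited with status {exit_status} without status output")
    return summary


def verdict(summary: Dict[str, List[str]]) -> str:
    """Separate the outcomes the bug's 'Expected' section asks apt to distinguish."""
    if summary["Errors"]:
        return "verification tool failed"
    if summary["Good"]:
        return "verified"
    if any(summary[b] for b in ("Bad", "Worthless", "SoonWorthless", "NoPubKey")):
        return "signature present but not verified"
    return "no signature found"


if __name__ == "__main__":
    s = summarize(SAMPLE_STATUS_OUTPUT)
    for b in BUCKETS:
        print(f"  {b}: {' '.join(s[b])}")
    print(verdict(s))
    print(verdict(summarize("", exit_status=111)))
```

Run on the quoted output it lists both archive key ids under Good and reports "verified"; fed an empty status stream with exit status 111, as in the apt run above, it reports "verification tool failed" rather than "not signed", which is the distinction the report asks for.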

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1577926/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
