--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: pbuilder: Hard to avoid debootstrap failure, Release signed by unknown key (key id AED4B06F473041FA)
- From: Jack Bates <ms419@freezone.co.uk>
- Date: Fri, 18 Feb 2011 19:34:46 -0800
- Message-id: <20110219033446.23525.8618.reportbug@selene>
Package: pbuilder
Version: 0.199+nmu1
Severity: wishlist
My situation is that I'm trying to build some packages for Debian unstable, on
an Ubuntu system, using cowbuilder
To create base.cow image, I first tried,
$ sudo cowbuilder --create --distribution unstable --mirror http://mirrors.kernel.org/debian/
[...]
E: Release signed by unknown key (key id AED4B06F473041FA)
Guessing that I was missing the debian-archive-keyring package, I installed it
and tried again, with same result. I double checked that the
debian-archive-keyring package includes key id AED4B06F473041FA
By studying the debootstrap manpage I learned that, "By default, Release file
signatures are not checked". I used the cowbuilder "--debug" option to find the
"--keyring" option passed to debootstrap, and configured in
/usr/share/pbuilder/pbuilderrc
Next I tried to omit the debootstrap "--keyring" option using the cowbuilder
"--debootstrapopts" option, without success - it's apparently appended to value
from /usr/share/pbuilder/pbuilderrc, in pbuilder-checkparams
Next I tried to omit the debootstrap "--keyring" option using a ~/.pbuilderrc
file,
DEBOOTSTRAPOPTS=--variant=buildd
This failed because sudo resets the environment ($HOME),
W: /root/.pbuilderrc does not exist
Next I tried,
$ sudo sh -c "HOME=$HOME cowbuilder --create --distribution unstable --mirror http://mirrors.kernel.org/debian/"
[...]
E: Release signed by unknown key (key id AED4B06F473041FA)
This failed to omit the "--keyring" option. My bash knowledge isn't strong -
maybe it's possible to have two variables with same name, one a scalar and one
a "list"? I tried,
DEBOOTSTRAP=(--variant=buildd)
This worked! It omitted the "--keyring" option and the base.cow image built
successfully. However it's prohibitively difficult to figure out
If the "--debootstrapopts" option overrode DEBOOTSTRAPOPTS in
/usr/share/pbuilder/pbuilderrc, then it would be little easier to figure out.
If installing debian-archive-keyring was all that was required, I'd be done
after my first guess - maybe debootstrap could look in both keyrings? or in
some merged keyring? I dunno...
As I write this I found Ubuntu bug,
https://bugs.launchpad.net/ubuntu/+source/pbuilder/+bug/599695. Unfortunately I
didn't check the Ubuntu bug tracker before trying to debug my issue - I did
check the Debian bug tracker but didn't find my issue mentioned
-- System Information:
Debian Release: 6.0
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages pbuilder depends on:
ii coreutils 8.5-1 GNU core utilities
ii debconf [debconf-2.0] 1.5.38 Debian configuration management sy
ii debianutils 3.4.3 Miscellaneous utilities specific t
ii debootstrap 1.0.26 Bootstrap a basic Debian system
ii wget 1.12-2.1 retrieves files from the web
Versions of packages pbuilder recommends:
ii devscripts 2.10.69 scripts to make the life of a Debi
ii fakeroot 1.14.5-1 Gives a fake root environment
ii sudo 1.7.4p4-6 Provide limited super user privile
Versions of packages pbuilder suggests:
ii cowdancer 0.62+nmu2 Copy-on-write directory tree utili
ii gdebi-core 0.6.4 Simple tool to install deb files
pn pbuilder-uml <none> (no description available)
-- debconf information:
pbuilder/mirrorsite: http://mirrors.kernel.org/debian/
pbuilder/nomirror:
pbuilder/rewrite: false
--- End Message ---
--- Begin Message ---
- To: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>, 614029-done@bugs.debian.org
- Subject: Re: Bug#614029: pbuilder: Hard to avoid debootstrap failure, Release signed by unknown key (key id AED4B06F473041FA)
- From: Julien Cristau <jcristau@debian.org>
- Date: Sun, 13 Nov 2016 17:56:38 -0800
- Message-id: <20161114015638.oqpfxshaaoljkbqk@tomate.cristau.org>
- In-reply-to: <20120604161322.27705.87162.reportbug@localhost.localdomain>
- References: <20120604161322.27705.87162.reportbug@localhost.localdomain>
On Mon, Jun 04, 2012 at 06:13:22PM +0200, John Paul Adrian Glaubitz wrote:
> Package: pbuilder
> Version: 0.210
> Followup-For: Bug #614029
>
> reassign: 614029 debootstrap
>
> Hi,
>
> the problem seems to result from the fact that debootstrap looks for the
> archive signing keys at the wrong place. The current version of debootstrap
> looks for these key in /etc/apt/trusted.gpg. However, the keys for the
> Debian archives have been moved into the subdirectory /etc/apt/trusted.gpg.d
> with the upcoming Debian Wheezy.
>
As far as I can tell debootstrap has been looking at
/usr/share/keyrings/debian-archive-keyring.gpg ever since gpg
verification was added, so I'm not sure where the above comes from.
Closing.
Cheers,
Julien
--- End Message ---