
Bug#1038915: marked as done (Bookworm APT-GET Security Public Keys)



Your message dated Fri, 23 Jun 2023 07:19:51 +0200
with message-id <20230623051951.xie2fdq4eawj2mmu@crossbow>
and subject line Re: Bug#1038915: Bookworm APT-GET Security Public Keys
has caused the Debian Bug report #1038915,
regarding Bookworm APT-GET Security Public Keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1038915: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1038915
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---

Package: apt
Version: 2.6.1
X-Debbugs-CC: lzi2@cdc.gov, ptd2@cdc.gov, tyf3@cdc.gov, oez2@cdc.gov

When I attempt to deploy a container while using the debian:latest (Bookworm) image, I execute the apt-get update command which gives me an error message involving the absence of a certain group of public keys.

 

 

Step 14/30 : RUN apt-get -y update
---> Running in eb6228890f3c
Get:1 http://deb.debian.org/debian bookworm InRelease [147 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Err:1 http://deb.debian.org/debian bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Err:2 http://deb.debian.org/debian bookworm-updates InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
Err:3 http://deb.debian.org/debian-security bookworm-security InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
Reading package lists...
W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
E: The repository 'http://deb.debian.org/debian bookworm InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
E: The repository 'http://deb.debian.org/debian bookworm-updates InRelease' is not signed.
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
E: The repository 'http://deb.debian.org/debian-security bookworm-security InRelease' is not signed.
E: Problem executing scripts APT::Update::Post-Invoke 'rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true'
E: Sub-process returned an error code
The command '/bin/sh -c apt-get -y update' returned a non-zero code: 100
Cleaning up file based variables
00:00
ERROR: Job failed: exit code 100

 

 

I was not expecting to encounter this error. Instead, I was expecting the apt package to successfully update itself.

Kernel Version: 5.4.17-2136.320.7.el7uek.x86_64 #2 SMP Mon Jun 5 15:18:50 PDT 2023 x86_64 GNU/Linux

Shared C Library: /lib/x86_64-linux-gnu/libc.so.6

Best,

Shreyas


--- End Message ---
--- Begin Message ---
On Fri, Jun 23, 2023 at 02:03:15AM +0000, Shahi, Shreyas (CDC/DDPHSS/CSELS/DHIS) (CTR) wrote:
> Package: apt
> Version: 2.6.1

Are you sure or is that just a guess on your part? As 2.6.1 is part of
bookworm you have a somewhat hard time to get it before upgrading to it…


> When I attempt to deploy a container while using the debian:latest (Bookworm) image, I execute the apt-get update command which gives me an error message involving the absence of a certain group of public keys.
> 
> Step 14/30 : RUN apt-get -y update

Your problem is not in Step 14 even if that one is the one spewing
errors. The mentioned keys are not shipped by apt, but by
debian-archive-keyring and as the archive is still (also) signed
by the 'Debian Archive Automatic Signing Key (10/buster)' from 2019
your base image (or whatever it's called, I am not using Docker) is too
old to upgrade to bookworm (Debian does not support skipping releases,
especially not multiple ones from ??? -> skipping buster & bullseye
directly to -> bookworm).

If that is not it, it could of course also be that the image is broken;
the keys should be in /etc/apt/trusted.gpg.d with names like
debian-archive-bullseye-automatic.asc nowadays. Might be *.gpg in
older releases. Symlinks in even older ones.


> Kernel Version: 5.4.17-2136.320.7.el7uek.x86_64 #2 SMP Mon Jun 5 15:18:50 PDT 2023 x86_64 GNU/Linux

Lastly, having a casual browse through
https://github.com/debuerreotype/docker-debian-artifacts
(which is the source for the Debian docker images you are using)
especially in the [closed] issues is suggesting that docker is not as
isolated as you would hope – as in, newer images (that isn't specific to
Debian) might use newer syscalls than the host kernel provides or
docker (and related tools) support, especially in terms of seccomp
filtering. So you might need to upgrade your host first…
e.g. https://github.com/debuerreotype/docker-debian-artifacts/issues/187
although that triggers slightly different errors, but a whole lot of
different ones get basically the same response, so…


In either case, apt's buglist is not a support forum for Docker nor for
Docker on Oracle Linux 7 (which seems to be your host based on the
kernel version), so I am closing as not a bug (in apt).


Best regards

David Kalnischkies



--- End Message ---
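
Added example (not part of either message, and not code from apt or Debian): a shell triage for the two explanations given in the reply. It lists the key IDs apt reported as missing and checks whether archive key files exist in a trusted.gpg.d-style directory. The function names are hypothetical; the sample log lines are the three warnings from the report.

```shell
#!/bin/sh
# Added example; function names are hypothetical, log lines are from the report.

# Print each unique key ID named in NO_PUBKEY errors read on stdin.
missing_key_ids() {
    grep -o 'NO_PUBKEY [0-9A-F]\{16\}' | awk '{print $2}' | LC_ALL=C sort -u
}

# Classify a trusted.gpg.d-style directory:
#   absent     - no debian-archive-* key files (image too old or broken)
#   unreadable - entries exist but none is a readable, non-empty file
#                (e.g. a dangling symlink)
#   present    - readable key files exist, so look at the host/runtime next
keyring_state() {
    dir=$1
    found=0
    readable=0
    for f in "$dir"/debian-archive-*.asc "$dir"/debian-archive-*.gpg; do
        # An unmatched glob stays literal and fails both tests.
        if [ ! -e "$f" ] && [ ! -L "$f" ]; then continue; fi
        found=$((found + 1))
        if [ -r "$f" ] && [ -s "$f" ]; then readable=$((readable + 1)); fi
    done
    if [ "$found" -eq 0 ]; then echo absent
    elif [ "$readable" -eq 0 ]; then echo unreadable
    else echo present
    fi
}

# The three "W: GPG error" lines from the report.
sample_log() {
    cat <<'EOF'
W: GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 648ACFD622F3D138 NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY F8D2585B8783D481
W: GPG error: http://deb.debian.org/debian bookworm-updates InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131
W: GPG error: http://deb.debian.org/debian-security bookworm-security InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 54404762BBB6E853 NO_PUBKEY BDE6D2B9216EC7A8
EOF
}

# Stand-alone run: key IDs apt complained about, then the local keyring state.
sample_log | missing_key_ids
echo "keyring state: $(keyring_state /etc/apt/trusted.gpg.d)"
```

Run inside the failing image, "absent" or "unreadable" matches the old-or-broken-image explanation, while "present" alongside the same NO_PUBKEY errors points toward the host and container runtime.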
