ubuntu 18.04.5 LTS apt update "Unknown error executing apt-key"

Bug #1936299 reported by Raj Basnet
This bug affects 1 person
Affects: apt (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

I have some machines on AWS with Ubuntu 18.04.5 LTS but am unable to update the repository on the servers. When I try to update the repo, it throws an Unknown Keys error.

root# apt update
Get:1 http://deb.debian.org/debian unstable InRelease [161 kB]
Get:2 https://artifacts.elastic.co/packages/7.x/apt stable InRelease [10.4 kB]
Err:1 http://deb.debian.org/debian unstable InRelease
  Unknown error executing apt-key
Err:2 https://artifacts.elastic.co/packages/7.x/apt stable InRelease
  Unknown error executing apt-key
Get:3 http://ppa.launchpad.net/deadsnakes/ppa/ubuntu bionic InRelease [15.9 kB]
Get:4 http://apt.postgresql.org/pub/repos/apt bionic-pgdg InRelease [110 kB]
Err:3 http://ppa.launchpad.net/deadsnakes/ppa/ubuntu bionic InRelease
  Unknown error executing apt-key
Get:5 http://us.archive.ubuntu.com/ubuntu bionic InRelease [242 kB]
Get:6 http://security.ubuntu.com/ubuntu bionic-security InRelease [88.7 kB]
Err:4 http://apt.postgresql.org/pub/repos/apt bionic-pgdg InRelease
  Unknown error executing apt-key
Err:6 http://security.ubuntu.com/ubuntu bionic-security InRelease
  Unknown error executing apt-key
Err:5 http://us.archive.ubuntu.com/ubuntu bionic InRelease
  Unknown error executing apt-key
Get:7 https://repos.citusdata.com/community/ubuntu bionic InRelease [23.2 kB]
Err:7 https://repos.citusdata.com/community/ubuntu bionic InRelease
  Unknown error executing apt-key
Reading package lists... Done
W: GPG error: http://deb.debian.org/debian unstable InRelease: Unknown error executing apt-key
E: The repository 'http://deb.debian.org/debian unstable InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://artifacts.elastic.co/packages/7.x/apt stable InRelease: Unknown error executing apt-key
E: The repository 'http://ppa.launchpad.net/deadsnakes/ppa/ubuntu bionic InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://apt.postgresql.org/pub/repos/apt bionic-pgdg InRelease: Unknown error executing apt-key
E: The repository 'http://apt.postgresql.org/pub/repos/apt bionic-pgdg InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://security.ubuntu.com/ubuntu bionic-security InRelease: Unknown error executing apt-key
E: The repository 'http://us.archive.ubuntu.com/ubuntu bionic InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease: Unknown error executing apt-key
E: The repository 'http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: https://repos.citusdata.com/community/ubuntu bionic InRelease: Unknown error executing apt-key
E: The repository 'https://repos.citusdata.com/community/ubuntu bionic InRelease' is not signed.
N: Updating from such a repository can't be done securely and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

All servers are on AWS, and multiple servers are facing the same issue. I am unable to update the servers. I have spent many days troubleshooting this issue but did not find a solution.

But at last, I got this command:

echo 'APT::Sandbox::User "root";' >/etc/apt/apt.conf.d/00temp
It works, and now I can update the repository.

Q.1 Why do I have to run this command? Does anyone know the exact reason behind this?
Q.2 Is this a type of security hole?

tags: added: dist-upgrade patch upgrade-software-version
tags: added: bionic
Julian Andres Klode (juliank) wrote:

Make sure that _apt user can read all files in /etc/apt/trusted.gpg.d and /etc/apt/trusted.gpg and any key files you might have specified via signed-by in sources.list.

By disabling the sandboxing, it makes it easier for an attacker that controls the http server to make use of vulnerabilities in the HTTP, TLS, GPG stacks as they process this untrusted data as root instead of an unprivileged user (ok, there is another APT-specific escape hatch in the sandbox that also needs fixing, but still, improves security somewhat).

Changed in apt (Ubuntu):
status: New → Incomplete
Raj Basnet (rajkumarbasnet) wrote:

Could you explain the exact meaning of disabling the sandboxing? I'm not getting it.
Yes, the _apt user has read access and can read all files.

root@ip-10-0-0-144:/etc/apt/trusted.gpg.d# ls -l *
-rw-r--r-- 1 root root 2796 Mar 29 14:33 ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29 14:33 ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29 14:33 ubuntu-keyring-2018-archive.gpg
root@ip-10-0-0-144:/etc/apt/trusted.gpg.d# ls -l /etc/apt/trusted.gpg
-rw-r--r-- 1 root root 40254 Jul 15 07:26 /etc/apt/trusted.gpg
root@ip-10-0-0-144:/etc/apt/trusted.gpg.d#

It's a serious issue; please help if anyone has faced this issue.
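
Added example (not part of the bug report and not apt's own code): the check suggested above covers trusted.gpg, trusted.gpg.d and any signed-by keyrings, and a file is only readable by _apt if every parent directory is also searchable, which a listing of file modes does not show. The sketch below evaluates both from stat output; the function names are hypothetical, and it assumes _apt falls in the "other" permission class, GNU stat, and one-line-style sources.list entries.

```shell
#!/bin/sh
# Added example: list APT keyring files that the sandbox user cannot reach.
# Assumption: the sandbox user (_apt) is neither owner nor group member of these
# paths, so only the "other" permission bits matter; ACLs and LSMs are ignored.

# other_can PATH BIT: true if the "other" class has BIT (4 = read, 1 = search).
other_can() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    last=${mode#"${mode%?}"}            # final octal digit = "other" bits
    [ $(( $last & $2 )) -ne 0 ]
}

# reachable FILE [ROOT]: FILE is readable and every directory from its parent
# up to ROOT is searchable. A missing file counts as unreachable.
reachable() {
    f=$1; root=${2:-/}
    [ "$root" = / ] || root=${root%/}
    [ -f "$f" ] && other_can "$f" 4 || return 1
    d=$(dirname "$f")
    while other_can "$d" 1; do
        if [ "$d" = "$root" ] || [ "$d" = / ]; then return 0; fi
        d=$(dirname "$d")
    done
    return 1
}

# keyring_paths [ROOT]: trusted.gpg, trusted.gpg.d/* and every signed-by=/path
# found in one-line-style sources.list entries (commented lines skipped).
keyring_paths() {
    root=${1:-/}; root=${root%/}
    for f in "$root/etc/apt/trusted.gpg" "$root"/etc/apt/trusted.gpg.d/*; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
    cat "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list 2>/dev/null |
        grep -v '^[[:space:]]*#' |
        sed -n 's|.*signed-by=\(/[^] ,]*\).*|\1|p' |
        while read -r p; do printf '%s\n' "$root$p"; done
}

# unreadable_keyrings [ROOT]: print one path per keyring the sandbox user
# cannot read. ROOT defaults to /; a mounted image or chroot path also works.
unreadable_keyrings() {
    keyring_paths "$1" | while read -r k; do
        reachable "$k" "${1:-/}" || printf '%s\n' "$k"
    done
}
```

Calling unreadable_keyrings / on a live host prints nothing when every keyring passes; a reported path can be confirmed with the real identity by reading it via sudo -u _apt.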

Launchpad Janitor (janitor) wrote:

[Expired for apt (Ubuntu) because there has been no activity for 60 days.]

Changed in apt (Ubuntu):
status: Incomplete → Expired