Ubuntu

apt authentication failing when using config in chroot path

Reported by Wookey on 2010-09-24
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apt (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: apt

This procedure (actually generated by multistrap when doing multistrap --configfile=/usr/share/multistrap/ubuntu/armel.conf ) used to work fine with apt prior to v0.8.
Now it fails. Something has changed about how authentication works.

after sudo apt-get -y -o Apt::Architecture=amd64 -o Apt::Get::Download-Only=true -o Apt::Install-Recommends=false -o Dir=/var/lib/pdebuild-cross/build/ -o Dir::Etc=/var/lib/pdebuild-cross/build/etc/apt/ -o Dir::State=/var/lib/pdebuild-cross/build/var/lib/apt/ -o Dir::State::Status=/var/lib/pdebuild-cross/build/var/lib/dpkg/status -o Dir::Cache=/var/lib/pdebuild-cross/build/var/cache/apt/ update

this fails:
sudo apt-get -y -o Apt::Architecture=amd64 -o Apt::Get::Download-Only=true -o Apt::Install-Recommends=false -o Dir=/var/lib/pdebuild-cross/build/ -o Dir::Etc=/var/lib/pdebuild-cross/build/etc/apt/ -o Dir::State=/var/lib/pdebuild-cross/build/var/lib/apt/ -o Dir::State::Status=/var/lib/pdebuild-cross/build/var/lib/dpkg/status -o Dir::Cache=/var/lib/pdebuild-cross/build/var/cache/apt/ install aptitude

this is the subseqent output
Reading package lists... Done
Building dependency tree... Done
The following extra packages will be installed:
  apt coreutils debconf debconf-i18n dpkg findutils gcc-4.5-base libacl1 libattr1 libboost-iostreams1.42.0 libbz2-1.0 libc-bin libc6 libcwidget3 libept1
  libgcc1 liblocale-gettext-perl liblzma2 libncursesw5 libselinux1 libsigc++-2.0-0c2a libsqlite3-0 libstdc++6 libtext-charwidth-perl libtext-iconv-perl
  libtext-wrapi18n-perl libxapian15 perl-base tzdata xz-utils zlib1g
Suggested packages:
  dpkg-dev apt-doc bzip2 lzma python-apt aptitude-doc-en aptitude-doc tasksel debtags debconf-doc debconf-utils whiptail dialog gnome-utils
  libterm-readline-gnu-perl libgnome2-perl libnet-ldap-perl mlocate locate slocate glibc-doc locales libcwidget-dev xapian-tools
Recommended packages:
  ubuntu-keyring gpg sensible-utils apt-xapian-index libparse-debianchangelog-perl apt-utils libgpm2
The following NEW packages will be installed:
  apt aptitude coreutils debconf debconf-i18n dpkg findutils gcc-4.5-base libacl1 libattr1 libboost-iostreams1.42.0 libbz2-1.0 libc-bin libc6 libcwidget3
  libept1 libgcc1 liblocale-gettext-perl liblzma2 libncursesw5 libselinux1 libsigc++-2.0-0c2a libsqlite3-0 libstdc++6 libtext-charwidth-perl
  libtext-iconv-perl libtext-wrapi18n-perl libxapian15 perl-base tzdata xz-utils zlib1g
0 upgraded, 32 newly installed, 0 to remove and 0 not upgraded.
Need to get 15.9MB/19.9MB of archives.
After this operation, 68.8MB of additional disk space will be used.
WARNING: The following packages cannot be authenticated!
  libc-bin gcc-4.5-base libbz2-1.0 libselinux1 zlib1g libattr1 libacl1 coreutils liblzma2 xz-utils dpkg perl-base liblocale-gettext-perl libtext-iconv-perl
  libtext-charwidth-perl libtext-wrapi18n-perl debconf-i18n debconf tzdata findutils libc6 libgcc1 libstdc++6 apt libsqlite3-0 libncursesw5
  libboost-iostreams1.42.0 libsigc++-2.0-0c2a libcwidget3 libxapian15 libept1 aptitude
E: There are problems and -y was used without --force-yes

So for some reason apt is not able to authenticate packages

If we add the 'alloowunauthenticated' option then everything is fine:
sudo apt-get -y -o Apt::Get::AllowUnauthenticated=true -o Apt::Architecture=amd64 -o Apt::Get::Download-Only=true -o Apt::Install-Recommends=false -o Dir=/var/lib/pdebuild-cross/build/ -o Dir::Etc=/var/lib/pdebuild-cross/build/etc/apt/ -o Dir::State=/var/lib/pdebuild-cross/build/var/lib/apt/ -o Dir::State::Status=/var/lib/pdebuild-cross/build/var/lib/dpkg/status -o Dir::Cache=/var/lib/pdebuild-cross/build/var/cache/apt/ install aptitude
<proceeds and installs packages>

the referred-to config directories contains this:

$ ls -lR /var/lib/pdebuild-cross/build/etc/apt/
/var/lib/pdebuild-cross/build/etc/apt/:
total 8
drwxr-xr-x 2 root root 4096 Sep 23 23:28 preferences.d
drwxr-xr-x 2 root root 4096 Sep 23 23:28 sources.list.d

/var/lib/pdebuild-cross/build/etc/apt/preferences.d:
total 0

/var/lib/pdebuild-cross/build/etc/apt/sources.list.d:
total 8
-rw-r--r-- 1 root root 160 Sep 23 23:28 multistrap-ubuntu.list
-rw-r--r-- 1 root root 124 Sep 23 23:28 multistrap-ubuntutoolchains.list

$ ls -lR /var/lib/pdebuild-cross/build/var/
/var/lib/pdebuild-cross/build/var/:
total 8
drwxr-xr-x 3 root root 4096 Sep 23 23:28 cache
drwxr-xr-x 4 root root 4096 Sep 23 23:28 lib

/var/lib/pdebuild-cross/build/var/cache:
total 4
drwxr-xr-x 3 root root 4096 Sep 24 00:31 apt

/var/lib/pdebuild-cross/build/var/cache/apt:
total 32464
drwxr-xr-x 3 root root 4096 Sep 24 00:24 archives
-rw-r--r-- 1 root root 16626303 Sep 24 00:31 pkgcache.bin
-rw-r--r-- 1 root root 16626224 Sep 24 00:31 srcpkgcache.bin

/var/lib/pdebuild-cross/build/var/cache/apt/archives:
total 4
drwxr-xr-x 2 root root 4096 Sep 24 00:23 partial

/var/lib/pdebuild-cross/build/var/cache/apt/archives/partial:
total 0

/var/lib/pdebuild-cross/build/var/lib:
total 8
drwxr-xr-x 3 root root 4096 Sep 23 23:28 apt
drwxr-xr-x 6 root root 4096 Sep 23 23:28 dpkg

/var/lib/pdebuild-cross/build/var/lib/apt:
total 4
drwxr-xr-x 3 root root 4096 Sep 24 00:31 lists

/var/lib/pdebuild-cross/build/var/lib/apt/lists:
total 94652
-rw-r--r-- 1 root root 9358039 Sep 23 23:11 archive.ubuntu.com_ubuntu_dists_maverick_main_binary-amd64_Packages
-rw-r--r-- 1 root root 9356729 Sep 23 23:14 archive.ubuntu.com_ubuntu_dists_maverick_main_binary-i386_Packages
-rw-r--r-- 1 root root 3788437 Sep 23 23:17 archive.ubuntu.com_ubuntu_dists_maverick_main_source_Sources
-rw-r--r-- 1 root root 28653989 Sep 23 23:12 archive.ubuntu.com_ubuntu_dists_maverick_universe_binary-amd64_Packages
-rw-r--r-- 1 root root 28717920 Sep 23 23:15 archive.ubuntu.com_ubuntu_dists_maverick_universe_binary-i386_Packages
-rw-r--r-- 1 root root 17034589 Sep 23 23:19 archive.ubuntu.com_ubuntu_dists_maverick_universe_source_Sources
-rw-r----- 1 root root 0 Sep 24 00:31 lock
drwxr-xr-x 2 root root 4096 Sep 24 00:31 partial

/var/lib/pdebuild-cross/build/var/lib/apt/lists/partial:
total 60
-rw-r--r-- 1 root root 57251 Sep 23 23:19 archive.ubuntu.com_ubuntu_dists_maverick_Release
-rw-r--r-- 1 root root 198 Sep 23 23:19 archive.ubuntu.com_ubuntu_dists_maverick_Release.gpg

/var/lib/pdebuild-cross/build/var/lib/dpkg:
total 16
drwxr-xr-x 2 root root 4096 Sep 23 23:28 alternatives
-rw-r--r-- 1 root root 0 Sep 23 23:28 diversions
drwxr-xr-x 2 root root 4096 Sep 23 23:28 info
-rw-r--r-- 1 root root 0 Sep 23 23:28 lock
drwxr-xr-x 2 root root 4096 Sep 23 23:28 parts
-rw-r--r-- 1 root root 0 Sep 23 23:28 statoverride
-rw-r--r-- 1 root root 0 Sep 23 23:28 status
drwxr-xr-x 2 root root 4096 Sep 23 23:28 updates

/var/lib/pdebuild-cross/build/var/lib/dpkg/alternatives:
total 0

/var/lib/pdebuild-cross/build/var/lib/dpkg/info:
total 0

/var/lib/pdebuild-cross/build/var/lib/dpkg/parts:
total 0

/var/lib/pdebuild-cross/build/var/lib/dpkg/updates:
total 0

Adding a /var/lib/pdebuild-cross/build/etc/apt/trusted.gpg.d dir
and copying /etc/apt/trusted.gpg into /var/lib/pdebuild-cross/build/etc/apt/trusted.gpg
doesn't fix the problem.

So I'm not sure what's changed over the old apt version which means the command no longer works. Something about authentication, clearly. I guess some extra setting is needed or some copying/configuring of keys/keyrings into the target apt config?

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: apt 0.8.3ubuntu4
Uname: Linux 2.6.32-5-amd64 x86_64
NonfreeKernelModules: snd_seq_dummy tun sco parport_pc bridge ppdev stp lp parport bnep rfcomm l2cap input_polldev binfmt_misc uinput fuse ext3 jbd loop snd_hda_codec_conexant btusb bluetooth snd_hda_intel snd_hda_codec arc4 snd_hwdep ecb snd_pcm_oss snd_mixer_oss iwlagn snd_pcm iwlcore snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq i915 snd_timer snd_seq_device drm_kms_helper mac80211 drm snd cfg80211 soundcore thinkpad_acpi i2c_i801 i2c_algo_bit snd_page_alloc rfkill i2c_core led_class psmouse serio_raw pcspkr nvram video wmi output evdev button ac battery processor ext4 mbcache jbd2 crc16 sha256_generic aes_x86_64 aes_generic cbc dm_crypt dm_mod sd_mod crc_t10dif uhci_hcd ahci libata ehci_hcd scsi_mod thermal thermal_sys e1000e usbcore nls_base
Architecture: amd64
Date: Fri Sep 24 00:15:14 2010
ProcEnviron:
 SHELL=/bin/bash
 PATH=(custom, no user)
SourcePackage: apt

Wookey (wookey) wrote :
Wookey (wookey) wrote :

A possibly related problem is that if one uses the package/suite syntax that gives an error saying that the suite cannot be found:

sudo apt-get -y -o Apt::Get::AllowUnauthenticated=true -o Apt::Architecture=amd64 -o Apt::Get::Download-Only=true -o Apt::Install-Recommends=false -o Dir=/var/lib/pdebuild-cross/build/ -o Dir::Etc=/var/lib/pdebuild-cross/build/etc/apt/ -o Dir::State=/var/lib/pdebuild-cross/build/var/lib/apt/ -o Dir::State::Status=/var/lib/pdebuild-cross/build/var/lib/dpkg/status -o Dir::Cache=/var/lib/pdebuild-cross/build/var/cache/apt/ install aptitude/maverick
Reading package lists... Done
Building dependency tree... Done
E: Release 'maverick' for 'aptitude' was not found

the package/suite systax works fine outside the 'pointing apt at a chroot' context.

Wookey (wookey) wrote :

Thinking about this, the problem is presumably that the pointed-to apt config does not have any keys available. This makes me wonder how this worked with older versions of apt. Perhaps they fell back to the keys in the base config at /etc/apt? Maybe it was effectively a bug in old apt that it didn't require any necessary keys to be copied into the new config.

So, to go back to first principles: If we are trying to install a set of packages into an empty chroot, what does apt need in the pointed-to config in order to be satisfied about authentication? Does any tool doing this need to pre-download the necessary archive keyrings (or otherwise get the necessary keys) and then run apt-key add using the pointed-at apt config?

If so why was this not previously necessary?

Is there are simpler workaround in the case where the keys are already present in the main-system apt installation? Perhaps they could just be pointed-at with a config option or copied into the new chroot?

Advice most welcome, as all this is currently worked around with a lot of allowunauthenticaed and --force-yes in the tools, which isn't very satisfying.

Steve Langasek (vorlon) wrote :

> Thinking about this, the problem is presumably that the pointed-to apt config
> does not have any keys available.

Confirmed. I can avoid this error in one of two ways:
 - Add "-o Dir::Etc::Trusted=/etc/apt/trusted.gpg" to the apt commandline, to point at the system keyring
 - pre-populate the etc/apt/trusted.gpg in the chroot target directory before calling apt-get.

> This makes me wonder how this worked with older versions of apt.

I suspect (but have not confirmed) that in older versions of apt, the Dir::Etc::Trusted value did not inherit from Dir::Etc and therefore always used /etc/apt. Regardless of the details of the previous behavior, I don't see any way that the current behavior should be considered a bug.

> So, to go back to first principles: If we are trying to install a set of packages
> into an empty chroot, what does apt need in the pointed-to config in order
> to be satisfied about authentication? Does any tool doing this need to
> pre-download the necessary archive keyrings (or otherwise get the necessary
> keys) and then run apt-key add using the pointed-at apt config?

It needs to be pointed at a keyring containing the public keys for the archives you're trying to install. In the debootstrap case this is not an issue, because debootstrap doesn't invoke apt but instead wgets all of the files and verifies signatures and checksums internally. Multistrap, because it composes a new apt config for the initial bootstrapping, needs to have apt handle this itself.

So I don't think there's an actionable bug here; closing this report.

Changed in apt (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers