pbuilder always passes Ubuntu keyring, even when creating e.g. Debian environments

Bug #599695 reported by Scott Evans
This bug affects 23 people

Affects            Status        Importance  Assigned to  Milestone
Linux Mint         New           Undecided   Unassigned
pbuilder (Ubuntu)  Fix Released  Medium      Unassigned

Bug Description

Binary package hint: pbuilder

Firstly this is not a duplicate of Bug #599394 but is very similar in that now the chroot fails to create for Debian

Ubuntu chroots create fine, and that was fixed in Bug #599394

$ sudo DIST=sid pbuilder create --debug
[sudo] password for scott:
++ shift
++ '[' -n '' ']'
++ BUILDPLACE=/var/cache/pbuilder/build/
++ BASEBUILDPLACE=/var/cache/pbuilder/build/
++ '[' '' '!=' yes -a no '!=' yes ']'
++ BUILDPLACE=/var/cache/pbuilder/build//6105
++ '[' -z '' ']'
++ CHROOTEXEC='chroot /var/cache/pbuilder/build//6105 '
++ '[' sid = experimental ']'
++ EXPERIMENTAL=
++ case "$PBCURRENTCOMMANDLINEOPERATION" in
++ '[' noninteractive = noninteractive -o noninteractive = Noninteractive ']'
++ exec
++ FORCE_CONFNEW[0]=-o
++ FORCE_CONFNEW[1]=DPkg::Options::=--force-confnew
++ '[' -n /var/cache/pbuilder/ccache ']'
++ '[' -d /var/cache/pbuilder/ccache ']'
++ BINDMOUNTS='/var/cache/pbuilder/ccache /var/cache/pbuilder/ccache'
++ export PATH=/usr/lib/ccache:/usr/lib/ccache:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
++ PATH=/usr/lib/ccache:/usr/lib/ccache:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
+++ for i in '$BINDMOUNTS'
+++ echo /var/cache/pbuilder/ccache
+++ for i in '$BINDMOUNTS'
+++ sort -u
+++ echo /var/cache/pbuilder/ccache
++ BINDMOUNTS=/var/cache/pbuilder/ccache
+ . /usr/lib/pbuilder/pbuilder-runhooks
++ hooks=tmp/hooks
+ '[' -z sid ']'
+ log 'I: Distribution is sid.'
+ case "$*" in
+ echo 'I: Distribution is sid.'
I: Distribution is sid.
+ '[' yes = yes ']'
+ TRAP='echo ignoring trap '
+ cleanbuildplace
+ '[' 0 -ne 0 ']'
+ '[' '' '!=' yes ']'
+ '[' -d /var/cache/pbuilder/build//6105 ']'
+ log 'I: Building the build environment'
+ case "$*" in
+ echo 'I: Building the build environment'
I: Building the build environment
+ mkdir -p /var/cache/pbuilder/build//6105
+ '[' '!' -d /var/cache/pbuilder/build//6105 ']'
+ echo ignoring trap cleanbuildplace exit
ignoring trap cleanbuildplace exit
+ log 'I: running debootstrap'
+ case "$*" in
+ echo 'I: running debootstrap'
I: running debootstrap
+ unset DEBOOTSTRAPSCRIPT
+ '[' -n '' ']'
+ which debootstrap
/usr/sbin/debootstrap
+ :
+ cd /var/cache/pbuilder/build//6105
+ debootstrap --include=apt --arch amd64 --arch amd64 --variant=buildd --keyring /usr/share/keyrings/ubuntu-archive-keyring.gpg sid . http://mirror.internode.on.net/pub/debian/
I: Retrieving Release
I: Retrieving Release.gpg
I: Checking Release signature
E: Release signed by unknown key (key id 9AA38DCD55BE302B)
+ log 'E: debootstrap failed'
+ case "$*" in
+ echo 'E: debootstrap failed'
E: debootstrap failed
+ exit 1

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: pbuilder 0.198ubuntu2
ProcVersionSignature: Ubuntu 2.6.35-6.8-generic 2.6.35-rc3
Uname: Linux 2.6.35-6-generic x86_64
Architecture: amd64
Date: Tue Jun 29 19:09:02 2010
InstallationMedia: Kubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
PackageArchitecture: all
ProcEnviron:
 LANG=en_AU.utf8
 SHELL=/bin/bash
SourcePackage: pbuilder

Scott Evans (vk7hse) wrote :
Loïc Minier (lool) wrote :

Right, I raised this in a followup to Debian #579028. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579028#59

Basically, to switch between Debian and Ubuntu, one usually had to set:
- distribution (sid, maverick)
- mirror (ftp.xx.debian.org/debian, archive.ubuntu.com/ubuntu)
- optionally components (main contrib non-free, main universe restricted multiverse)

Now one also needs to set the keyring pieces which are hidden in DEBOOTSTRAPOPTS.

It would be nicer to have a separate variable for the debootstrap keyring, and it would be nicer if pbuilder could figure out which keyring to use for which dists. I think this latter part needs deeper fixes in pbuilder than I can commit to right now, personally.

Scott Evans (vk7hse) wrote :

OK so this commit fixes pbuilder for Ubuntu chroots but it's broken for Debian... I've re-installed Lucid so I can do work in Debian chroots! but will keep tabs on this ;-)

Scott Evans (vk7hse) wrote :

Hmm... interesting reading on http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579028

I thought we were supposed to "get along" sad really...

Loïc Minier (lool) wrote :

So if you want to get the old behavior back of "not checking anything" security-wise, there is a new flag now and unsetting DEBOOTSTRAPOPTS in /etc/pbuilderrc will remove the new keyring bits.

Alternatively, to still get security, you can switch manually in /etc/pbuilderrc, or point pbuilder at alternate pbuilderrcs e.g. /etc/pbuilderrc-debian including the usual one but setting different DEBOOTSTRAPOPTS. Finally, you can pass --debootstrapopts directly too.

The proper solution is much longer to implement correctly.

Scott Evans (vk7hse) wrote :

After some thought, I'm now using Debian (sid) to continue my work on package building. As no one else is complaining about this I'm changing the status to incomplete.

Changed in pbuilder (Ubuntu):
status: New → Incomplete
Loïc Minier (lool) wrote :

I think it's a valid bug, it's just a pain to fix it properly :-)

Changed in pbuilder (Ubuntu):
status: Incomplete → Confirmed
Scott Evans (vk7hse) wrote : Re: [Bug 599695] Re: pbuilder error: Release signed by unknown key (key id 9AA38DCD55BE302B)

Yes I do agree but for me the easiest fix was to use Debian!

Sent from my HTC Desire
> I think it's a valid bug, it's just a pain to fix it properly :-)

YunQiang Su (wzssyqa) wrote : Re: pbuilder error: Release signed by unknown key (key id 9AA38DCD55BE302B)

Just install debian-archive-keyring , and edit /etc/pbuilderrc to add

DEBOOTSTRAPOPTS=(
    '--variant=buildd'
    '--keyring' '/usr/share/keyrings/debian-archive-keyring.gpg'
    )

Note: The default one is

DEBOOTSTRAPOPTS=(
    '--variant=buildd'
    '--keyring' '/usr/share/keyrings/ubuntu-archive-keyring.gpg'
    )

YunQiang Su (wzssyqa) wrote :

It is NOT a bug, but a new feature.

Changed in pbuilder (Ubuntu):
status: Confirmed → Invalid
Loïc Minier (lool) wrote :

Sorry, no, it's a bug; pbuilder has enough information to select the right keyring or revert to the old behavior when one selects to create a Debian environment from an Ubuntu host or vice-versa.

This should be solved by pbuilder selecting the keyring based on the target release rather than having a hardcoded default keyring which gets used for all pbuilder create runs.

Changed in pbuilder (Ubuntu):
importance: Undecided → Medium
status: Invalid → Confirmed
summary: - pbuilder error: Release signed by unknown key (key id 9AA38DCD55BE302B)
+ pbuilder always passes Ubuntu keyring, even when creating e.g. Debian
+ environments
Scott Evans (vk7hse) wrote : Re: [Bug 599695] Re: pbuilder error: Release signed by unknown key (key id 9AA38DCD55BE302B)

This also breaks the relationship between Debian & Ubuntu. It is this type
of response "it's a feature not a bug" that had made me stop using Ubuntu.

Remember if it wasn't for Debian, there is no Ubuntu! If this is the stance
being taken by Ubuntu developers then it's time to rethink the relationship.

Truly this example only deepens the divide...

Loïc Minier (lool) wrote :

Scott, vent off elsewhere; this place should be used to discuss the technical issue. This bug is completely symmetric since Debian's pbuilder also breaks when creating Ubuntu environments.

YunQiang Su (wzssyqa) wrote :

Ubuntu's packages should not have huge differences from the Debian ones.

Since Debian's packages can only have 1 key, Ubuntu should have 2 -- it will make a lot of Ubuntu delta.
This would break the relationship with Debian even more.

For package maintainers, it is not a problem to modify pbuilder's config file.

Riku Voipio (riku-voipio) wrote :

Someone should update the https://wiki.ubuntu.com/PbuilderHowto to explain how to fit the keyring parameter there.

IMNHSO this should be fixed in debootstrap, since it already has per-distro scripts.

Sameer Morar (smorar) wrote :

I have updated the https://wiki.ubuntu.com/PbuilderHowto with the keyring parameter included, as a workaround.

Benjamin Drung (bdrung)
Changed in pbuilder (Ubuntu):
status: Confirmed → Fix Committed
status: Fix Committed → Confirmed
GordonSchumacher (eleccham) wrote :

I did an "apt-get install debian-archive-keyring", and modified the script from the wiki page above to read:

if $(echo ${DEBIAN_SUITES[@]} | grep -q $DIST); then
....
    DEBOOTSTRAPOPTS=( "${DEBOOTSTRAPOPTS[@]/ubuntu-archive-keyring.gpg/debian-archive-keyring.gpg}" )
elif $(echo ${UBUNTU_SUITES[@]} | grep -q $DIST); then
....

This is failing for me in exactly the same way:

+ cd /var/cache/pbuilder/build//8189
+ debootstrap --include=apt --arch amd64 --variant=buildd --keyring /usr/share/keyrings/debian-archive-keyring.gpg sid . http://debian.osuosl.org/debian/
I: Retrieving Release
I: Retrieving Release.gpg
I: Checking Release signature
E: Invalid Release signature (key id 9AA38DCD55BE302B)
+ log 'E: debootstrap failed'

As a sanity check, running the debootstrap command line as shown above also fails, so it's not my script changes :)

gzarkadas (gzarkadas) wrote :

It appears that the debian-archive-keyring.gpg does not contain the current key used by Debian to sign!

Most probably the change of new stable distribution in Debian resulted in a new key that is not yet included in the package.

I had the same problem (I use pbuilder in Ubuntu Karmic, with the configuration outlined at the pbuilder howto wiki) and I did the following:

1. I got the key from the Ubuntu keyserver with gpg2. Procedure:

In the search box of page http://keyserver.ubuntu.com:11371/ enter 'debian archive' and select the key with data:

  pub 4096R/473041FA 2010-08-27
  uid Debian Archive Automatic Signing Key (6.0/squeeze) <email address hidden>

Write down the key id (473041FA)

2. I added the key to /etc/apt/trusted.gpg with apt-key. Procedure (note the hyphen at the end for apt-key to use stdin):

  gpg2 -a --export 473041FA | sudo apt-key add -

3. I modified my ~/.pbuilderrc to use --keyring=/etc/apt/trusted.gpg for DEBOOTSTRAPOPTS when building with a Debian target.

gzarkadas (gzarkadas) wrote :

NOTE: I see in the debian-archive-keyring package page ( https://launchpad.net/ubuntu/+source/debian-archive-keyring ) that the new Debian key is included only for Natty Narwhal. For other Ubuntu versions there is also a .deb file uploaded but it is in "proposed" state.
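
Added example, not part of the thread and not pbuilder's own code: one way to pick the keyring from the target suite, as proposed in the discussion above, failing closed when the suite is unknown or the keyring file is missing, plus a check for the stale-keyring case from the last few comments. The function names, KEYRING_DIR and the suite lists are assumptions; the keyring paths and the key id are the ones quoted in this thread.

```sh
# Added example, not pbuilder code. Function names, KEYRING_DIR and the suite
# lists are assumptions; extend the lists to the suites you build for.
KEYRING_DIR="${KEYRING_DIR:-/usr/share/keyrings}"
DEBIAN_SUITES="sid squeeze wheezy stable testing unstable experimental"
UBUNTU_SUITES="lucid maverick natty utopic"

# Print the archive keyring for the target suite. Fails (non-zero, nothing on
# stdout) for an unknown suite or a missing keyring file, so the caller stops
# rather than bootstrapping with the wrong keyring or without verification.
keyring_for_dist() {
    dist=$1
    keyring=
    case "$dist" in
        ''|*[!a-z0-9.-]*) echo "E: bad suite name '$dist'" >&2; return 1 ;;
    esac
    # Whole-word match against the space-separated suite lists.
    case " $DEBIAN_SUITES " in
        *" $dist "*) keyring="$KEYRING_DIR/debian-archive-keyring.gpg" ;;
    esac
    case " $UBUNTU_SUITES " in
        *" $dist "*) keyring="$KEYRING_DIR/ubuntu-archive-keyring.gpg" ;;
    esac
    if [ -z "$keyring" ]; then
        echo "E: no keyring mapping for suite '$dist'" >&2
        return 1
    fi
    if [ ! -r "$keyring" ]; then
        echo "E: $keyring not readable; install the matching keyring package" >&2
        return 1
    fi
    printf '%s\n' "$keyring"
}

# Succeeds only if the keyring file holds the given key id, e.g. the id that
# debootstrap prints in its Release signature error. Requires gpg.
keyring_has_key() {
    gpg --no-default-keyring --keyring "$1" --list-keys "$2" >/dev/null 2>&1
}

# Use in /etc/pbuilderrc or ~/.pbuilderrc (bash), stopping on failure:
#   KEYRING=$(keyring_for_dist "$DIST") || exit 1
#   DEBOOTSTRAPOPTS=( '--variant=buildd' '--keyring' "$KEYRING" )
# Diagnose a stale keyring against the key id from the error message:
#   keyring_has_key "$KEYRING" 9AA38DCD55BE302B || echo "keyring lacks key"
```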

god (humper) wrote :

I think normal fix should be backported to LTS release at least since it's highly unlikely that adding debian gpg keys might break anything

Margarita Manterola (marga-9) wrote :

This bug is still present, even though it's been silent for two and a half years.

I'm affected by it in a different way: I'm creating my own debootstrap script, that includes its own keyring, but pbuilder overrides it with ubuntu's keyring, unless I explicitly state the keyring. Which means that the keyring in the debootstrap script is completely ignored.

chemicalfan (mike-lumsden) wrote :

Please can you confirm that this bug applies to a currently supported release (i.e. Maya, Petra or Qiana)? If not, this bug should be closed.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pbuilder - 0.215ubuntu10

---------------
pbuilder (0.215ubuntu10) utopic; urgency=medium

  * Remove --keyring override from default pbuilderrc (LP: #599695)
 -- Phillip Susi <email address hidden> Wed, 11 Jun 2014 13:37:37 -0400

Changed in pbuilder (Ubuntu):
status: Confirmed → Fix Released