adding a PPA key in pbuilder fails

Bug #993426 reported by Rolf Leggewie
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
apt-cacher-ng (Ubuntu) | New | Low | Unassigned |

Bug Description

I am trying to add the GPG key for my "stable" PPA (https://launchpad.net/~r0lf/+archive/stable/) to one of my pbuilders. This works fine outside the chroot but fails inside the pbuilder. Both the host and the pbuilder chroot are lucid. Here's what I do.

$ sudo pbuilder --login --save-after-login
[...] #pbuilder starts up
 # apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 15331454B72FD7EC
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 15331454B72FD7EC
gpg: requesting key B72FD7EC from hkp server keyserver.ubuntu.com
gpgkeys: key 15331454B72FD7EC not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
# gpg import --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg /tmp/gpg.txt
gpg: fatal: can't create directory `/home/rolf/.gnupg': No such file or directory
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768
# aptitude search ~i\!~M
i apt - Advanced front-end for dpkg
i aptitude - terminal-based package manager
i build-essential - Informational list of build-essential packages
i debhelper - helper programs for debian/rules
i dpkg-dev - Debian package development tools
i less - pager program similar to more
i libcapi20-3 - ISDN utilities - CAPI support libraries
i libcapi20-dev - ISDN utilities - CAPI development libraries
i nano - small, friendly text editor inspired by Pico
i sudo - Provide limited super user privileges to specific users

The second command was a desperate attempt to install the gpg key directly. The last command shows which packages are explicitly installed. My gut feeling tells me there is a package missing in a normal pbuilder installation for gpg to work and make a connection here, but of course, the problem could be elsewhere.

JFTR: The key exists of course on the keyserver in question. The apt-key command outside the pbuilder chroot works just fine. Try it!

Command in question run directly on the host:
$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 15331454B72FD7EC
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 15331454B72FD7EC
gpg: requesting key B72FD7EC from hkp server keyserver.ubuntu.com
gpg: key B72FD7EC: public key "Launchpad PPA for Rolf Leggewie" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

Link to the key which of course is available
http://keyserver.ubuntu.com:11371/pks/lookup?search=0x14C966D8AC5F7A9119DD574315331454B72FD7EC&op=index

Rolf Leggewie (r0lf)
description: updated
Michael Bienia (geser) wrote :

I can't reproduce it.
As I didn't use my lucid pbuilder for some time, I updated it before I tried it (note: I use a precise host).

# apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 15331454B72FD7EC
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv-keys 15331454B72FD7EC
gpg: keyring `/etc/apt/secring.gpg' created
gpg: requesting key B72FD7EC from hkp server keyserver.ubuntu.com
gpg: /etc/apt/trustdb.gpg: trustdb created
gpg: key B72FD7EC: public key "Launchpad PPA for Rolf Leggewie" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
# apt-key list
/etc/apt/trusted.gpg
--------------------
pub 1024D/437D05B5 2004-09-12
uid Ubuntu Archive Automatic Signing Key <email address hidden>
sub 2048g/79164387 2004-09-12

pub 1024R/B72FD7EC 2009-01-19
uid Launchpad PPA for Rolf Leggewie

Rolf Leggewie (r0lf) wrote :

Unfortunately, the situation is still unchanged and not improved here. Thanks for trying it out.

Rolf Leggewie (r0lf) wrote :

Situation is still the same. HELP, please!

Rolf Leggewie (r0lf) wrote :

Found the culprit: apt-cacher-ng, which I use as a local cache.

From the log:
Sun Mar 2 09:39:23 2014|Returning to last state, 1
Sun Mar 2 09:40:26 2014|Detected incoming connection from the TCP socket
Sun Mar 2 09:40:26 2014|Client name: ::1
Sun Mar 2 09:40:26 2014|Raw request URI: http://keyserver.ubuntu.com:11371/pks/lookup?op=get&options=mr&search=0x15331454B72FD7EC
Sun Mar 2 09:40:26 2014|Prepared response header for user:
HTTP/1.1 403 Prohibited port or config error (double proxy)
Content-Length: 216
Content-Type: text/html
Date: Sun Mar 2 01:40:26 2014
Server: Debian Apt-Cacher NG/0.7.2
Connection: close

apt-cacher-ng is version 0.7.2-1ubuntu2.1 from precise-updates

affects: gnupg (Ubuntu) → apt-cacher-ng (Ubuntu)
Rolf Leggewie (r0lf) wrote :

Here's the remedy for the next guy who runs into this issue, just run

http_proxy="" apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 15331454B72FD7EC

inside the pbuilder chroot.

Changed in apt-cacher-ng (Ubuntu):
importance: Undecided → Low
Rolf Leggewie (r0lf) wrote :

Eduard, should apt-cacher-ng allow downloading of gpg keys or should this one be dealt with differently?

Rubberneck (rubberneck) wrote :

apt-add-repository is also broken because it tries to add a key from keyserver.ubuntu.com.

command "apt-add-repository ppa:fo0bar/rpi2"
gpg: keyring `/tmp/tmpkwiw1gyj/secring.gpg' created
gpg: keyring `/tmp/tmpkwiw1gyj/pubring.gpg' created
gpg: requesting key A80602AF from hkp server keyserver.ubuntu.com
gpgkeys: key 727F27B6D2CFD561F5E93193AD99EC7BA80602AF can't be retrieved
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

The error log shows
1427482304|E|701|192.168.85.169|403 Forbidden file type or location: http://keyserver.ubuntu.com:80/pks/lookup?op=get&options=mr&search=0x727F27B6D2CFD561F5E93193AD99EC7BA80602AF

Rolf Leggewie (r0lf) wrote :

Rubberneck, to make sure you are actually experiencing the same issue, are you indeed using apt-cacher-ng for your pbuilder chroots?

Eduard Bloch (edi-gmx) wrote :

It looks like a regular REST call, so probably the easiest fix would be to extend the regex matching the volatile data URLs. If you have a recent version, add something like

VfilePatternEx: /pks/lookup.op.get

and for an older version, add a modified version of VfilePattern, maybe something like:

VfilePattern = (^|.*/)(Index|Packages(\\.gz|\\.bz2|\\.lzma|\\.xz)?|InRelease|Release|mirrors\\.txt|.*\\.gpg|NEWS\\.Debian|Sources(\\.gz|\\.bz2|\\.lzma|\\.xz)?|release|index\\.db-.*\\.gz|Contents-[^/]*(\\.gz|\\.bz2|\\.lzma|\\.xz)?|pkglist[^/]*\\.bz2|rclist[^/]*\\.bz2|meta-release[^/]*|Translation[^/]*(\\.gz|\\.bz2|\\.lzma|\\.xz)?|MD5SUMS|SHA256SUMS|SHA1SUMS|((setup|setup-legacy)(\\.ini|\\.bz2|\\.hint)(\\.sig)?)|mirrors\\.lst|repo(index|md)\\.xml(\\.asc|\\.key)?|directory\\.yast|products|content(\\.asc|\\.key)?|media|filelists\\.xml\\.gz|filelists\\.sqlite\\.bz2|repomd\\.xml|packages\\.[a-zA-Z][a-zA-Z]\\.gz|info\\.txt|license\\.tar\\.gz|license\\.zip|.*\\.(db|files|abs)(\\.tar(\\.gz|\\.bz2|\\.lzma|\\.xz))?|metalink\\?repo|.*prestodelta\\.xml\\.gz|repodata/.*\\.(xml|sqlite)(\\.gz|\\.bz2|\\.lzma|\\.xz)?|\\.treeinfo|vmlinuz|(initrd|product|squashfs|updates)\\.img)$|/dists/.*/installer-[^/]+/[^0-9][^/]+/images/.*|/pks/lookup.op.get
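
An added check, not part of the original thread or of apt-cacher-ng: it runs the `/pks/lookup.op.get` alternative suggested above against the two request URIs from the logs in this report plus constructed ones, with `grep -E` standing in for the proxy's regex matching (an assumption). `STRICT_PATTERN` and the `mirror.example` URIs are hypothetical, added only to show what the unescaped dots admit.

```shell
#!/bin/sh
# Added example: which request URIs would a candidate pattern admit?
# grep -E stands in for apt-cacher-ng's regex matching (assumption).

# Alternative proposed in the thread.
THREAD_PATTERN='/pks/lookup.op.get'
# Stricter variant with the metacharacters escaped (assumption, not from the thread).
STRICT_PATTERN='/pks/lookup\?op=get'

# First two URIs are taken from the logs in this report; the rest are constructed.
sample_uris() {
cat <<'EOF'
http://keyserver.ubuntu.com:11371/pks/lookup?op=get&options=mr&search=0x15331454B72FD7EC
http://keyserver.ubuntu.com:80/pks/lookup?op=get&options=mr&search=0x727F27B6D2CFD561F5E93193AD99EC7BA80602AF
http://keyserver.ubuntu.com:80/pks/lookup?op=index&search=0x15331454B72FD7EC
http://mirror.example/pks/lookupXopYget/payload.bin
http://mirror.example/pool/main/h/hello/hello_2.10-1_amd64.deb
EOF
}

# admitted PATTERN -> the sample URIs the pattern matches, one per line
admitted() {
    sample_uris | grep -E -- "$1"
}

# count_admitted PATTERN -> number of sample URIs the pattern matches
count_admitted() {
    sample_uris | grep -E -c -- "$1"
}

# report PATTERN -> every sample URI labelled ALLOW or DENY
report() {
    sample_uris | while IFS= read -r uri; do
        if printf '%s\n' "$uri" | grep -E -q -- "$1"; then
            echo "ALLOW $uri"
        else
            echo "DENY  $uri"
        fi
    done
}

echo "== $THREAD_PATTERN"; report "$THREAD_PATTERN"
echo "== $STRICT_PATTERN"; report "$STRICT_PATTERN"
```

This only exercises the pattern. The 2014 log above shows the port 11371 request refused with "Prohibited port or config error", which a file-pattern check does not model.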
