Closed Precision-Tech closed 2 years ago
Hi @Precision-Tech
Thanks for feeding this back.
I'm having problems reproducing this, probably as I only have a Franken-Pi available, and that seems to be working.
What are the contents of /etc/apt/sources.list
on your machine?
Thanks.
Here is the contents of /etc/apt/sources.list (it is the default):
deb http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi
Under the hood it seems to direct you to one of their mirrors, and the two mirrors my Pi connects to are: http://raspbian.mirrors.lucidnetworks.net/raspbian/ https://mirrors.gigenet.com/raspbian/raspbian/
For just a little more detail after the script failed I tried to execute the following command: schroot -c pa-build-$USER -u root -- apt-get install -y sudo
This was the error: Reading package lists... Done Building dependency tree... Done E: Unable to locate package sudo
Next I ran: schroot -c pa-build-$USER -u root -- apt-get update
Here are the errors: Get:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease [15.0 kB] Err:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E Reading package lists... Done W: GPG error: http://raspbian.raspberrypi.org/raspbian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E E: The repository 'http://raspbian.raspberrypi.org/raspbian bullseye InRelease' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.
Once the /etc/apt/trusted.gpg was copied into the $BUILDROOT everything seemed to work. It turns out coping the /etc/apt/trusted.gpg.d/ directory was not required.
It should not make a difference, but this was on a Raspberry Pi 4 (and given the issues I had just getting xrdp to work it may matter)
As a final side note (just in case you do get your hands on a Pi 4) to get xrdp to work I had to remove the pi user from the video and render groups. See https://raspberrypi.stackexchange.com/questions/133425/connection-problem-giving-up-on-xrdp-with-raspberry-pi-os-11-bullseye for details.
Don’t remove the users from the groups, that leads to unintended consequences, like e.g. not being able to use Mathematica, etc.
Instead directly work around the bug in the RasPi DRM kernel driver, and comment out the xrdp configuration statement that runs xrdp with DRM. (Removing users from the groups has indirectly the same effect).
In the file /etc/X11/xrdp/xorg.conf find the line in the Section “Device” that is ‘Option “DRMDevice”…’ and comment it out.
Ronald
Sent from my mobile device
On Feb 23, 2022, at 15:44, Precision-Tech @.***> wrote:
Here is the contents of /etc/apt/sources.list (it is the default): deb http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi
Uncomment line below then 'apt-get update' to enable 'apt-get source'
deb-src http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi
Under the hood it seems to direct you to one of their mirrors, and the two mirrors my Pi connects to are:http://raspbian.mirrors.lucidnetworks.net/raspbian/https://mirrors.gigenet.com/raspbian/raspbian/
For just a little more detail after the script failed I tried to execute the following command:schroot -c pa-build-$USER -u root -- apt-get install -y sudo This was the error: Reading package lists... Done Building dependency tree... Done E: Unable to locate package sudo Next I ran: schroot -c pa-build-$USER -u root -- apt-get update Here are the errors: Get:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease [15.0 kB] Err:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E Reading package lists... Done W: GPG error: http://raspbian.raspberrypi.org/raspbian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E E: The repository 'http://raspbian.raspberrypi.org/raspbian bullseye InRelease' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details.
Once the /etc/apt/trusted.gpg was copied into the $BUILDROOT everything seemed to work. It turns out coping the /etc/apt/trusted.gpg.d/ directory was not required. It should not make a difference, but this was on a Raspberry Pi 4 (and given the issues I had just getting xrdp to work it may matter)
As a final side note (just in case you do get your hands on a Pi 4) to get xrdp to work I had to remove the pi user from the video and render groups. See https://raspberrypi.stackexchange.com/questions/133425/connection-problem-giving-up-on-xrdp-with-raspberry-pi-os-11-bullseye for details.
On Wednesday, February 23, 2022, 03:44:20 AM MST, matt335672 @.***> wrote:
Hi @Precision-Tech
Thanks for feeding this back.
I'm having problems reproducing this, probably as I only have a Franken-Pi available, and that seems to be working.
What are the contents of /etc/apt/sources.list on your machine?
Thanks.
— Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you were mentioned.Message ID: @.***> — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.
Thanks for the advice Ronald! I'll give the recommended changes a try this evening. I thought there had to be a better way but I didn't come across it in my quick Google searching
@Precision-Tech - Thanks for your assistance so far. I'm currently trying to see the best way to solve this.
What do these commands give you:-
lsb_release -cs
grep keyring /usr/share/debootstrap/scripts/`lsb_release -cs`
apt-key list
Thanks.
PS - see also neutrinolabs/xrdp#2060 for a more detailed analysis of @rcfa's suggestion above.
lsb_release -cs:
bullseye
grep keyring /usr/share/debootstrap/scripts/`lsb_release -cs:
keyring /usr/share/keyrings/debian-archive-keyring.gpg
apt-key list:
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub rsa2048 2012-04-01 [SC]
A0DA 38D0 D76E 8B5D 6388 7281 9165 938D 90FD DD2E
uid [ unknown] Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <mpthompson@gmail.com>
sub rsa2048 2012-04-01 [E]
/etc/apt/trusted.gpg.d/raspberrypi-archive-stable.gpg
-----------------------------------------------------
pub rsa2048 2012-06-17 [SC]
CF8A 1AF5 02A2 AA2D 763B AE7E 82B1 2992 7FA3 303E
uid [ unknown] Raspberry Pi Archive Signing Key
sub rsa2048 2012-06-17 [E]
The problem seems to be related to /usr/share/debootstrap/scripts/bullseye
which on my system is a symlink to /usr/share/debootstrap/scripts/sid
.
This file is telling the debootstrap utility to use /usr/share/keyrings/debian-archive-keyring.gpg
. This is fine for a Debian bullseye machine, but not a PI, as the packages are signed with a different key.
Can you edit the original script, and make this change?
Replace this line (130):-
sudo debootstrap $distro $BUILDROOT >$log 2>&1 || {
with
sudo debootstrap --keyring=/etc/apt/trusted.gpg $distro $BUILDROOT >$log 2>&1 || {
I'm trying to come up with something which will work with other Debian derivatives.
Thanks again for your help with investigating this.
Happy to try and help!
Changing line 130 results in the following:
cat /var/tmp/pa-build-pi-debootstrap.log
I: Target architecture can be executed
I: Retrieving InRelease
I: Checking Release signature
E: Release signed by unknown key (key id 605C66F00D6C9793)
The specified keyring /etc/apt/trusted.gpg may be incorrect or out of date.
You can find the latest Debian release key at https://ftp-master.debian.org/keys.html
Maybe adding this to line 130 would help?
--no-check-gpg
Disables checking gpg signatures of retrieved Release files.
Changing line 130 to sudo debootstrap --keyring=/etc/apt/trusted.gpg --no-check-gpg $distro $BUILDROOT >$log 2>&1 || {
gets us past the error above. However, this is still an issue:
cat /var/tmp/pa-build-pi-schroot.log
Reading package lists...
Building dependency tree...
E: Unable to locate package sudo
E: Unable to locate package lsb-release
/bin/sh: 1: cannot create /etc/sudoers.d/nopasswd-pi: Directory nonexistent
chmod: cannot access '/etc/sudoers.d/nopasswd-pi': No such file or directory
/wrapped_script: 55: lsb_release: not found
/wrapped_script: 55: lsb_release: not found
We seem to be in a bit of a mess, as the handle bullseye
means two separate things:-
1) The Debian bullseye release
2) The Raspberry PI OS.
The debootstrap
command is defaulting to a Debian mirror http://deb.debian.org/debian
rather than the raspbian mirror. The URL is hard-coded in the command (which is a shell script). That explains your first error. The key 605C66F00D6C9793 is a (very) recent Debian signing key:-
$ gpg --search-key 605C66F00D6C9793
gpg: data source: http://162.213.33.9:11371
(1) Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.o
4096 bit RSA key 605C66F00D6C9793, created: 2021-02-13
I'm not keen on the --no-check-gpg
as you're downloading stuff from the Internet here (probably over vanilla http) which will run with privilege. It's probably OK on a company LAN.
Try this line 130:-
sudo debootstrap --keyring=/etc/apt/trusted.gpg $distro $BUILDROOT http://raspbian.raspberrypi.org/raspbian >$log 2>&1 || {
On my AMD64 machine I get past the error you had earlier, but then get E: Invalid Release file, no entry for main/binary-amd64/Packages
. I can see why!
I 100% agree that --no-check-gpg
was not an ideal solution.
Changing line 130 to:
sudo debootstrap --keyring=/etc/apt/trusted.gpg $distro $BUILDROOT http://raspbian.raspberrypi.org/raspbian >$log 2>&1 || {
did resolve the issue!
Seems like there might need to be some logic to check if bullseye
then check if is Raspbian for this to work in the general case, but this does work in the single use case of installing on Raspbian
Checking /etc/os-release
comes to mind, but I am not sure how reliable it is:
cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
What I might do is add some way to specify the mirror and keyring to the script, and then add a note on the Wiki.
That means less changes when a similar things happens for another SBC - there are quite a few of them.
Working on this here:-
https://github.com/matt335672/pulseaudio-module-xrdp/tree/specify_mirror
Direct download link to the update script is:-
Copy this over your existing script, then this should work:-
./install_pulseaudio_sources_apt_wrapper.sh --mirror=http://raspbian.raspberrypi.org/raspbian --keyring=/etc/apt/trusted.gpg
Let me know, then I can commit this and update the Wiki.
It works, thank you for all your support with this issue!
@Precision-Tech - thank you for raising this, and particularly in helping me find a good resolution. I've updated the Wiki for Raspberry PI OS now.
Received the follow errors in the
pa-build-pi-schroot.log
file when executing theinstall_pulseaudio_sources_apt_wrapper.sh
script on Raspbian GNU/Linux 11 (bullseye):Adding the follow code to the beginning of the
RunWrappedScript()
function allowed apt-get to find the required packages on Raspbian resulting in a successful build:Full code of
install_pulseaudio_sources_apt_wrapper.sh
for reference: