Custom APT gpg public key in mkosi.skeleton is not detected

[ragazenta]

We use mkosi.skeleton directory to add custom APT repo with custom gpg public key.

mkosi.skeleton/
├── etc
│   └── apt
│       ├── auth.conf.d
│       │   └── customrepo.conf
│       ├── sources.list.d
│       │   └── customrepo.list
│       └── trusted.gpg.d
│           └── customrepo.asc
└── usr
    └── share
        └── keyrings
            └── customrepo.gpg

It used to be working, but after #2201, apt could not find the gpg public key.

‣  Installing Debian
Get:1 https://**********/debian bookworm InRelease [28.0 kB]
Err:1 https://**********/debian bookworm InRelease                                                            
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ********************

[DaanDeMeyer]

@ragazenta Can you run mkosi with --debug and post the full output in a github gist here? You can also add --debug-shell to end up in the sandbox and you can see whether the key can be found there or not

[DaanDeMeyer]

@ragazenta It would also be great if you could publish a repository with a minimal reproducer so I can reproduce the issue. This will make it much easier to figure out what the problem is.

[ragazenta]

Here is the output:

root@image:~/debian/fusbin# mkosi --debug build
‣ Including configuration file /root/debian/fusbin/mkosi.conf
‣ Removing output files…
‣ + mount --make-rslave /
‣ + mount --rbind /usr /usr --options ro
‣ + mount --rbind /etc /etc --options ro
‣ + mount --rbind /opt /opt --options ro
‣ + mount --rbind /srv /srv --options ro
‣ + mount --rbind /boot /boot --options ro
‣ + mount --rbind /efi /efi --options ro
‣ + mount --rbind /media /media --options ro
‣ + mount --rbind /mnt /mnt --options ro
‣ Building fusbin image
‣ + /usr/bin/ukify --version
‣ + /usr/bin/systemd-repart --version
‣ + mkdir --parents /root/debian/fusbin/mkosi.output
‣ + mkdir --parents /root/debian/fusbin/mkosi.cache
‣ + stat --file-system --format %T /root/.cache/mkosi-workspace8k8y4m66
‣  Copying in package manager file trees…
‣ + cp --recursive --no-dereference --preserve=mode,timestamps,links,xattr --reflink=auto /root/debian/fusbin/mkosi.skeleton /root/.cache/mkosi-workspace8k8y4m66/pkgmngr --no-target-directory
‣  Copying in skeleton file trees…
‣ + cp --recursive --no-dereference --preserve=mode,timestamps,links,xattr --reflink=auto /root/debian/fusbin/mkosi.skeleton /root/.cache/mkosi-workspace8k8y4m66/root --no-target-directory
‣  Installing Debian
‣ + bwrap --ro-bind /usr /usr --bind /var/tmp /var/tmp --bind /tmp /tmp --bind /root/debian/fusbin /root/debian/fusbin --chdir /root/debian/fusbin --unshare-pid --unshare-ipc --unshare-cgroup --die-with-parent --proc /proc --setenv SYSTEMD_OFFLINE 1 --dev /dev --symlink /usr/lib/systemd/systemd /init --symlink usr/lib /lib --symlink boot/vmlinuz-6.5.0-5-cloud-amd64 /vmlinuz --symlink boot/vmlinuz-6.5.0-5-cloud-amd64 /vmlinuz.old --symlink usr/sbin /sbin --symlink usr/bin /bin --symlink usr/lib64 /lib64 --bind /etc/resolv.conf /etc/resolv.conf --ro-bind /etc/ca-certificates /etc/ca-certificates --ro-bind /etc/pki /etc/pki --ro-bind /etc/ssl /etc/ssl --bind /root/.cache/mkosi-workspace8k8y4m66 /root/.cache/mkosi-workspace8k8y4m66 --bind /root/debian/fusbin/mkosi.cache /root/debian/fusbin/mkosi.cache --bind /root/debian/fusbin/mkosi.output /root/debian/fusbin/mkosi.output --setenv PATH :/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin sh -c 'chmod 1777 /dev/shm && exec $0 "$@"' env APT_CONFIG=/root/.cache/mkosi-workspace8k8y4m66/apt.conf DEBIAN_FRONTEND=noninteractive DEBCONF_INTERACTIVE_SEEN=true INITRD=No apt-get -o APT::Architecture=amd64 -o APT::Architectures=amd64 -o APT::Install-Recommends=false -o APT::Immediate-Configure=off -o APT::Get::Assume-Yes=true -o APT::Get::AutomaticRemove=true -o APT::Get::Allow-Change-Held-Packages=true -o APT::Get::Allow-Remove-Essential=true -o APT::Sandbox::User=root -o Dir::Cache=/root/debian/fusbin/mkosi.cache/apt -o Dir::State=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/var/lib/apt -o Dir::State::status=/root/.cache/mkosi-workspace8k8y4m66/root/var/lib/dpkg/status -o Dir::Etc::trusted=/usr/share/keyrings/debian-archive-keyring.gpg -o Dir::Etc::trustedparts=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/etc/apt/trusted.gpg.d -o Dir::Log=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/var/log/apt -o Dir::Bin::dpkg=/usr/bin/dpkg -o Debug::NoLocking=true -o DPkg::Options::=--root=/root/.cache/mkosi-workspace8k8y4m66/root -o DPkg::Options::=--log=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/var/log/apt/dpkg.log -o DPkg::Options::=--force-unsafe-io -o DPkg::Options::=--force-architecture -o DPkg::Options::=--force-depends -o Dpkg::Use-Pty=false -o DPkg::Install::Recursive::Minimum=1000 -o pkgCacheGen::ForceEssential=, update
Get:1 https://**********/debian bookworm InRelease [28.0 kB]
Err:1 https://**********/debian bookworm InRelease                                                            
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ********************
Get:2 http://deb.debian.org/debian bookworm InRelease [151 kB]                                        
Get:3 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:5 http://security.debian.org/debian-security bookworm-security/contrib Sources [852 B]
Get:6 http://deb.debian.org/debian bookworm/non-free-firmware Sources [6168 B]
Get:7 http://deb.debian.org/debian bookworm/main Sources [9488 kB]
Get:8 http://security.debian.org/debian-security bookworm-security/main Sources [67.0 kB]
Get:9 http://security.debian.org/debian-security bookworm-security/non-free-firmware Sources [796 B]
Get:10 http://security.debian.org/debian-security bookworm-security/main amd64 Packages [130 kB]
Get:11 http://security.debian.org/debian-security bookworm-security/main Translation-en [76.5 kB]
Get:12 http://security.debian.org/debian-security bookworm-security/contrib amd64 Packages [644 B]
Get:13 http://security.debian.org/debian-security bookworm-security/contrib Translation-en [372 B]
Get:14 http://security.debian.org/debian-security bookworm-security/non-free-firmware amd64 Packages [688 B]
Get:15 http://security.debian.org/debian-security bookworm-security/non-free-firmware Translation-en [472 B]
Get:16 http://deb.debian.org/debian bookworm/contrib Sources [51.3 kB]                                
Get:17 http://deb.debian.org/debian bookworm/non-free Sources [77.9 kB]
Get:18 http://deb.debian.org/debian bookworm/main amd64 Packages [8787 kB]
Get:19 http://deb.debian.org/debian bookworm/main Translation-en [6109 kB]
Get:20 http://deb.debian.org/debian bookworm/contrib amd64 Packages [54.1 kB]
Get:21 http://deb.debian.org/debian bookworm/contrib Translation-en [48.7 kB]
Get:22 http://deb.debian.org/debian bookworm/non-free amd64 Packages [96.9 kB]
Get:23 http://deb.debian.org/debian bookworm/non-free Translation-en [66.8 kB]
Get:24 http://deb.debian.org/debian bookworm/non-free-firmware amd64 Packages [6208 B]
Get:25 http://deb.debian.org/debian bookworm/non-free-firmware Translation-en [20.8 kB]
Get:26 http://deb.debian.org/debian bookworm-updates/main Sources [16.4 kB]
Get:27 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [11.3 kB]
Get:28 http://deb.debian.org/debian bookworm-updates/main Translation-en [12.9 kB]
Reading package lists... Done                                                                                          
W: GPG error: https://**********/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY ********************
E: The repository 'https://**********/debian bookworm InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://security.debian.org/debian-security/dists/bookworm-security/InRelease: Key is stored in legacy trusted.gpg keyring (/usr/share/keyrings/debian-archive-keyring.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring (/usr/share/keyrings/debian-archive-keyring.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: Key is stored in legacy trusted.gpg keyring (/usr/share/keyrings/debian-archive-keyring.gpg), see the DEPRECATION section in apt-key(8) for details.
‣ "env APT_CONFIG=/root/.cache/mkosi-workspace8k8y4m66/apt.conf DEBIAN_FRONTEND=noninteractive DEBCONF_INTERACTIVE_SEEN=true INITRD=No apt-get -o APT::Architecture=amd64 -o APT::Architectures=amd64 -o APT::Install-Recommends=false -o APT::Immediate-Configure=off -o APT::Get::Assume-Yes=true -o APT::Get::AutomaticRemove=true -o APT::Get::Allow-Change-Held-Packages=true -o APT::Get::Allow-Remove-Essential=true -o APT::Sandbox::User=root -o Dir::Cache=/root/debian/fusbin/mkosi.cache/apt -o Dir::State=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/var/lib/apt -o Dir::State::status=/root/.cache/mkosi-workspace8k8y4m66/root/var/lib/dpkg/status -o Dir::Etc::trusted=/usr/share/keyrings/debian-archive-keyring.gpg -o Dir::Etc::trustedparts=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/etc/apt/trusted.gpg.d -o Dir::Log=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/var/log/apt -o Dir::Bin::dpkg=/usr/bin/dpkg -o Debug::NoLocking=true -o DPkg::Options::=--root=/root/.cache/mkosi-workspace8k8y4m66/root -o DPkg::Options::=--log=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/var/log/apt/dpkg.log -o DPkg::Options::=--force-unsafe-io -o DPkg::Options::=--force-architecture -o DPkg::Options::=--force-depends -o Dpkg::Use-Pty=false -o DPkg::Install::Recursive::Minimum=1000 -o pkgCacheGen::ForceEssential=, update" returned non-zero exit code 100.
‣ + rm -rf -- /root/.cache/mkosi-workspace8k8y4m66
Traceback (most recent call last):
  File "/root/mkosi/mkosi/run.py", line 167, in uncaught_exception_handler
    yield
  File "/root/mkosi/mkosi/run.py", line 208, in fork_and_wait
    target()
  File "/root/mkosi/mkosi/__init__.py", line 3228, in target
    build_image(args, config)
  File "/root/mkosi/mkosi/__init__.py", line 2609, in build_image
    install_distribution(state)
  File "/root/mkosi/mkosi/__init__.py", line 137, in install_distribution
    state.config.distribution.install(state)
  File "/root/mkosi/mkosi/distributions/__init__.py", line 113, in install
    return self.installer().install(state)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/mkosi/mkosi/distributions/debian.py", line 115, in install
    cls.install_packages(state, [
  File "/root/mkosi/mkosi/distributions/debian.py", line 147, in install_packages
    invoke_apt(state, "apt-get", "update", apivfs=False)
  File "/root/mkosi/mkosi/installer/apt.py", line 112, in invoke_apt
    bwrap(state, cmd + apt_cmd(state, command) + [operation, *sort_packages(packages)],
  File "/root/mkosi/mkosi/bubblewrap.py", line 135, in bwrap
    raise e
  File "/root/mkosi/mkosi/bubblewrap.py", line 120, in bwrap
    result = run(
             ^^^^
  File "/root/mkosi/mkosi/run.py", line 309, in run
    raise e
  File "/root/mkosi/mkosi/run.py", line 290, in run
    return subprocess.run(
           ^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['bwrap', '--ro-bind', '/usr', '/usr', '--bind', '/var/tmp', '/var/tmp', '--bind', '/tmp', '/tmp', '--bind', '/root/debian/fusbin', '/root/debian/fusbin', '--chdir', '/root/debian/fusbin', '--unshare-pid', '--unshare-ipc', '--unshare-cgroup', '--die-with-parent', '--proc', '/proc', '--setenv', 'SYSTEMD_OFFLINE', '1', '--dev', '/dev', '--symlink', '/usr/lib/systemd/systemd', '/init', '--symlink', 'usr/lib', '/lib', '--symlink', 'boot/vmlinuz-6.5.0-5-cloud-amd64', '/vmlinuz', '--symlink', 'boot/vmlinuz-6.5.0-5-cloud-amd64', '/vmlinuz.old', '--symlink', 'usr/sbin', '/sbin', '--symlink', 'usr/bin', '/bin', '--symlink', 'usr/lib64', '/lib64', '--bind', '/etc/resolv.conf', '/etc/resolv.conf', '--ro-bind', '/etc/ca-certificates', '/etc/ca-certificates', '--ro-bind', '/etc/pki', '/etc/pki', '--ro-bind', '/etc/ssl', '/etc/ssl', '--bind', '/root/.cache/mkosi-workspace8k8y4m66', '/root/.cache/mkosi-workspace8k8y4m66', '--bind', '/root/debian/fusbin/mkosi.cache', '/root/debian/fusbin/mkosi.cache', '--bind', '/root/debian/fusbin/mkosi.output', '/root/debian/fusbin/mkosi.output', '--setenv', 'PATH', ':/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'sh', '-c', 'chmod 1777 /dev/shm && exec $0 "$@"', 'env', 'APT_CONFIG=/root/.cache/mkosi-workspace8k8y4m66/apt.conf', 'DEBIAN_FRONTEND=noninteractive', 'DEBCONF_INTERACTIVE_SEEN=true', 'INITRD=No', 'apt-get', '-o', 'APT::Architecture=amd64', '-o', 'APT::Architectures=amd64', '-o', 'APT::Install-Recommends=false', '-o', 'APT::Immediate-Configure=off', '-o', 'APT::Get::Assume-Yes=true', '-o', 'APT::Get::AutomaticRemove=true', '-o', 'APT::Get::Allow-Change-Held-Packages=true', '-o', 'APT::Get::Allow-Remove-Essential=true', '-o', 'APT::Sandbox::User=root', '-o', 'Dir::Cache=/root/debian/fusbin/mkosi.cache/apt', '-o', 'Dir::State=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/var/lib/apt', '-o', 'Dir::State::status=/root/.cache/mkosi-workspace8k8y4m66/root/var/lib/dpkg/status', '-o', 'Dir::Etc::trusted=/usr/share/keyrings/debian-archive-keyring.gpg', '-o', 'Dir::Etc::trustedparts=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/etc/apt/trusted.gpg.d', '-o', 'Dir::Log=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/var/log/apt', '-o', 'Dir::Bin::dpkg=/usr/bin/dpkg', '-o', 'Debug::NoLocking=true', '-o', 'DPkg::Options::=--root=/root/.cache/mkosi-workspace8k8y4m66/root', '-o', 'DPkg::Options::=--log=/root/.cache/mkosi-workspace8k8y4m66/pkgmngr/var/log/apt/dpkg.log', '-o', 'DPkg::Options::=--force-unsafe-io', '-o', 'DPkg::Options::=--force-architecture', '-o', 'DPkg::Options::=--force-depends', '-o', 'Dpkg::Use-Pty=false', '-o', 'DPkg::Install::Recursive::Minimum=1000', '-o', 'pkgCacheGen::ForceEssential=,', 'update']' returned non-zero exit status 100.
‣ + tput cnorm
‣ + tput smam

Here is the output when it work (checkout to previous commit before #2201):

root@image:~/debian/fusbin# mkosi --debug build
‣ Including configuration file /root/debian/fusbin/mkosi.conf
‣ Removing output files…
‣ + mount --make-rslave /
‣ + mount --rbind /usr /usr --options ro
‣ + mount --rbind /etc /etc --options ro
‣ + mount --rbind /opt /opt --options ro
‣ + mount --rbind /srv /srv --options ro
‣ + mount --rbind /boot /boot --options ro
‣ + mount --rbind /efi /efi --options ro
‣ + mount --rbind /media /media --options ro
‣ + mount --rbind /mnt /mnt --options ro
‣ Building fusbin image
‣ + /usr/bin/ukify --version
‣ + /usr/bin/systemd-repart --version
‣ + mkdir --parents /root/debian/fusbin/mkosi.output
‣ + mkdir --parents /root/debian/fusbin/mkosi.cache
‣ + stat --file-system --format %T /root/.cache/mkosi-workspacefrlr5iut
‣  Copying in package manager file trees…
‣ + cp --recursive --no-dereference --preserve=mode,timestamps,links,xattr --reflink=auto /root/debian/fusbin/mkosi.skeleton /root/.cache/mkosi-workspacefrlr5iut/pkgmngr --no-target-directory
‣  Copying in skeleton file trees…
‣ + cp --recursive --no-dereference --preserve=mode,timestamps,links,xattr --reflink=auto /root/debian/fusbin/mkosi.skeleton /root/.cache/mkosi-workspacefrlr5iut/root --no-target-directory
‣  Installing Debian
‣ + bwrap --dev-bind / / --chdir /root/debian/fusbin --unshare-pid --unshare-ipc --unshare-cgroup --die-with-parent --proc /proc --dev /dev --setenv SYSTEMD_OFFLINE 1 --setenv PATH :/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin sh -c 'chmod 1777 /dev/shm && exec $0 "$@"' env APT_CONFIG=/root/.cache/mkosi-workspacefrlr5iut/apt.conf DEBIAN_FRONTEND=noninteractive DEBCONF_INTERACTIVE_SEEN=true INITRD=No apt-get -o APT::Architecture=amd64 -o APT::Architectures=amd64 -o APT::Install-Recommends=false -o APT::Immediate-Configure=off -o APT::Get::Assume-Yes=true -o APT::Get::AutomaticRemove=true -o APT::Get::Allow-Change-Held-Packages=true -o APT::Get::Allow-Remove-Essential=true -o APT::Sandbox::User=root -o Dir::Cache=/root/debian/fusbin/mkosi.cache/apt -o Dir::State=/root/.cache/mkosi-workspacefrlr5iut/pkgmngr/var/lib/apt -o Dir::State::status=/root/.cache/mkosi-workspacefrlr5iut/root/var/lib/dpkg/status -o Dir::Etc::trusted=/usr/share/keyrings/debian-archive-keyring.gpg -o Dir::Etc::trustedparts=/root/.cache/mkosi-workspacefrlr5iut/pkgmngr/etc/apt/trusted.gpg.d -o Dir::Log=/root/.cache/mkosi-workspacefrlr5iut/pkgmngr/var/log/apt -o Dir::Bin::dpkg=/usr/bin/dpkg -o Debug::NoLocking=true -o DPkg::Options::=--root=/root/.cache/mkosi-workspacefrlr5iut/root -o DPkg::Options::=--log=/root/.cache/mkosi-workspacefrlr5iut/pkgmngr/var/log/apt/dpkg.log -o DPkg::Options::=--force-unsafe-io -o DPkg::Options::=--force-architecture -o DPkg::Options::=--force-depends -o Dpkg::Use-Pty=false -o DPkg::Install::Recursive::Minimum=1000 -o pkgCacheGen::ForceEssential=, update
Get:1 https://**********/debian bookworm InRelease [28.0 kB]
Get:2 https://**********/debian bookworm/main all Packages [3819 B]                                          
Get:3 https://**********/debian bookworm/main amd64 Packages [14.3 kB]                                        
Get:4 https://**********/debian bookworm/nightly amd64 Packages [927 B]                                       
Get:5 http://deb.debian.org/debian bookworm InRelease [151 kB]                                                         
Get:6 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]                                
Get:7 http://security.debian.org/debian-security bookworm-security/main Sources [67.0 kB]

[DaanDeMeyer]

@ragazenta Can you try with latest git main? Note that you'll need to move your key from /usr/share/keyrings in the skeleton tree to /etc/apt/keyrings

[DaanDeMeyer]

@ragazenta With https://github.com/systemd/mkosi/pull/2212 you won't have to move your key to /etc/apt/keyrings

[ragazenta]

I've tried moving my .gpg to mkosi.skeleton/etc/apt/keyrings. Still same error.

Here is a repo to reproduce this issue: https://github.com/ragazenta/debiandotnet

[DaanDeMeyer]

@ragazenta I cannot reproduce the issue when running from the latest commit on mkosi's main branch. Can you try again with the latest commit on mkosi's main branch?

[ragazenta]

I still can reproduce it using latest commit main branch #2212. I thought it failed to find etc/apt/trusted.gpg.d/microsoft.asc

root@image:~/debian/dotnet# mkosi --debug build
‣ Including configuration file /root/debian/dotnet/mkosi.conf
‣ Removing output files…
‣ + mount --make-rslave /
‣ + mount --rbind /usr /usr --options ro
‣ + mount --rbind /etc /etc --options ro
‣ + mount --rbind /opt /opt --options ro
‣ + mount --rbind /srv /srv --options ro
‣ + mount --rbind /boot /boot --options ro
‣ + mount --rbind /efi /efi --options ro
‣ + mount --rbind /media /media --options ro
‣ + mount --rbind /mnt /mnt --options ro
‣ Building debiandotnet image
‣ + /usr/bin/ukify --version
‣ + /usr/bin/systemd-repart --version
‣ + mkdir --parents /root/debian/dotnet/mkosi.output
‣ + mkdir --parents /root/debian/dotnet/mkosi.cache
‣ + stat --file-system --format %T /root/.cache/mkosi-workspacezm258yqo
‣  Copying in package manager file trees…
‣ + cp --recursive --no-dereference --preserve=mode,timestamps,links,xattr --reflink=auto /root/debian/dotnet/mkosi.skeleton /root/.cache/mkosi-workspacezm258yqo/pkgmngr --no-target-directory
‣  Copying in skeleton file trees…
‣ + cp --recursive --no-dereference --preserve=mode,timestamps,links,xattr --reflink=auto /root/debian/dotnet/mkosi.skeleton /root/.cache/mkosi-workspacezm258yqo/root --no-target-directory
‣  Installing Debian
‣ + mount --no-mtab overlay /usr --types overlay --options lowerdir=/root/.cache/mkosi-workspacezm258yqo/pkgmngr/usr:/usr,upperdir=/root/.cache/mkosi-workspacezm258yqo/volatile-overlayqaxiopj9,workdir=/root/.cache/mkosi-workspacezm258yqo/volatile-overlayqaxiopj9-workdirjys4tulg,index=off,metacopy=off,userxattr
‣ + bwrap --ro-bind /usr /usr --ro-bind-try /nix/store /nix/store --bind /root/.cache/mkosi-workspacezm258yqo/pkgmngr/etc /etc --bind /var/tmp /var/tmp --bind /tmp /tmp --bind /root/debian/dotnet /root/debian/dotnet --chdir /root/debian/dotnet --unshare-pid --unshare-ipc --unshare-cgroup --die-with-parent --proc /proc --setenv SYSTEMD_OFFLINE 1 --dev /dev --symlink /usr/lib/systemd/systemd /init --symlink usr/lib /lib --symlink boot/vmlinuz-6.5.0-5-cloud-amd64 /vmlinuz --symlink boot/vmlinuz-6.5.0-5-cloud-amd64 /vmlinuz.old --symlink usr/sbin /sbin --symlink usr/bin /bin --symlink usr/lib64 /lib64 --bind /etc/resolv.conf /etc/resolv.conf --ro-bind /etc/ca-certificates /etc/ca-certificates --ro-bind /etc/pki /etc/pki --ro-bind /etc/ssl /etc/ssl --bind /root/.cache/mkosi-workspacezm258yqo /root/.cache/mkosi-workspacezm258yqo --bind /root/debian/dotnet/mkosi.cache /root/debian/dotnet/mkosi.cache --bind /root/debian/dotnet/mkosi.output /root/debian/dotnet/mkosi.output --setenv PATH :/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin sh -c 'chmod 1777 /dev/shm && exec $0 "$@"' env APT_CONFIG=/root/.cache/mkosi-workspacezm258yqo/apt.conf DEBIAN_FRONTEND=noninteractive DEBCONF_INTERACTIVE_SEEN=true INITRD=No apt-get -o APT::Architecture=amd64 -o APT::Architectures=amd64 -o APT::Install-Recommends=false -o APT::Immediate-Configure=off -o APT::Get::Assume-Yes=true -o APT::Get::AutomaticRemove=true -o APT::Get::Allow-Change-Held-Packages=true -o APT::Get::Allow-Remove-Essential=true -o APT::Sandbox::User=root -o Dir::Cache=/root/debian/dotnet/mkosi.cache/cache/apt -o Dir::State=/root/debian/dotnet/mkosi.cache/lib/apt -o Dir::State::Status=/root/.cache/mkosi-workspacezm258yqo/root/var/lib/dpkg/status -o Dir::Etc::Trusted=/usr/share/keyrings/debian-archive-keyring.gpg -o Dir::Log=/root/.cache/mkosi-workspacezm258yqo -o Dir::Bin::DPkg=/usr/bin/dpkg -o Debug::NoLocking=true -o DPkg::Options::=--root=/root/.cache/mkosi-workspacezm258yqo/root -o DPkg::Options::=--force-unsafe-io -o DPkg::Options::=--force-architecture -o DPkg::Options::=--force-depends -o DPkg::Use-Pty=false -o DPkg::Install::Recursive::Minimum=1000 -o pkgCacheGen::ForceEssential=, update
Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
Get:2 https://packages.microsoft.com/debian/12/prod bookworm InRelease [3617 B]                          
Hit:3 http://deb.debian.org/debian bookworm InRelease                                                    
Err:2 https://packages.microsoft.com/debian/12/prod bookworm InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF
Hit:4 http://deb.debian.org/debian bookworm-updates InRelease
Reading package lists... Done
W: http://security.debian.org/debian-security/dists/bookworm-security/InRelease: Key is stored in legacy trusted.gpg keyring (/usr/share/keyrings/debian-archive-keyring.gpg), see the DEPRECATION section in apt-key(8) for details.
W: GPG error: https://packages.microsoft.com/debian/12/prod bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY EB3E94ADBE1229CF
E: The repository 'https://packages.microsoft.com/debian/12/prod bookworm InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: http://deb.debian.org/debian/dists/bookworm/InRelease: Key is stored in legacy trusted.gpg keyring (/usr/share/keyrings/debian-archive-keyring.gpg), see the DEPRECATION section in apt-key(8) for details.
W: http://deb.debian.org/debian/dists/bookworm-updates/InRelease: Key is stored in legacy trusted.gpg keyring (/usr/share/keyrings/debian-archive-keyring.gpg), see the DEPRECATION section in apt-key(8) for details.
‣ + umount --no-mtab --lazy /usr
‣ "env APT_CONFIG=/root/.cache/mkosi-workspacezm258yqo/apt.conf DEBIAN_FRONTEND=noninteractive DEBCONF_INTERACTIVE_SEEN=true INITRD=No apt-get -o APT::Architecture=amd64 -o APT::Architectures=amd64 -o APT::Install-Recommends=false -o APT::Immediate-Configure=off -o APT::Get::Assume-Yes=true -o APT::Get::AutomaticRemove=true -o APT::Get::Allow-Change-Held-Packages=true -o APT::Get::Allow-Remove-Essential=true -o APT::Sandbox::User=root -o Dir::Cache=/root/debian/dotnet/mkosi.cache/cache/apt -o Dir::State=/root/debian/dotnet/mkosi.cache/lib/apt -o Dir::State::Status=/root/.cache/mkosi-workspacezm258yqo/root/var/lib/dpkg/status -o Dir::Etc::Trusted=/usr/share/keyrings/debian-archive-keyring.gpg -o Dir::Log=/root/.cache/mkosi-workspacezm258yqo -o Dir::Bin::DPkg=/usr/bin/dpkg -o Debug::NoLocking=true -o DPkg::Options::=--root=/root/.cache/mkosi-workspacezm258yqo/root -o DPkg::Options::=--force-unsafe-io -o DPkg::Options::=--force-architecture -o DPkg::Options::=--force-depends -o DPkg::Use-Pty=false -o DPkg::Install::Recursive::Minimum=1000 -o pkgCacheGen::ForceEssential=, update" returned non-zero exit code 100.
‣ + rm -rf -- /root/.cache/mkosi-workspacezm258yqo
Traceback (most recent call last):
  File "/root/mkosi/mkosi/run.py", line 167, in uncaught_exception_handler
    yield
  File "/root/mkosi/mkosi/run.py", line 208, in fork_and_wait
    target()
  File "/root/mkosi/mkosi/__init__.py", line 3233, in target
    build_image(args, config)
  File "/root/mkosi/mkosi/__init__.py", line 2611, in build_image
    install_distribution(state)
  File "/root/mkosi/mkosi/__init__.py", line 137, in install_distribution
    state.config.distribution.install(state)
  File "/root/mkosi/mkosi/distributions/__init__.py", line 113, in install
    return self.installer().install(state)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/root/mkosi/mkosi/distributions/debian.py", line 115, in install
    cls.install_packages(state, [
  File "/root/mkosi/mkosi/distributions/debian.py", line 147, in install_packages
    invoke_apt(state, "apt-get", "update", apivfs=False)
  File "/root/mkosi/mkosi/installer/apt.py", line 107, in invoke_apt
    bwrap(state, cmd + apt_cmd(state, command) + [operation, *sort_packages(packages)],
  File "/root/mkosi/mkosi/bubblewrap.py", line 150, in bwrap
    raise e
  File "/root/mkosi/mkosi/bubblewrap.py", line 135, in bwrap
    return run(
           ^^^^
  File "/root/mkosi/mkosi/run.py", line 309, in run
    raise e
  File "/root/mkosi/mkosi/run.py", line 290, in run
    return subprocess.run(
           ^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['bwrap', '--ro-bind', '/usr', '/usr', '--ro-bind-try', '/nix/store', '/nix/store', '--bind', '/root/.cache/mkosi-workspacezm258yqo/pkgmngr/etc', '/etc', '--bind', '/var/tmp', '/var/tmp', '--bind', '/tmp', '/tmp', '--bind', '/root/debian/dotnet', '/root/debian/dotnet', '--chdir', '/root/debian/dotnet', '--unshare-pid', '--unshare-ipc', '--unshare-cgroup', '--die-with-parent', '--proc', '/proc', '--setenv', 'SYSTEMD_OFFLINE', '1', '--dev', '/dev', '--symlink', '/usr/lib/systemd/systemd', '/init', '--symlink', 'usr/lib', '/lib', '--symlink', 'boot/vmlinuz-6.5.0-5-cloud-amd64', '/vmlinuz', '--symlink', 'boot/vmlinuz-6.5.0-5-cloud-amd64', '/vmlinuz.old', '--symlink', 'usr/sbin', '/sbin', '--symlink', 'usr/bin', '/bin', '--symlink', 'usr/lib64', '/lib64', '--bind', '/etc/resolv.conf', '/etc/resolv.conf', '--ro-bind', '/etc/ca-certificates', '/etc/ca-certificates', '--ro-bind', '/etc/pki', '/etc/pki', '--ro-bind', '/etc/ssl', '/etc/ssl', '--bind', '/root/.cache/mkosi-workspacezm258yqo', '/root/.cache/mkosi-workspacezm258yqo', '--bind', '/root/debian/dotnet/mkosi.cache', '/root/debian/dotnet/mkosi.cache', '--bind', '/root/debian/dotnet/mkosi.output', '/root/debian/dotnet/mkosi.output', '--setenv', 'PATH', ':/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'sh', '-c', 'chmod 1777 /dev/shm && exec $0 "$@"', 'env', 'APT_CONFIG=/root/.cache/mkosi-workspacezm258yqo/apt.conf', 'DEBIAN_FRONTEND=noninteractive', 'DEBCONF_INTERACTIVE_SEEN=true', 'INITRD=No', 'apt-get', '-o', 'APT::Architecture=amd64', '-o', 'APT::Architectures=amd64', '-o', 'APT::Install-Recommends=false', '-o', 'APT::Immediate-Configure=off', '-o', 'APT::Get::Assume-Yes=true', '-o', 'APT::Get::AutomaticRemove=true', '-o', 'APT::Get::Allow-Change-Held-Packages=true', '-o', 'APT::Get::Allow-Remove-Essential=true', '-o', 'APT::Sandbox::User=root', '-o', 'Dir::Cache=/root/debian/dotnet/mkosi.cache/cache/apt', '-o', 'Dir::State=/root/debian/dotnet/mkosi.cache/lib/apt', '-o', 'Dir::State::Status=/root/.cache/mkosi-workspacezm258yqo/root/var/lib/dpkg/status', '-o', 'Dir::Etc::Trusted=/usr/share/keyrings/debian-archive-keyring.gpg', '-o', 'Dir::Log=/root/.cache/mkosi-workspacezm258yqo', '-o', 'Dir::Bin::DPkg=/usr/bin/dpkg', '-o', 'Debug::NoLocking=true', '-o', 'DPkg::Options::=--root=/root/.cache/mkosi-workspacezm258yqo/root', '-o', 'DPkg::Options::=--force-unsafe-io', '-o', 'DPkg::Options::=--force-architecture', '-o', 'DPkg::Options::=--force-depends', '-o', 'DPkg::Use-Pty=false', '-o', 'DPkg::Install::Recursive::Minimum=1000', '-o', 'pkgCacheGen::ForceEssential=,', 'update']' returned non-zero exit status 100.
‣ + tput cnorm
‣ + tput smam

[DaanDeMeyer]

@ragazenta Can you run with --debug-shell and check that the key is in /etc/apt/trusted.gpg.d as expected? Also, when in the debug shell, can you run apt-config dump and post the output here?

[ragazenta]

Yes, the key is in /etc/apt/trusted.gpg.d

# tree /etc/apt
/etc/apt
├── apt.conf.d
├── keyrings
│   └── microsoft-prod.gpg
├── preferences.d
├── sources.list
├── sources.list.d
│   └── microsoft-prod.list
└── trusted.gpg.d
    └── microsoft.asc

apt-config dump output:

# apt-config dump
APT "";
APT::Architecture "amd64";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "1";
APT::Install-Suggests "0";
APT::Sandbox "";
APT::Sandbox::User "_apt";
APT::Architectures "";
APT::Architectures:: "amd64";
APT::Compressor "";
APT::Compressor::. "";
APT::Compressor::.::Name ".";
APT::Compressor::.::Extension "";
APT::Compressor::.::Binary "";
APT::Compressor::.::Cost "0";
APT::Compressor::zstd "";
APT::Compressor::zstd::Name "zstd";
APT::Compressor::zstd::Extension ".zst";
APT::Compressor::zstd::Binary "zstd";
APT::Compressor::zstd::Cost "60";
APT::Compressor::zstd::CompressArg "";
APT::Compressor::zstd::CompressArg:: "-19";
APT::Compressor::zstd::UncompressArg "";
APT::Compressor::zstd::UncompressArg:: "-d";
APT::Compressor::lz4 "";
APT::Compressor::lz4::Name "lz4";
APT::Compressor::lz4::Extension ".lz4";
APT::Compressor::lz4::Binary "false";
APT::Compressor::lz4::Cost "50";
APT::Compressor::gzip "";
APT::Compressor::gzip::Name "gzip";
APT::Compressor::gzip::Extension ".gz";
APT::Compressor::gzip::Binary "gzip";
APT::Compressor::gzip::Cost "100";
APT::Compressor::gzip::CompressArg "";
APT::Compressor::gzip::CompressArg:: "-6n";
APT::Compressor::gzip::UncompressArg "";
APT::Compressor::gzip::UncompressArg:: "-d";
APT::Compressor::xz "";
APT::Compressor::xz::Name "xz";
APT::Compressor::xz::Extension ".xz";
APT::Compressor::xz::Binary "xz";
APT::Compressor::xz::Cost "200";
APT::Compressor::xz::CompressArg "";
APT::Compressor::xz::CompressArg:: "-6";
APT::Compressor::xz::UncompressArg "";
APT::Compressor::xz::UncompressArg:: "-d";
APT::Compressor::bzip2 "";
APT::Compressor::bzip2::Name "bzip2";
APT::Compressor::bzip2::Extension ".bz2";
APT::Compressor::bzip2::Binary "false";
APT::Compressor::bzip2::Cost "300";
APT::Compressor::lzma "";
APT::Compressor::lzma::Name "lzma";
APT::Compressor::lzma::Extension ".lzma";
APT::Compressor::lzma::Binary "xz";
APT::Compressor::lzma::Cost "400";
APT::Compressor::lzma::CompressArg "";
APT::Compressor::lzma::CompressArg:: "--format=lzma";
APT::Compressor::lzma::CompressArg:: "-6";
APT::Compressor::lzma::UncompressArg "";
APT::Compressor::lzma::UncompressArg:: "--format=lzma";
APT::Compressor::lzma::UncompressArg:: "-d";
Dir "/";
Dir::State "var/lib/apt";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::extended_states "extended_states";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::netrc "auth.conf";
Dir::Etc::netrcparts "auth.conf.d";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Etc::trusted "trusted.gpg";
Dir::Etc::trustedparts "trusted.gpg.d";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::solvers "";
Dir::Bin::solvers:: "/usr/lib/apt/solvers";
Dir::Bin::planners "";
Dir::Bin::planners:: "/usr/lib/apt/planners";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Bin::gzip "/bin/gzip";
Dir::Bin::bzip2 "/bin/bzip2";
Dir::Bin::xz "/usr/bin/xz";
Dir::Bin::lz4 "/usr/bin/lz4";
Dir::Bin::zstd "/usr/bin/zstd";
Dir::Bin::lzma "/usr/bin/xz";
Dir::Media "";
Dir::Media::MountPath "/media/apt";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Dir::Log::History "history.log";
Dir::Log::Planner "eipp.log.xz";
Dir::Ignore-Files-Silently "";
Dir::Ignore-Files-Silently:: "~$";
Dir::Ignore-Files-Silently:: "\.disabled$";
Dir::Ignore-Files-Silently:: "\.bak$";
Dir::Ignore-Files-Silently:: "\.dpkg-[a-z]+$";
Dir::Ignore-Files-Silently:: "\.ucf-[a-z]+$";
Dir::Ignore-Files-Silently:: "\.save$";
Dir::Ignore-Files-Silently:: "\.orig$";
Dir::Ignore-Files-Silently:: "\.distUpgrade$";
Acquire "";
Acquire::AllowInsecureRepositories "0";
Acquire::AllowWeakRepositories "0";
Acquire::AllowDowngradeToInsecureRepositories "0";
Acquire::cdrom "";
Acquire::cdrom::mount "/media/cdrom/";
Acquire::IndexTargets "";
Acquire::IndexTargets::deb "";
Acquire::IndexTargets::deb::Packages "";
Acquire::IndexTargets::deb::Packages::MetaKey "$(COMPONENT)/binary-$(ARCHITECTURE)/Packages";
Acquire::IndexTargets::deb::Packages::flatMetaKey "Packages";
Acquire::IndexTargets::deb::Packages::ShortDescription "Packages";
Acquire::IndexTargets::deb::Packages::Description "$(RELEASE)/$(COMPONENT) $(ARCHITECTURE) Packages";
Acquire::IndexTargets::deb::Packages::flatDescription "$(RELEASE) Packages";
Acquire::IndexTargets::deb::Packages::Optional "0";
Acquire::IndexTargets::deb::Translations "";
Acquire::IndexTargets::deb::Translations::MetaKey "$(COMPONENT)/i18n/Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::flatMetaKey "$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::ShortDescription "Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::Description "$(RELEASE)/$(COMPONENT) Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb::Translations::flatDescription "$(RELEASE) Translation-$(LANGUAGE)";
Acquire::IndexTargets::deb-src "";
Acquire::IndexTargets::deb-src::Sources "";
Acquire::IndexTargets::deb-src::Sources::MetaKey "$(COMPONENT)/source/Sources";
Acquire::IndexTargets::deb-src::Sources::flatMetaKey "Sources";
Acquire::IndexTargets::deb-src::Sources::ShortDescription "Sources";
Acquire::IndexTargets::deb-src::Sources::Description "$(RELEASE)/$(COMPONENT) Sources";
Acquire::IndexTargets::deb-src::Sources::flatDescription "$(RELEASE) Sources";
Acquire::IndexTargets::deb-src::Sources::Optional "0";
Acquire::Changelogs "";
Acquire::Changelogs::URI "";
Acquire::Changelogs::URI::Origin "";
Acquire::Changelogs::URI::Origin::Debian "https://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog";
Acquire::Changelogs::URI::Origin::Ubuntu "https://changelogs.ubuntu.com/changelogs/pool/@CHANGEPATH@/changelog";
Acquire::Changelogs::AlwaysOnline "";
Acquire::Changelogs::AlwaysOnline::Origin "";
Acquire::Changelogs::AlwaysOnline::Origin::Ubuntu "1";
Acquire::Snapshots "";
Acquire::Snapshots::URI "";
Acquire::Snapshots::URI::Origin "";
Acquire::Snapshots::URI::Origin::Debian "https://snapshot.debian.org/archive/debian/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Origin::Ubuntu "https://snapshot.ubuntu.com/ubuntu/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Override "";
Acquire::Snapshots::URI::Override::Label "";
Acquire::Snapshots::URI::Override::Label::Debian-Security "https://snapshot.debian.org/archive/debian-security/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host "";
Acquire::Snapshots::URI::Host::archive.ubuntu.com "https://snapshot.ubuntu.com/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::deb.debian.org "https://snapshot.debian.org/archive/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::.archive.ubuntu.com "https://snapshot.ubuntu.com/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::security.ubuntu.com "https://snapshot.ubuntu.com/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::ppa.launchpadcontent.net "https://snapshot.ppa.launchpadcontent.net/@PATH@/@SNAPSHOTID@/";
Acquire::Snapshots::URI::Host::ppa.launchpad.net "https://snapshot.ppa.launchpadcontent.net/@PATH@/@SNAPSHOTID@/";
Acquire::Languages "";
Acquire::Languages:: "en";
Acquire::CompressionTypes "";
Acquire::CompressionTypes::xz "xz";
Acquire::CompressionTypes::bz2 "bzip2";
Acquire::CompressionTypes::lzma "lzma";
Acquire::CompressionTypes::gz "gzip";
Acquire::CompressionTypes::lz4 "lz4";
Acquire::CompressionTypes::zst "zstd";
DPkg "";
DPkg::Path "/usr/sbin:/usr/bin:/sbin:/bin";
Binary "apt-config";
Binary::apt "";
Binary::apt::APT "";
Binary::apt::APT::Color "1";
Binary::apt::APT::Cache "";
Binary::apt::APT::Cache::Show "";
Binary::apt::APT::Cache::Show::Version "2";
Binary::apt::APT::Cache::AllVersions "0";
Binary::apt::APT::Cache::ShowVirtuals "1";
Binary::apt::APT::Cache::Search "";
Binary::apt::APT::Cache::Search::Version "2";
Binary::apt::APT::Cache::ShowDependencyType "1";
Binary::apt::APT::Cache::ShowVersion "1";
Binary::apt::APT::Get "";
Binary::apt::APT::Get::Upgrade-Allow-New "1";
Binary::apt::APT::Get::Update "";
Binary::apt::APT::Get::Update::InteractiveReleaseInfoChanges "1";
Binary::apt::APT::Cmd "";
Binary::apt::APT::Cmd::Show-Update-Stats "1";
Binary::apt::APT::Cmd::Pattern-Only "1";
Binary::apt::APT::Keep-Downloaded-Packages "0";
Binary::apt::DPkg "";
Binary::apt::DPkg::Progress-Fancy "1";
Binary::apt::DPkg::Lock "";
Binary::apt::DPkg::Lock::Timeout "-1";
CommandLine "";
CommandLine::AsString "apt-config dump";

[DaanDeMeyer]

@ragazenta I have no clue unfortunately. Can you try using signed-by like in https://github.com/systemd/mkosi/pull/2215? You can use [signed-by=/usr/share/keyrings/customrepo.gpg] and we'll pick it up from the package manager tree automatically.

[ragazenta]

I've just tried using Fedora 39 to build the image and there is no error. Previously I used Debian Unstable (also built by mkosi).

I confirm signed-by works as expected and I think it's the recommended way, instead of putting ASCII GPG key .asc file to /etc/apt/trusted.gpg.d.

Thanks.