Install fails on Raspbian GNU/Linux 11 (bullseye)

[Precision-Tech]

Received the follow errors in the pa-build-pi-schroot.log file when executing the install_pulseaudio_sources_apt_wrapper.sh script on Raspbian GNU/Linux 11 (bullseye):

Reading package lists...
Building dependency tree...
E: Unable to locate package sudo
E: Unable to locate package lsb-release
/bin/sh: 1: cannot create /etc/sudoers.d/nopasswd-pi: Directory nonexistent
chmod: cannot access '/etc/sudoers.d/nopasswd-pi': No such file or directory
/wrapped_script: 55: lsb_release: not found
/wrapped_script: 55: lsb_release: not found

Adding the follow code to the beginning of the RunWrappedScript() function allowed apt-get to find the required packages on Raspbian resulting in a successful build:

sudo cp -r /etc/apt/trusted.gpg.d/ $BUILDROOT/etc/apt/trusted.gpg.d/
sudo cp /etc/apt/trusted.gpg $BUILDROOT/etc/apt/
schroot -c pa-build-$USER -u root -- apt-get update

Full code of install_pulseaudio_sources_apt_wrapper.sh for reference:

#!/bin/sh
#
# xrdp: A Remote Desktop Protocol server.
#
# Copyright (C) 2021 Matt Burt, all xrdp contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

# Wrapper to call install_pulseaudio_sources.sh and tidy up afterwards

# ---------------------------------------------------------------------------
# G L O B A L S
# ---------------------------------------------------------------------------
# Where the output files are going. Must be under $HOME as schroot
# assumes this.
PULSE_DIR=$HOME/pulseaudio.src

# Absolute path to the script we're wrapping. This picks it up from
# the same directory this file is in
WRAPPED_SCRIPT=$(cd $(dirname $0) && pwd)/install_pulseaudio_sources_apt.sh

# The buildroot directory. Choose fast, temporary storage if available
BUILDROOT=/var/lib/pa-build/$USER

# Extra packages to install in the build root which the wrapped script
# may be using. These are packages available by default when using
# GitHub actions
WRAPPED_SCRIPT_DEPS="sudo lsb-release"

# -----------------------------------------------------------------------------
# I N S T A L L   R E Q U I R E D   P A C K A G E S
#
# Installs packages required for the build on the host machine
# -----------------------------------------------------------------------------
InstallRequiredPackages()
{
    set -- \
        /usr/sbin/debootstrap   debootstrap \
        /usr/bin/schroot        schroot \
        /usr/bin/lsb_release    lsb-release

    pkgs=
    while [ $# -ge 2 ]; do
        if [ ! -x $1 ]; then
            pkgs="$pkgs $2"
        fi
        shift 2
    done

    if [ -n "$pkgs" ]; then
        echo "- Need to install packages :$pkgs"
        echo
        echo "  These can be removed when this script completes with:-"
        echo "  sudo apt-get purge$pkgs && apt-get autoremove"
        echo
        sudo apt-get install -y $pkgs
    fi
}

# -----------------------------------------------------------------------------
# R U N   W R A P P E D   S C R I P T
#
# Runs the wrapped build script using schroot
#
# This function definition uses () rather than {} to create an extra
# sub-process where we can run 'set -e' without affecting the parent
# -----------------------------------------------------------------------------
RunWrappedScript()
(
    # In this sub-process, fail on error
    set -e

    # Fix for Raspbian
    sudo cp -r /etc/apt/trusted.gpg.d/ $BUILDROOT/etc/apt/trusted.gpg.d/
    sudo cp -r /etc/apt/trusted.gpg $BUILDROOT/etc/apt/
    schroot -c pa-build-$USER -u root -- apt-get update

    # Install extra dependencies
    schroot -c pa-build-$USER -u root -- \
        apt-get install -y $WRAPPED_SCRIPT_DEPS

    # Allow normal user to sudo without a password
    schroot -c pa-build-$USER -u root -- \
        /bin/sh -c "echo '$USER ALL=(ALL) NOPASSWD:ALL'>/etc/sudoers.d/nopasswd-$USER"
    schroot -c pa-build-$USER -u root -- chmod 400 /etc/sudoers.d/nopasswd-$USER

    # Call the wrapped script
    schroot -c pa-build-$USER -- /wrapped_script -d $PULSE_DIR
)

# -----------------------------------------------------------------------------
# M A I N
# -----------------------------------------------------------------------------

# Start with a few sanity checks
if [ -d $PULSE_DIR ]; then
    echo "** Target directory $PULSE_DIR already exists" >&2
    exit 0
fi

if [ ! -x $WRAPPED_SCRIPT ]; then
    echo "** Can't find wrapped script $WRAPPED_SCRIPT" >&2
    exit 1
fi

if [ -e $BUILDROOT ]; then
    echo "** Remove old build root $BUILDROOT before running this script"
    exit 1
fi

# Do we need extra packages?
InstallRequiredPackages || exit $?

# We should be able to determine the distro now
distro=$(lsb_release -cs) ; # e.g. 'bullseye'
if [ -z "$distro" ]; then
    echo "** Can't determine current distro" >&2
    exit 1
fi

# Create the build root
log=/var/tmp/pa-build-$USER-debootstrap.log
echo "- Creating $distro build root. Log file in $log"
sudo debootstrap $distro $BUILDROOT >$log 2>&1 || {
    echo "** debootstrap failed. Check log file" >&2
    exit 1
}

# Create the config file for schroot
schroot_conf=/etc/schroot/chroot.d/pa-build-$USER.conf
echo "- Creating schroot config file $schroot_conf"
{
    echo "[pa-build-$USER]"
    echo "description=Build PA on current system for $USER"
    echo "directory=$BUILDROOT"
    echo "root-users=$USER"
    echo "users=$USER"
    echo "type=directory"
} | sudo tee $schroot_conf >/dev/null || exit $?

# Copy some files to the build root
for file in /etc/apt/sources.list; do
    echo "- Copying $file to the root"
    sudo cp $file $BUILDROOT/$file || exit $?
done

# Copy the wrapped script to the buildroot root
echo "- Copying the wrapped script to the root"
sudo cp $WRAPPED_SCRIPT $BUILDROOT/wrapped_script || exit $?
sudo chmod +x $BUILDROOT/wrapped_script || exit $?

# Run the wrapped script
log=/var/tmp/pa-build-$USER-schroot.log
echo "- Building PA sources. Log file in $log"
RunWrappedScript >$log 2>&1 || {
    echo "** schroot failed. Check log file" >&2
    exit 1
}

# Done! Remove the schroot config file as its no longer needed
echo "- Removing schroot config file and build root"
sudo rm -rf $schroot_conf $BUILDROOT

echo "- All done. Configure PA xrdp module with PULSE_DIR=$PULSE_DIR"
exit 0

[matt335672]

Hi @Precision-Tech

Thanks for feeding this back.

I'm having problems reproducing this, probably as I only have a Franken-Pi available, and that seems to be working.

What are the contents of /etc/apt/sources.list on your machine?

Thanks.

[Precision-Tech]

Here is the contents of /etc/apt/sources.list (it is the default): deb http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi # Uncomment line below then 'apt-get update' to enable 'apt-get source' # deb-src http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi Under the hood it seems to direct you to one of their mirrors, and the two mirrors my Pi connects to are: http://raspbian.mirrors.lucidnetworks.net/raspbian/ https://mirrors.gigenet.com/raspbian/raspbian/ For just a little more detail after the script failed I tried to execute the following command: schroot -c pa-build-$USER -u root -- apt-get install -y sudo This was the error: Reading package lists... Done Building dependency tree... Done E: Unable to locate package sudo Next I ran: schroot -c pa-build-$USER -u root -- apt-get update Here are the errors: Get:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease [15.0 kB] Err:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease   The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E Reading package lists... Done W: GPG error: http://raspbian.raspberrypi.org/raspbian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E E: The repository 'http://raspbian.raspberrypi.org/raspbian bullseye InRelease' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. Once the /etc/apt/trusted.gpg was copied into the $BUILDROOT everything seemed to work. It turns out coping the /etc/apt/trusted.gpg.d/ directory was not required. It should not make a difference, but this was on a Raspberry Pi 4 (and given the issues I had just getting xrdp to work it may matter) As a final side note (just in case you do get your hands on a Pi 4) to get xrdp to work I had to remove the pi user from the video and render groups. See https://raspberrypi.stackexchange.com/questions/133425/connection-problem-giving-up-on-xrdp-with-raspberry-pi-os-11-bullseye for details.

[rcfa]

Don’t remove the users from the groups, that leads to unintended consequences, like e.g. not being able to use Mathematica, etc. Instead directly work around the bug in the RasPi DRM kernel driver, and comment out the xrdp configuration statement that runs xrdp with DRM. (Removing users from the groups has indirectly the same effect). In the file /etc/X11/xrdp/xorg.conf find the line in the Section “Device” that is ‘Option “DRMDevice”…’ and comment it out. Ronald

…

Sent from my mobile device

On Feb 23, 2022, at 15:44, Precision-Tech ***@***.***> wrote:  Here is the contents of /etc/apt/sources.list (it is the default): deb http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi # Uncomment line below then 'apt-get update' to enable 'apt-get source' # deb-src http://raspbian.raspberrypi.org/raspbian/ bullseye main contrib non-free rpi Under the hood it seems to direct you to one of their mirrors, and the two mirrors my Pi connects to are:http://raspbian.mirrors.lucidnetworks.net/raspbian/https://mirrors.gigenet.com/raspbian/raspbian/ For just a little more detail after the script failed I tried to execute the following command:schroot -c pa-build-$USER -u root -- apt-get install -y sudo This was the error: Reading package lists... Done Building dependency tree... Done E: Unable to locate package sudo Next I ran: schroot -c pa-build-$USER -u root -- apt-get update Here are the errors: Get:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease [15.0 kB] Err:1 http://raspbian.raspberrypi.org/raspbian bullseye InRelease The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E Reading package lists... Done W: GPG error: http://raspbian.raspberrypi.org/raspbian bullseye InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 9165938D90FDDD2E E: The repository 'http://raspbian.raspberrypi.org/raspbian bullseye InRelease' is not signed. N: Updating from such a repository can't be done securely, and is therefore disabled by default. N: See apt-secure(8) manpage for repository creation and user configuration details. Once the /etc/apt/trusted.gpg was copied into the $BUILDROOT everything seemed to work. It turns out coping the /etc/apt/trusted.gpg.d/ directory was not required. It should not make a difference, but this was on a Raspberry Pi 4 (and given the issues I had just getting xrdp to work it may matter) As a final side note (just in case you do get your hands on a Pi 4) to get xrdp to work I had to remove the pi user from the video and render groups. See https://raspberrypi.stackexchange.com/questions/133425/connection-problem-giving-up-on-xrdp-with-raspberry-pi-os-11-bullseye for details. On Wednesday, February 23, 2022, 03:44:20 AM MST, matt335672 ***@***.***> wrote: Hi @Precision-Tech Thanks for feeding this back. I'm having problems reproducing this, probably as I only have a Franken-Pi available, and that seems to be working. What are the contents of /etc/apt/sources.list on your machine? Thanks. — Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you were mentioned.Message ID: ***@***.***> — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.

[Precision-Tech]

Thanks for the advice Ronald! I'll give the recommended changes a try this evening.  I thought there had to be a better way but I didn't come across it in my quick Google searching

[matt335672]

@Precision-Tech - Thanks for your assistance so far. I'm currently trying to see the best way to solve this.

What do these commands give you:-

lsb_release -cs
grep keyring /usr/share/debootstrap/scripts/`lsb_release -cs`
apt-key list

Thanks.

[matt335672]

PS - see also neutrinolabs/xrdp#2060 for a more detailed analysis of @rcfa's suggestion above.

[Precision-Tech]

lsb_release -cs:

bullseye

grep keyring /usr/share/debootstrap/scripts/`lsb_release -cs:

keyring /usr/share/keyrings/debian-archive-keyring.gpg

apt-key list:

Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
/etc/apt/trusted.gpg
--------------------
pub   rsa2048 2012-04-01 [SC]
      A0DA 38D0 D76E 8B5D 6388  7281 9165 938D 90FD DD2E
uid           [ unknown] Mike Thompson (Raspberry Pi Debian armhf ARMv6+VFP) <mpthompson@gmail.com>
sub   rsa2048 2012-04-01 [E]

/etc/apt/trusted.gpg.d/raspberrypi-archive-stable.gpg
-----------------------------------------------------
pub   rsa2048 2012-06-17 [SC]
      CF8A 1AF5 02A2 AA2D 763B  AE7E 82B1 2992 7FA3 303E
uid           [ unknown] Raspberry Pi Archive Signing Key
sub   rsa2048 2012-06-17 [E]

[matt335672]

The problem seems to be related to /usr/share/debootstrap/scripts/bullseye which on my system is a symlink to /usr/share/debootstrap/scripts/sid.

This file is telling the debootstrap utility to use /usr/share/keyrings/debian-archive-keyring.gpg. This is fine for a Debian bullseye machine, but not a PI, as the packages are signed with a different key.

Can you edit the original script, and make this change?

Replace this line (130):-

sudo debootstrap $distro $BUILDROOT >$log 2>&1 || {

with

sudo debootstrap --keyring=/etc/apt/trusted.gpg $distro $BUILDROOT >$log 2>&1 || {

I'm trying to come up with something which will work with other Debian derivatives.

Thanks again for your help with investigating this.

[Precision-Tech]

Happy to try and help!

Changing line 130 results in the following:

cat /var/tmp/pa-build-pi-debootstrap.log
I: Target architecture can be executed
I: Retrieving InRelease
I: Checking Release signature
E: Release signed by unknown key (key id 605C66F00D6C9793)
   The specified keyring /etc/apt/trusted.gpg may be incorrect or out of date.
   You can find the latest Debian release key at https://ftp-master.debian.org/keys.html

[Precision-Tech]

Maybe adding this to line 130 would help?

--no-check-gpg
              Disables checking gpg signatures of retrieved Release files.

[Precision-Tech]

Changing line 130 to sudo debootstrap --keyring=/etc/apt/trusted.gpg --no-check-gpg $distro $BUILDROOT >$log 2>&1 || { gets us past the error above. However, this is still an issue:

cat /var/tmp/pa-build-pi-schroot.log
Reading package lists...
Building dependency tree...
E: Unable to locate package sudo
E: Unable to locate package lsb-release
/bin/sh: 1: cannot create /etc/sudoers.d/nopasswd-pi: Directory nonexistent
chmod: cannot access '/etc/sudoers.d/nopasswd-pi': No such file or directory
/wrapped_script: 55: lsb_release: not found
/wrapped_script: 55: lsb_release: not found

[matt335672]

We seem to be in a bit of a mess, as the handle bullseye means two separate things:-

1. The Debian bullseye release
2. The Raspberry PI OS.

The debootstrap command is defaulting to a Debian mirror http://deb.debian.org/debian rather than the raspbian mirror. The URL is hard-coded in the command (which is a shell script). That explains your first error. The key 605C66F00D6C9793 is a (very) recent Debian signing key:-

$ gpg --search-key 605C66F00D6C9793
gpg: data source: http://162.213.33.9:11371
(1)	Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.o
	  4096 bit RSA key 605C66F00D6C9793, created: 2021-02-13

I'm not keen on the --no-check-gpg as you're downloading stuff from the Internet here (probably over vanilla http) which will run with privilege. It's probably OK on a company LAN.

Try this line 130:-

sudo debootstrap --keyring=/etc/apt/trusted.gpg $distro $BUILDROOT http://raspbian.raspberrypi.org/raspbian >$log 2>&1 || {

On my AMD64 machine I get past the error you had earlier, but then get E: Invalid Release file, no entry for main/binary-amd64/Packages. I can see why!

[Precision-Tech]

I 100% agree that --no-check-gpg was not an ideal solution.

Changing line 130 to:

sudo debootstrap --keyring=/etc/apt/trusted.gpg $distro $BUILDROOT http://raspbian.raspberrypi.org/raspbian >$log 2>&1 || {

did resolve the issue!

Seems like there might need to be some logic to check if bullseye then check if is Raspbian for this to work in the general case, but this does work in the single use case of installing on Raspbian

[Precision-Tech]

Checking /etc/os-release comes to mind, but I am not sure how reliable it is:

cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 11 (bullseye)"
NAME="Raspbian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"

[matt335672]

What I might do is add some way to specify the mirror and keyring to the script, and then add a note on the Wiki.

That means less changes when a similar things happens for another SBC - there are quite a few of them.

[matt335672]

Working on this here:-

https://github.com/matt335672/pulseaudio-module-xrdp/tree/specify_mirror

Direct download link to the update script is:-

https://raw.githubusercontent.com/matt335672/pulseaudio-module-xrdp/specify_mirror/scripts/install_pulseaudio_sources_apt_wrapper.sh

Copy this over your existing script, then this should work:-

./install_pulseaudio_sources_apt_wrapper.sh --mirror=http://raspbian.raspberrypi.org/raspbian --keyring=/etc/apt/trusted.gpg

Let me know, then I can commit this and update the Wiki.

[Precision-Tech]

It works, thank you for all your support with this issue!

[matt335672]

@Precision-Tech - thank you for raising this, and particularly in helping me find a good resolution. I've updated the Wiki for Raspberry PI OS now.