[Piuparts-devel] Bug#1114537: piuparts: Error when host /etc/apt/sources.list contains [signed-by=]

Philippe SWARTVAGHER phil.swart at gmx.fr
Sat Sep 6 17:36:54 BST 2025 

Package: piuparts
Version: 1.6.0
Severity: normal

Dear Maintainer,

I'm executing piuparts through sbuild. I setup sbuild as instructed in
the wiki https://wiki.debian.org/sbuild.

My configuration of sbuild related to piuparts is the following:

$run_piuparts = 1;
$piuparts_opts = ['--distribution=%r', '--bootstrapcmd=mmdebstrap 
--skip=check/empty --variant=minbase --aptopt="Acquire::http { Proxy 
\"http://192.168.3.55:3142\"; }"'];

I noticed that if the /etc/apt/sources.list of the host is the
following:

deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] 
http://ftp.fr.debian.org/debian/ unstable main non-free-firmware
deb-src [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] 
http://ftp.fr.debian.org/debian/ unstable main non-free-firmware

I get an error during the execution of piuparts:

% sbuild hello
[...]
0m0.0s DEBUG: Setting up minimal chroot for unstable at /tmp/tmp0rgv7d44.
0m0.0s DEBUG: Starting command: ['mmdebstrap', '--skip=check/empty', 
'--variant=minbase', '--aptopt=Acquire::http { Proxy 
"http://192.168.3.55:3142"; }', 
'--keyring=/usr/share/keyrings/debian-archive-keyring.gpg', 
'--include=eatmydata', '--merged-usr', 
'--components=unstable,main,non-free-firmware', 'unstable', 
'/tmp/tmp0rgv7d44', 
'[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]']
0m0.3s DUMP:
   I: the option --merged-usr is a no-op. It only exists for 
compatibility with some debootstrap wrappers.
   I: automatically chosen mode: root
   I: chroot architecture amd64 is equal to the host's architecture
   I: finding correct signed-by value...
   E: invalid mirror: 
[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]
0m0.3s ERROR: Command failed (status=25): ['mmdebstrap', 
'--skip=check/empty', '--variant=minbase', '--aptopt=Acquire::http { 
Proxy "http://192.168.3.55:3142"; }', 
'--keyring=/usr/share/keyrings/debian-archive-keyring.gpg', 
'--include=eatmydata', '--merged-usr', 
'--components=unstable,main,non-free-firmware', 'unstable', 
'/tmp/tmp0rgv7d44', 
'[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]']
   I: the option --merged-usr is a no-op. It only exists for 
compatibility with some debootstrap wrappers.
   I: automatically chosen mode: root
   I: chroot architecture amd64 is equal to the host's architecture
   I: finding correct signed-by value...
   E: invalid mirror: 
[signed-by=/usr/share/keyrings/debian-archive-keyring.gpg]


However, if I remove the [signed-by=] from the sources.list:

deb http://ftp.fr.debian.org/debian/ unstable main non-free-firmware
deb-src http://ftp.fr.debian.org/debian/ unstable main non-free-firmware

it works fine:

0m0.0s DEBUG: Starting command: ['mmdebstrap', '--skip=check/empty', 
'--variant=minbase', '--aptopt=Acquire::http { Proxy 
"http://192.168.3.55:3142"; }', 
'--keyring=/usr/share/keyrings/debian-archive-keyring.gpg', 
'--include=eatmydata', '--merged-usr', 
'--components=main,non-free-firmware', 'unstable', '/tmp/tmpjhhhbwky', 
'http://ftp.fr.debian.org/debian/']
0m7.3s DUMP:
   I: the option --merged-usr is a no-op. It only exists for 
compatibility with some debootstrap wrappers.
   I: automatically chosen mode: root
   I: chroot architecture amd64 is equal to the host's architecture
   I: finding correct signed-by value...
   I: automatically chosen format: directory
   I: skipping check/empty as requested
   I: running apt-get update...
   I: downloading packages with apt...
   I: extracting archives...
   mount: /tmp/tmpjhhhbwky/sys: permission denied.
          dmesg(1) may have more information after failed mount system call.
   I: installing essential packages...
   I: installing remaining packages inside the chroot...
   I: cleaning package lists and apt cache...
   I: success in 7.1120 seconds

If you compare the arguments of the mmdebstrap command, it seems
"[signed-by=...]" is not ignored and is considered as the URL of the
repository.

The workaround for me was to remove these [signed-by=...] from my
sources.list (which doesn't seem to bother apt for
update/ugprade/install).

I don't know how you want to handle this bug, since it seems the new
default format for sources.list is now deb822, but I didn't try with
this format, maybe the bug does not occur.


Philippe.


-- System Information:
Debian Release: forky/sid
   APT prefers unstable-debug
   APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.16.3+deb14-amd64 (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE 
not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages piuparts depends on:
ii  debsums          3.0.2.3
ii  libjs-sphinxdoc  8.2.3-5
ii  lsb-release      12.1-1
ii  lsof             4.99.4+dfsg-2
ii  mount            2.41.1-2
ii  piuparts-common  1.6.0
ii  python3          3.13.7-1
ii  python3-debian   1.0.1

Versions of packages piuparts recommends:
ii  adequate     0.17.6+b1
ii  debootstrap  1.0.141
ii  mmdebstrap   1.5.7-3

Versions of packages piuparts suggests:
ii  docker.io  26.1.5+dfsg1-9+b9
ii  schroot    1.6.13-7
ii  uidmap     1:4.18.0-1

-- no debconf information

More information about the Piuparts-devel mailing list