debootstrap我们有一个自动化的构建和部署过程,用于apt在构建服务器上构建之后直接为我们的产品之一创建映像文件。
这sources.list有点奇怪,但只要目标主机工作就可以工作不是信任用于签署版本的 GPG 密钥:
root@host:/# cat /etc/apt/sources.list
deb http://buildserver.mycompany.com/project/deploy-test ./
虽然密钥不受信任,但调用apt-get update有效且一切正常:
root@host:/# cat /etc/apt/sources.list
deb http://buildserver.mycompany.com/project/deploy-test ./
root@host:/# apt-get update
Hit http://buildserver.mycompany.com ./ Release.gpg
Hit http://buildserver.mycompany.com ./ Release
Ign http://buildserver.mycompany.com ./ Release
Ign http://buildserver.mycompany.com ./ Packages/DiffIndex
Hit http://buildserver.mycompany.com ./ Packages
Ign http://buildserver.mycompany.com ./ Translation-en
Reading package lists... Done
W: GPG error: http://buildserver.mycompany.com ./ Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 65F8A65265A41039
root@host:/# echo $?
0
如果我添加构建服务器的密钥,事情就会开始变得奇怪:
root@host:/# apt-key add /etc/apt/buildserver.gpg
OK
root@host:/# apt-get update
Get:1 http://buildserver.mycompany.com ./ Release.gpg [490 B]
Hit http://buildserver.mycompany.com ./ Release
Fetched 490 B in 0s (17.4 kB/s)
W: Failed to fetch http://buildserver.mycompany.com/project/deploy-test/./Release Unable to find expected entry 'Packages' in Release file (Wrong sources.list entry or malformed file)
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@host:/# echo $?
100
互联网上的研究表明,该Packages文件要么在网络服务器上丢失(不是,只是200 服务器日志中所有请求的状态响应),要么Release文件中缺少校验和。但这种情况并非如此:
root@host:~$ curl http://buildserver.mycompany.com/project/deploy-test/./Release | grep Packages
dc7048e30031d700ec50c0ea084f69da 606332 Packages
6a601e7da66b2a518bdf901ef95b53b5 171774 Packages.gz
任何可能导致此行为的提示都非常感谢。提前致谢!