make template fails with paxctl error

[sssoleileraaa]

Parent issue: freedomofpress/securedrop-workstation#600

make template fails now because it can't seem to find paxctld. Note that as of today we are hosting paxctld here: https://apt.freedom.press/pool/main/p/paxctld/paxctld_1.2.5-1_amd64.deb (and on apt-test).

distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 securedrop-workstation-grsec : Depends: paxctld but it is not installable
E: Unable to correct problems, you have held broken packages.
Removing 'local diversion of /sbin/initctl to /sbin/initctl.distrib'
make[2]: *** [Makefile:66: rootimg-build] Error 100
make[2]: Leaving directory '/home/user/qubes-template-securedrop-workstation/qubes-builder/qubes-src/linux-template-builder'

[sssoleileraaa]

@legoktm @eaon - I added this as a release blocker and should be able to debug more next week. Wondering if either of you can confirm the issue?

[legoktm]

Slightly above the error you pasted is:

Ign:1 https://apt.freedom.press buster InRelease
Hit:2 https://deb.debian.org/debian bullseye InRelease
Get:3 https://apt.freedom.press buster Release [949 B]
Hit:4 https://deb.debian.org/debian-security bullseye-security InRelease
Get:5 https://apt.freedom.press buster Release.gpg [833 B]
Get:6 https://apt.freedom.press buster/main amd64 Packages [3232 B]
Hit:7 https://deb.qubes-os.org/r4.1/vm bullseye InRelease

1. we're using the buster repo, not bullseye, 2) we're using apt and not apt-test

[legoktm]

Trying:

diff --git a/securedrop-workstation/04_install_qubes_post.sh b/securedrop-workstation/04_install_qubes_post.sh
index efd9825..c097195 100755
--- a/securedrop-workstation/04_install_qubes_post.sh
+++ b/securedrop-workstation/04_install_qubes_post.sh
@@ -37,7 +37,7 @@ mount --bind /dev "${INSTALLDIR}/dev"
 
 aptInstall apt-transport-https qubes-vm-recommended
 
-[ -n "$workstation_repository_suite" ] || workstation_repository_suite="buster"
+[ -n "$workstation_repository_suite" ] || workstation_repository_suite="bullseye"
 [ -n "$workstation_signing_key_fingerprint_2020" ] || workstation_signing_key_fingerprint_2020="22245C81E3BAEB4138B36061310F561200F4AD77"
 [ -n "$workstation_signing_key_file_2020" ] || workstation_signing_key_file_2020="$BUILDER_DIR/$SRC_DIR/template-securedrop-workstation/keys/release-key-LEGACY.asc"
 [ -n "$workstation_signing_key_fingerprint_2021" ] || workstation_signing_key_fingerprint_2021="2359E6538C0613E652955E6C188EDD3B7B22E6A3"
@@ -58,6 +58,9 @@ $chroot_cmd apt-key adv --fingerprint "$workstation_signing_key_fingerprint_2020
 $chroot_cmd apt-key add - < "$workstation_signing_key_file_2021"
 ## Sanity test. apt-key adv would exit non-zero if not exactly that fingerprint in apt's keyring.
 $chroot_cmd apt-key adv --fingerprint "$workstation_signing_key_fingerprint_2021"
+## TESTING ONLY
+$chroot_cmd apt-key add - < "$BUILDER_DIR/$SRC_DIR/template-securedrop-workstation/keys/test-key.asc"
+## END TESTING ONLY
 
 echo "${INSTALLDIR}/$workstation_repository_list"
 echo "$workstation_repository_apt_line" > "${INSTALLDIR}/$workstation_repository_list"