Postinst script for dpkg package does not work in chroot'ed environment #7146

fiesh opened this issue Jan 30, 2025 · 5 comments

@fiesh

fiesh commented Jan 30, 2025

Using a supported version?

  • I have searched open and closed issues for duplicates.
  • I am using Signal-Desktop as provided by the Signal team, not a 3rd-party package.

Overall summary

We use a chroot environment to maintain our diskless clients' boot images. The postinst script has a call

apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_TARGET"

which one doesn't want to have in a chroot environment, and it fails for us. This means I typically remove the call from the postinst file manually.

I think utilizing ischroot(1) would be the correct approach here?

Steps to reproduce

On Ubuntu noble

# mkdir -p /srv/chroottest
# debootstrap noble /srv/chroottest
...
# cat > /etc/schroot/chroot.d/chroottest.conf <<EOF
[chroottest]
type=directory
directory=/srv/chroottest
EOF
# schroot -c chroottest
(chroottest)root@wsbox:~# apt-get install -yqq wget gpg apparmor
(chroottest)root@wsbox:~# wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
...
(chroottest)root@wsbox:~# cat signal-desktop-keyring.gpg | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
(chroottest)root@wsbox:~# echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' |\
  sudo tee /etc/apt/sources.list.d/signal-xenial.list
...
(chroottest)root@wsbox:~# apt update && apt -y install signal-desktop
...
unshare: unshare failed: Operation not permitted
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
dpkg: error processing package signal-desktop (--configure):
 installed signal-desktop package post-installation script subprocess returned error exit status 1
Processing triggers for hicolor-icon-theme (0.17-2) ...
Errors were encountered while processing:
 signal-desktop
E: Sub-process /usr/bin/dpkg returned an error code (1)

Expected result

Exit code 0

Actual result

Exit code 100

Screenshots

No response

Signal version

7.40.0

Operating system

Ubuntu 24.04

Version of Signal on your phone

No response

Link to debug log

No response

@fiesh
Author

fiesh commented Feb 3, 2025

Changing signal-desktop.postinst's problematic line to

if ! { [ -x '/usr/bin/ischroot' ] && ischroot; } && hash apparmor_parser 2>/dev/null; then

fixes the issue for me. But I can't create a pull request since I cannot find the repository this file is in. I'd be grateful for feedback.
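
Added example (not part of the original thread and not electron-builder's template): a postinst-style shell fragment that handles the three ischroot(1) exit codes separately (0 in a chroot, 1 not in a chroot, 2 detection not possible) rather than folding them into one test. The `ISCHROOT` and `APPARMOR_PARSER` variables, the function names, and the choice to tolerate a failed load when the chroot status is unknown are assumptions of this example.

```shell
#!/bin/sh
# Added example: hypothetical postinst fragment, not the electron-builder template.
# ISCHROOT and APPARMOR_PARSER are assumed override hooks so the logic can be
# exercised with stubs; they default to the real tools.
ISCHROOT="${ISCHROOT:-ischroot}"
APPARMOR_PARSER="${APPARMOR_PARSER:-apparmor_parser}"

# Print what the postinst should do with the profile:
#   load           - not in a chroot: load into the running kernel, failure is fatal
#   try            - chroot status unknown: attempt the load but tolerate failure
#   skip-chroot    - inside a chroot: the running kernel belongs to the host
#   skip-no-parser - AppArmor userspace tools are not installed
profile_action() {
    if ! command -v "$APPARMOR_PARSER" >/dev/null 2>&1; then
        echo skip-no-parser
        return 0
    fi
    if ! command -v "$ISCHROOT" >/dev/null 2>&1; then
        echo try          # no detector available
        return 0
    fi
    rc=0
    "$ISCHROOT" || rc=$?  # ischroot(1): 0 = chroot, 1 = not a chroot, 2 = cannot tell
    case "$rc" in
        0) echo skip-chroot ;;
        1) echo load ;;
        *) echo try ;;
    esac
}

# Apply the decision to one profile path.
load_profile() {
    profile="$1"
    case "$(profile_action)" in
        load)
            "$APPARMOR_PARSER" --replace --write-cache --skip-read-cache "$profile"
            ;;
        try)
            "$APPARMOR_PARSER" --replace --write-cache --skip-read-cache "$profile" ||
                echo "warning: could not load $profile now" >&2
            ;;
        *)
            echo "not loading $profile into the running kernel" >&2
            ;;
    esac
}
```

In a real maintainer script, `load_profile "$APPARMOR_PROFILE_TARGET"` would replace the direct `apparmor_parser` call; the profile file itself is still installed in every case, only the load into the running kernel is conditional.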

@ayumi-signal
Contributor

Hi, sorry for this issue. I believe the logic to add an apparmor profile comes from an upstream package electron-builder:
https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/templates/linux/after-install.tpl#L49

Reading the script I wonder if skipping install of apparmor allows signal-desktop to install successfully? An alternative is to ask the electron-builder maintainers if there's a way to support chroot.

We don't have many resources for less common Linux setups but I'll leave this open for tracking.

@fiesh
Author

fiesh commented Feb 4, 2025

@ayumi-signal Thank you very much, I'll raise an issue with them! Regarding your question: If the chroot environment is only for building an image, like in our case, live updating of apparmor is irrelevant on the host system anyway.

@fiesh
Author

fiesh commented Feb 6, 2025

My PR in electron-userland was merged into its master branch. So I think this issue can be closed as soon as the version of electron-userland used in here is recent enough to include the change.

@ayumi-signal
Contributor

@fiesh Amazing! Thanks so much for looking into it.
