
Postinst script for dpkg package does not work in chroot'ed environment

Open fiesh opened this issue 11 months ago • 5 comments

Using a supported version?

  • [x] I have searched open and closed issues for duplicates.
  • [x] I am using Signal-Desktop as provided by the Signal team, not a 3rd-party package.

Overall summary

We use a chroot environment to maintain our diskless clients' boot images. The postinst script has a call

apparmor_parser --replace --write-cache --skip-read-cache "$APPARMOR_PROFILE_TARGET"

which one doesn't want to have in a chroot environment, and it fails for us. This means I typically remove the call from the postinst file manually.

I think utilizing ischroot(1) would be the correct approach here?

Steps to reproduce

On Ubuntu noble

# mkdir -p /srv/chroottest
# debootstrap noble /srv/chroottest
...
# cat > /etc/schroot/chroot.d/chroottest.conf <<EOF
[chroottest]
type=directory
directory=/srv/chroottest
EOF
# schroot -c chroottest
(chroottest)root@wsbox:~# apt-get install -yqq wget gpg apparmor
(chroottest)root@wsbox:~# wget -O- https://updates.signal.org/desktop/apt/keys.asc | gpg --dearmor > signal-desktop-keyring.gpg
...
(chroottest)root@wsbox:~# cat signal-desktop-keyring.gpg | sudo tee /usr/share/keyrings/signal-desktop-keyring.gpg > /dev/null
(chroottest)root@wsbox:~# echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main' |\
  sudo tee /etc/apt/sources.list.d/signal-xenial.list
...
(chroottest)root@wsbox:~# apt update && apt -y install signal-desktop                                     
...
unshare: unshare failed: Operation not permitted
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
dpkg: error processing package signal-desktop (--configure):
 installed signal-desktop package post-installation script subprocess returned error exit status 1
Processing triggers for hicolor-icon-theme (0.17-2) ...
Errors were encountered while processing:
 signal-desktop
E: Sub-process /usr/bin/dpkg returned an error code (1)

Expected result

Exit code 0

Actual result

Exit code 100

Screenshots

No response

Signal version

7.40.0

Operating system

Ubuntu 24.04

Version of Signal on your phone

No response

Link to debug log

No response

fiesh avatar Jan 30 '25 09:01 fiesh

Changing signal-desktop.postinst's problematic line to

if ! { [ -x '/usr/bin/ischroot' ] && ischroot; } && hash apparmor_parser 2>/dev/null; then

fixes the issue for me. But I can't create a pull request since I cannot find the repository this file is in. I'd be grateful for feedback.

fiesh avatar Feb 03 '25 10:02 fiesh
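
A guard of the kind proposed in the comment above, written out as a reusable maintainer-script helper. This is an added example, not code from the issue, from Signal or from electron-builder; it goes beyond the chroot case by also checking whether the running kernel has AppArmor enabled. The names `ISCHROOT_PROBE`, `AA_PARSER`, `AA_ENABLED_FILE`, `apparmor_load_decision` and `load_profile_if_possible` are assumptions introduced here.

```shell
#!/bin/sh
# Added example: a maintainer-script guard, not electron-builder's template.
# The three variables below are assumptions introduced so the probes can be
# swapped out when exercising the logic without root.
: "${ISCHROOT_PROBE:=ischroot}"
: "${AA_PARSER:=apparmor_parser}"
: "${AA_ENABLED_FILE:=/sys/module/apparmor/parameters/enabled}"

# Prints "load" and returns 0 when it is safe to call apparmor_parser;
# otherwise prints the reason for skipping and returns 1.
apparmor_load_decision() {
    if ! command -v "$AA_PARSER" >/dev/null 2>&1; then
        echo "skip: apparmor_parser not installed"; return 1
    fi
    # ischroot(1) exits 0 inside a chroot, 1 outside, 2 if it cannot tell.
    # Only a definite 0 skips; a missing ischroot counts as "not a chroot".
    if command -v "$ISCHROOT_PROBE" >/dev/null 2>&1 && "$ISCHROOT_PROBE"; then
        echo "skip: running inside a chroot"; return 1
    fi
    # This file reads "Y" when AppArmor is enabled in the running kernel.
    if [ ! -r "$AA_ENABLED_FILE" ] || [ "$(cat "$AA_ENABLED_FILE")" != "Y" ]; then
        echo "skip: AppArmor not enabled in the running kernel"; return 1
    fi
    echo "load"
}

# Hypothetical postinst step: a skipped load must not fail the configure phase.
load_profile_if_possible() {
    profile=$1
    if reason=$(apparmor_load_decision); then
        "$AA_PARSER" --replace --write-cache --skip-read-cache "$profile"
    else
        echo "AppArmor profile not loaded ($reason)" >&2
    fi
}

# Report the decision for the current machine without touching any profile.
apparmor_load_decision || true
```

The profile file itself is still installed in every case; only the live load into the kernel is skipped, so the profile takes effect once the image boots on a host with AppArmor enabled.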

Hi, sorry for this issue. I believe the logic to add an apparmor profile comes from an upstream package electron-builder: https://github.com/electron-userland/electron-builder/blob/master/packages/app-builder-lib/templates/linux/after-install.tpl#L49

Reading the script I wonder if skipping install of apparmor allows signal-desktop to install successfully? An alternative is to ask the electron-builder maintainers if there's a way to support chroot.

We don't have much resources for less common Linux setups but I'll leave this open for tracking.

ayumi-signal avatar Feb 04 '25 00:02 ayumi-signal

@ayumi-signal Thank you very much, I'll raise an issue with them! Regarding your question: If the chroot environment is only for building an image, like in our case, live updating of apparmor is irrelevant on the host system anyway.

fiesh avatar Feb 04 '25 06:02 fiesh

My PR in electron-userland was merged into its master branch. So I think this issue can be closed as soon as the version of electron-userland used in here is recent enough to include the change.

fiesh avatar Feb 06 '25 07:02 fiesh

@fiesh Amazing! Thanks so much for looking into it.

ayumi-signal avatar Feb 06 '25 17:02 ayumi-signal

I'm seeing this on non-chrooted Ubuntu 24.04 running the latest Xanmod kernel (6.13.5-x64v3-xanmod1) and trying to configure signal-desktop 7.45.1.

Still not quite vanilla Ubuntu, but getting closer. I'm not a developer, so I'm not sure if it's the same thing and/or if it will be addressed soon in repositories.

EDIT: I should mention that the program is still working though, possibly using a config from the pre-upgraded packages.

AATLEMIDRM avatar Mar 10 '25 04:03 AATLEMIDRM

> I'm seeing this on non-chrooted Ubuntu 24.04 running the latest Xanmod kernel (6.13.5-x64v3-xanmod1) and trying to configure signal-desktop 7.45.1.
>
> Still not quite vanilla Ubuntu, but getting closer. I'm not a developer, so I'm not sure if it's the same thing and/or if it will be addressed soon in repositories.
>
> EDIT: I should mention that the program is still working though, possibly using a config from the pre-upgraded packages.

More importantly, does the change from the PR in electron-builder fix it for you?

fiesh avatar Mar 10 '25 06:03 fiesh

My techie friends describe me as a power end user, not a full on techie. I therefore freely admit that I have no idea how to test that. I might be able to with some guidance, though.

AATLEMIDRM avatar Mar 10 '25 12:03 AATLEMIDRM

> My techie friends describe me as a power end user, not a full on techie. I therefore freely admit that I have no idea how to test that. I might be able to with some guidance, though.

If you apply the changes from https://github.com/electron-userland/electron-builder/pull/8843/files#diff-ce484dcb54be40b46ebfd55f8447dd6fcbd028bc84bd5df28daa78fc1df2f518 to your local /var/lib/dpkg/info/signal-desktop.postinst, your postinst step should work. Never mind, there is no way this fix can help you if you're not in a chrooted environment.

fiesh avatar Mar 10 '25 12:03 fiesh

Yeah, that's kind of the reason that I bring it up.

To be more specific, I am running sudo apt upgrade && sudo apt update signal-desktop and getting an identical error message to the original report. Every apt update since I'm getting an attempted configuration of signal-desktop. I am using the https://updates.signal.org/desktop/apt xenial main repository.

I do keep vmlinuz-6.8.0-55-generic (the latest from the Ubuntu repository) installed just in case. I can boot into that and try to update and see if that fixes the problem, but I'm loath to do so in the fear that if it works I might not be able to test for you.

The error message, copied from my terminal just in case I am not looking at the same bug:

Setting up signal-desktop (7.45.1) ...
update-alternatives is /usr/bin/update-alternatives
Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
dpkg: error processing package signal-desktop (--configure):
 installed signal-desktop package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 signal-desktop

AATLEMIDRM avatar Mar 10 '25 12:03 AATLEMIDRM

Given that you're not in a chroot environment, I suspect your kernel actually really does not support AppArmor. Which begs the question why. I think this would best be addressed by the Xanmod community.

fiesh avatar Mar 10 '25 12:03 fiesh

Nope, no need to bother them. I'm an idiot and forgot to add it back to my grub options. Sorry for the false alarm, and thanks for the help. Resolved.

AATLEMIDRM avatar Mar 10 '25 12:03 AATLEMIDRM

I'm on a vanilla Ubuntu 24.04 and got the same "Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)" message and a failure to install the package.

Probably the same, apparmor is not enabled, but apparently it's not a given that that is the case?

jorismak avatar Mar 12 '25 09:03 jorismak

Apparently it is a new requirement of the signal package, this also happened to me, on Debian with the liquorix kernel.

We can check what are the kernel options of the system.

cat /proc/cmdline

If apparmor is missing we edit /etc/default/grub and ADD the lsm option to the ones that you may already have:

GRUB_CMDLINE_LINUX_DEFAULT="lsm=landlock,lockdown,yama,integrity,apparmor,bpf"

Then

sudo update-grub2

Reboot the system and reinstall signal

vejeta avatar Mar 13 '25 10:03 vejeta
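
The check described in the comment above, as an added example that is not part of the original thread: a classifier for the kernel command line that reports whether it switches AppArmor off, asks for it explicitly, or leaves the choice to the kernel's built-in LSM list. The function name `classify_cmdline` and the sample command lines in the comments are constructed for illustration.

```shell
#!/bin/sh
# classify_cmdline "<kernel command line>" prints one of:
#   disabled  - the command line keeps AppArmor from being initialised
#   requested - the command line explicitly includes AppArmor
#   default   - nothing relevant given; the kernel's built-in LSM list decides
# Constructed sample inputs:
#   "ro quiet lsm=landlock,lockdown,yama,integrity,apparmor,bpf" -> requested
#   "ro quiet lsm=landlock,yama,bpf"                             -> disabled
classify_cmdline() {
    lsm="" security="" aa=""
    set -f                      # no globbing while word-splitting the line
    for tok in $1; do           # a later occurrence overrides an earlier one
        case "$tok" in
            lsm=*)      lsm=${tok#lsm=} ;;
            security=*) security=${tok#security=} ;;
            apparmor=*) aa=${tok#apparmor=} ;;
        esac
    done
    set +f
    # apparmor=0 disables the module regardless of the LSM list.
    if [ "$aa" = "0" ]; then echo disabled; return; fi
    # lsm= replaces the built-in list, and security= is ignored when it is set.
    if [ -n "$lsm" ]; then
        case ",$lsm," in
            *,apparmor,*) echo requested ;;
            *)            echo disabled ;;
        esac
        return
    fi
    # Legacy security= selects one major LSM; any other choice excludes AppArmor.
    if [ -n "$security" ]; then
        if [ "$security" = apparmor ]; then echo requested; else echo disabled; fi
        return
    fi
    echo default
}

# On the current machine: the verdict for the boot command line, then the
# LSMs the kernel actually activated (securityfs must be mounted).
if [ -r /proc/cmdline ]; then
    echo "cmdline verdict: $(classify_cmdline "$(cat /proc/cmdline)")"
fi
if [ -r /sys/kernel/security/lsm ]; then
    echo "active LSMs: $(cat /sys/kernel/security/lsm)"
fi
```

A `default` verdict together with an active LSM list that lacks `apparmor` means the kernel build itself leaves AppArmor out of its default list, which is when adding it through `lsm=` as described above is needed.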

yeah, I managed to install it by enabling apparmor, because there was a file in grub.d/apparmor file that disabled it. It had a date/time of the install date of the system, I never touched it. So, depending on some factors Ubuntu installs with apparmor disabled, apparently?

Anyway, if it comes from upstream electron I guess not the problem for here. Maybe put a hint on the docs for installing it.

jorismak avatar Mar 13 '25 11:03 jorismak

This is caused by a bug in electron-builder. Please update to electron-builder 26.0.11+ to fix this issue.

gaaf avatar Mar 18 '25 17:03 gaaf

Confirmed gaaf's fix -- if you want to fix it now you'll need to drop the dmg-patcher patch put in (but that doesn't change anything on Linux!) and it'll build and install correctly

frothedoatmilk avatar Apr 10 '25 00:04 frothedoatmilk

I just happily updated to signal-desktop version 7.50.0 on Ubuntu and it worked like a charm \o/

So closing this issue.

fiesh avatar Apr 11 '25 11:04 fiesh