Installation fails on Ubuntu 24.04
I have a freshly installed Ubuntu 24.04.2 machine. I tried to install the sift stack with
root@sift-workstation:/home/sift# cast install --mode=server [email protected]
according to https://github.com/teamdfir/sift/issues/660#issuecomment-2917943794. The installation finishes; however, in the end I have 16 failed components, and I noticed that for some reason some IPs were not found
...
INFO[1632] state completed component=installer duration=33.74 state=/usr/local/bin/sqlecmd time_begin="09:52:51.375307" time_end="09:52:51.409048"
INFO[1632] state completed component=installer duration=3.676 state=/tmp/SQLECmd.zip time_begin="09:52:51.414401" time_end="09:52:51.418077"
INFO[1633] state completed component=installer duration=1665.801 state=/tmp/WxTCmd.zip time_begin="09:52:51.418377" time_end="09:52:53.084178"
INFO[1634] state completed component=installer duration=215.661 state=/opt/zimmermantools/ time_begin="09:52:53.084381" time_end="09:52:53.300043"
INFO[1634] state completed component=installer duration=2.521 state=/usr/local/bin/WxTCmd time_begin="09:52:53.300225" time_end="09:52:53.302746"
INFO[1634] state completed component=installer duration=2.204 state=/usr/local/bin/wxtcmd time_begin="09:52:53.302904" time_end="09:52:53.305109"
INFO[1634] state completed component=installer duration=1.542 state=/tmp/WxTCmd.zip time_begin="09:52:53.307383" time_end="09:52:53.308925"
INFO[1634] state completed component=installer duration=0.578 state=sift-scripts time_begin="09:52:53.320027" time_end="09:52:53.320606"
INFO[1635] log file location component=installer file=/var/cache/cast/installer/logs/saltstack.log
INFO[1635] results file location component=installer file=/var/cache/cast/installer/logs/results.yaml
WARN[1635] first failed state comment="Failed to configure repo 'deb http://ports.ubuntu.com/ubuntu-ports/ noble-security multiverse': E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble-security/multiverse/binary-amd64/Packages 404 Not Found [IP: 185.125.190.36 80] E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble/multiverse/binary-amd64/Packages 404 Not Found [IP: 185.125.190.36 80] E: Some index files failed to download. They have been ignored, or old ones used instead." component=installer run_num=12 sls=sift.repos.ubuntu-multiverse
INFO[1635] statistics component=installer failed=16 success=679 total=695
INFO[1635] salt-call completed but had failed states component=installer
FATA[1635] salt-call completed but had failed states
I had similar issues with Ubuntu 22.04. Any idea what's wrong here, or do you maybe have any advice on what I can try to get SIFT up and running? :)
Thank you.
That's usually a sign that apt update wasn't run, but usually that happens during an install. I would manually run an apt-get update and re-run the install. The install is idempotent; you can run it as many times as you want, and it'll fix what needs to be fixed, install what is missing, etc.
Thank you for the super-fast feedback :-). Unfortunately, apt-get update doesn't seem to solve the problem
root@sift-workstation:/home/sift# apt-get update
Hit:1 http://de.archive.ubuntu.com/ubuntu noble InRelease
Hit:2 http://de.archive.ubuntu.com/ubuntu noble-updates InRelease
Hit:3 https://download.docker.com/linux/ubuntu noble InRelease
Hit:4 http://de.archive.ubuntu.com/ubuntu noble-backports InRelease
Get:5 http://ports.ubuntu.com/ubuntu-ports noble-security InRelease [126 kB]
Get:6 http://ports.ubuntu.com/ubuntu-ports noble InRelease [256 kB]
Ign:7 http://ports.ubuntu.com/ubuntu-ports noble-security/multiverse amd64 Packages
Get:8 http://ports.ubuntu.com/ubuntu-ports noble-security/multiverse Translation-en [3792 B]
Get:9 http://ports.ubuntu.com/ubuntu-ports noble-security/multiverse amd64 Components [208 B]
Err:7 http://ports.ubuntu.com/ubuntu-ports noble-security/multiverse amd64 Packages
404 Not Found [IP: 185.125.190.36 80]
Ign:7 http://ports.ubuntu.com/ubuntu-ports noble-security/multiverse amd64 Packages
Err:7 http://ports.ubuntu.com/ubuntu-ports noble-security/multiverse amd64 Packages
404 Not Found [IP: 185.125.190.36 80]
Ign:7 http://ports.ubuntu.com/ubuntu-ports noble-security/multiverse amd64 Packages
Err:7 http://ports.ubuntu.com/ubuntu-ports noble-security/multiverse amd64 Packages
404 Not Found [IP: 185.125.190.36 80]
Ign:10 http://ports.ubuntu.com/ubuntu-ports noble/multiverse amd64 Packages
Get:11 http://ports.ubuntu.com/ubuntu-ports noble/multiverse Translation-en [118 kB]
Get:12 http://ports.ubuntu.com/ubuntu-ports noble/multiverse amd64 Components [35.0 kB]
Get:13 http://ports.ubuntu.com/ubuntu-ports noble/universe amd64 Packages [15.0 MB]
Hit:15 https://ppa.launchpadcontent.net/dotnet/backports/ubuntu noble InRelease
Get:13 http://ports.ubuntu.com/ubuntu-ports noble/universe amd64 Packages [15.0 MB]
Hit:17 https://ppa.launchpadcontent.net/gift/stable/ubuntu noble InRelease
Ign:13 http://ports.ubuntu.com/ubuntu-ports noble/universe amd64 Packages
Hit:18 https://ppa.launchpadcontent.net/openjdk-r/ppa/ubuntu noble InRelease
Hit:19 https://ppa.launchpadcontent.net/sift/stable/ubuntu noble InRelease
Ign:10 http://ports.ubuntu.com/ubuntu-ports noble/multiverse amd64 Packages
Ign:13 http://ports.ubuntu.com/ubuntu-ports noble/universe amd64 Packages
Ign:10 http://ports.ubuntu.com/ubuntu-ports noble/multiverse amd64 Packages
Ign:13 http://ports.ubuntu.com/ubuntu-ports noble/universe amd64 Packages
Ign:10 http://ports.ubuntu.com/ubuntu-ports noble/multiverse amd64 Packages
Get:20 http://security.ubuntu.com/ubuntu noble-security InRelease [126 kB]
Ign:13 http://ports.ubuntu.com/ubuntu-ports noble/universe amd64 Packages
Ign:10 http://ports.ubuntu.com/ubuntu-ports noble/multiverse amd64 Packages
Ign:13 http://ports.ubuntu.com/ubuntu-ports noble/universe amd64 Packages
Err:10 http://ports.ubuntu.com/ubuntu-ports noble/multiverse amd64 Packages
404 Not Found [IP: 185.125.190.36 80]
Ign:13 http://ports.ubuntu.com/ubuntu-ports noble/universe amd64 Packages
Get:21 http://security.ubuntu.com/ubuntu noble-security/main amd64 Packages [868 kB]
Get:22 http://security.ubuntu.com/ubuntu noble-security/main amd64 Components [21.5 kB]
Get:23 http://security.ubuntu.com/ubuntu noble-security/restricted amd64 Components [212 B]
Get:24 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Packages [851 kB]
Get:25 http://security.ubuntu.com/ubuntu noble-security/universe amd64 Components [52.2 kB]
Get:26 http://security.ubuntu.com/ubuntu noble-security/multiverse amd64 Components [208 B]
Fetched 2302 kB in 2s (933 kB/s)
Reading package lists... Done
E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble-security/multiverse/binary-amd64/Packages 404 Not Found [IP: 185.125.190.36 80]
E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble/multiverse/binary-amd64/Packages 404 Not Found [IP: 185.125.190.36 80]
E: Some index files failed to download. They have been ignored, or old ones used instead.
Moreover, the install doesn't seem to be idempotent
root@sift-workstation:/home/sift# cast install --mode=server [email protected]
WARN[0000] using unauthenticated github client, could result in API rate limiting
INFO[0001] checking operating system support component=distro owner=teamdfir repo=sift-saltstack
INFO[0001] operating system is supported component=distro owner=teamdfir repo=sift-saltstack
INFO[0001] rendering manifest component=distro owner=teamdfir repo=sift-saltstack
INFO[0001] distro validated successfully command=install
INFO[0001] downloading archive file component=distro owner=teamdfir repo=sift-saltstack version=v2025.06.03
INFO[0002] downloading release file component=distro filename=checksums.txt owner=teamdfir repo=sift-saltstack
INFO[0003] downloading release file component=distro filename=checksums.txt.sig owner=teamdfir repo=sift-saltstack
INFO[0003] downloading release file component=distro filename=cosign.pub owner=teamdfir repo=sift-saltstack
INFO[0004] downloading release file component=distro filename=manifest.yml owner=teamdfir repo=sift-saltstack
INFO[0004] signatures verified component=cosign
INFO[0004] validating checksums component=distro handler=validateChecksums owner=teamdfir repo=sift-saltstack
INFO[0004] checksum validated component=distro filename=teamdfir-sift-saltstack-v2025.06.03-0-g29cc18d.tar.gz owner=teamdfir repo=sift-saltstack
INFO[0004] checksum validated component=distro filename=manifest.yml owner=teamdfir repo=sift-saltstack
INFO[0004] extracting archive file component=distro owner=teamdfir repo=sift-saltstack version=v2025.06.03
INFO[0005] distro downloaded successfully command=install
INFO[0005] installing using mode: server command=install
INFO[0005] checking if install can progress component=installer
INFO[0005] preparing pillar data component=installer
INFO[0005] running saltstack installer component=installer
INFO[0005] downloading tar.gz file component=saltstack-installer handler=install-onedir
INFO[0028] downloading hash file component=saltstack-installer handler=install-onedir
INFO[0028] validating tar.gz.file component=saltstack-installer handler=install-onedir
INFO[0028] validating file checksum component=saltstack-installer filename=/var/cache/cast/installer/saltstack/salt.tar.xz
INFO[0028] extracting file component=saltstack-installer handler=install-onedir
FATA[0028] handling file: salt/lib/libkrad.so.0: symlink /var/cache/cast/installer/saltstack/salt/lib/libkrad.so.0.0 /var/cache/cast/installer/saltstack/salt/lib/libkrad.so.0: file exists
I'm having the same exact issue top to bottom on a fresh Ubuntu 24.0.2 install. Only difference is the command
sudo cast install teamdfir/sift. Otherwise, same apt update issues, same symlink issue on install attempt 2.
Copy. I'll kick a build off here in a bit and see if I can't replicate this.
@funkwhatyouheard what happens if you just remove this directory and re-run? /var/cache/cast/installer/saltstack
@ekristen Fresh run, new error. Here's the last few log lines:
INFO[0218] state completed component=installer duration=33.461 state=smbd time_begin="19:38:48.822464" time_end="19:38:48.855925"
INFO[0218] state completed component=installer duration=30.849 state=nmbd time_begin="19:38:48.858072" time_end="19:38:48.888920"
INFO[0218] state completed component=installer duration=2.65 state=/etc/foremost.conf time_begin="19:38:48.889070" time_end="19:38:48.891721"
INFO[0218] state completed component=installer duration=2.207 state=/usr/local/etc/foremost.conf time_begin="19:38:48.891857" time_end="19:38:48.894063"
INFO[0218] state completed component=installer duration=0.59 state=sift-config-tools time_begin="19:38:48.895243" time_end="19:38:48.895832"
INFO[0218] state completed component=installer duration=0.559 state=sift-config time_begin="19:38:48.901308" time_end="19:38:48.901867"
INFO[0218] state completed component=installer duration=0.563 state=sift-desktop-include time_begin="19:38:48.901997" time_end="19:38:48.902559"
INFO[0219] log file location component=installer file=/var/cache/cast/installer/logs/saltstack.log
INFO[0219] results file location component=installer file=/var/cache/cast/installer/logs/results.yaml
WARN[0220] first failed state comment="One or more requisite failed: sift.repos.sift.sift-repo" component=installer run_num=331 sls=sift.packages.xmount
INFO[0220] statistics component=installer failed=51 success=745 total=796
INFO[0220] salt-call completed but had failed states component=installer
FATA[0220] salt-call completed but had failed states
Seeing a bunch of errors in the log file for the same package that was in the apt update error mentioned above... Is there something wrong with one of the dependencies currently?
Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble-security/multiverse/binary-amd64/Packages 404 Not Found [IP: 185.125.190.36 80]
So basically the same I had on apt-get update. Having a look in the repository it seems that there are no binary_amd64 packages available
Came to the same conclusion yesterday. Looking at the archive instead of the port, the packages are there but the OS seems to recreate the /etc/apt/sources.list file with those port entries if I remove them. Starting to wonder if it's an issue with the specific OS version and nothing to do with sift.
I had the same issues with Ubuntu 22.04.
Hmm, may need some more guidance then. Will keep poking at it.
Alright, so I removed all entries in /etc/apt/sources.list (deleting the file, it will just recreate with the port entries at update) so that it defers to /etc/apt/sources.list.d/ubuntu.sources which has the correct entries. This resolves the issue with apt update, however when salt runs, it repopulates /etc/apt/sources.list with the port entries which is incorrect for amd64 architecture.
# [ERROR ] Command 'apt-get' failed with return code: 100
# [ERROR ] stdout: Hit:1 http://security.ubuntu.com/ubuntu noble-security InRelease
# [ERROR ] stderr: E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble/multiverse/binary-amd64/Packages 404 Not Found [IP: 91.189.91.104 80]
# [ERROR ] retcode: 100
# [ERROR ] Failed to configure repo 'deb http://ports.ubuntu.com/ubuntu-ports/ noble multiverse': E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble/multiverse/binary-amd64/Packages 404 Not Found [IP: 91.189.91.104 80]
# [ERROR ] Command 'apt-get' failed with return code: 100
# [ERROR ] stdout: Hit:1 https://download.docker.com/linux/ubuntu noble InRelease
# [ERROR ] stderr: E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble-security/multiverse/binary-amd64/Packages 404 Not Found [IP: 91.189.91.102 80]
# [ERROR ] retcode: 100
# [ERROR ] Failed to configure repo 'deb http://ports.ubuntu.com/ubuntu-ports/ noble-security multiverse': E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble-security/multiverse/binary-amd64/Packages 404 Not Found [IP: 91.189.91.102 80]
# [ERROR ] Command 'apt-get' failed with return code: 100
# [ERROR ] stdout: Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
# [ERROR ] stderr: E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble/multiverse/binary-amd64/Packages 404 Not Found [IP: 91.189.91.104 80]
# [ERROR ] retcode: 100
# [ERROR ] Failed to configure repo 'deb http://ports.ubuntu.com/ubuntu-ports/ noble universe': E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble/multiverse/binary-amd64/Packages 404 Not Found [IP: 91.189.91.104 80]
# [ERROR ] Command 'apt-get' failed with return code: 100
# [ERROR ] stdout: Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
# [ERROR ] stderr: E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble/multiverse/binary-amd64/Packages 404 Not Found [IP: 91.189.91.103 80]
# [ERROR ] retcode: 100
# [ERROR ] Failed to configure repo 'dotnet-backports': E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble/multiverse/binary-amd64/Packages 404 Not Found [IP: 91.189.91.103 80]
-arg_parser.add_argument('-l', '--log_level', help='Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)')#, choices=['INFO','DEBUG','WARNING','ERROR','CRITICAL'])
- if args.log_level not in ['INFO', 'DEBUG', 'WARNING', 'ERROR', 'CRITICAL']: # TODO: change to just [info, debug, error]
- Exit("Invalid input type for log level. Valid values are INFO, DEBUG, WARNING, ERROR, CRITICAL")
- elif args.log_level == "ERROR": args.log_level = logging.ERROR
-log.info("Review the Log file and report any ERRORs or EXCEPTIONS to the developers")
+arg_parser.add_argument('-l', '--log_level', help='Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)')#, choices=['INFO','DEBUG','WARNING','ERROR','CRITICAL'])
+ if args.log_level not in ['INFO', 'DEBUG', 'WARNING', 'ERROR', 'CRITICAL']: # TODO: change to just [info, debug, error]
+ Exit("Invalid input type for log level. Valid values are INFO, DEBUG, WARNING, ERROR, CRITICAL")
+ elif args.log_level == "ERROR": args.log_level = logging.ERROR
+log.info("Review the Log file and report any ERRORs or EXCEPTIONS to the developers")
# [ERROR ] /opt/python-evtx/bin/evtx_eid_record_numbers.py: file not found
# [ERROR ] Command 'systemd-run' failed with return code: 100
# [ERROR ] stdout: Reading package lists...
# [ERROR ] stderr: Running as unit: run-r376d001e25c44c02a96fbd1e9dec8415.scope; invocation ID: 6d1a27cc5eae4e50af6270ab65adb3ff
# [ERROR ] retcode: 100
# [ERROR ] Problem encountered installing package(s). Additional info follows:
# [ERROR ] Command 'apt-get' failed with return code: 100
# [ERROR ] stdout: Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
# [ERROR ] stderr: E: Failed to fetch http://ports.ubuntu.com/ubuntu-ports/dists/noble/multiverse/binary-amd64/Packages 404 Not Found [IP: 91.189.91.102 80]
# [ERROR ] retcode: 100
# [ERROR ] An exception occurred in this state: Traceback (most recent call last):
\ WARNING, ERROR, CRITICAL (Default is INFO)')#, choices=['INFO','DEBUG','WARNING','ERROR','CRITICAL'])\r\
\ 'WARNING', 'ERROR', 'CRITICAL']: # TODO: change to just [info, debug, error]\r\
\ DEBUG, WARNING, ERROR, CRITICAL\")\r\n- else:\r\n- if args.log_level\
\ == \"ERROR\": args.log_level = logging.ERROR\r\n- elif args.log_level\
\ ERRORs or EXCEPTIONS to the developers\")\r\n+'''\n+ Copyright (c) 2017\
\ '--log_level', help='Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default\
\ is INFO)')#, choices=['INFO','DEBUG','WARNING','ERROR','CRITICAL'])\n+arg_parser.add_argument('-p',\
\ 'WARNING', 'ERROR', 'CRITICAL']: # TODO: change to just [info, debug, error]\n\
\ WARNING, ERROR, CRITICAL\")\n+ else:\n+ if args.log_level == \"\
\ == \"ERROR\": args.log_level = logging.ERROR\n+ elif args.log_level\
\ ERRORs or EXCEPTIONS to the developers\")\n"
@funkwhatyouheard you are correct, we made a mistake somewhere and it was missed during testing when we were doing the update for 24.04 and AMD64 and ARM64 support.
My build system is down at the moment, I'm working on a fix.
After looking at it online though, there is no "binary-amd64" folder now under Multiverse:
http://ports.ubuntu.com/ubuntu-ports/dists/noble-security/multiverse/
I've got a fix in progress
Sorry, was typing this out and didn't see your post come in before mine @ekristen
https://github.com/teamdfir/sift-saltstack/releases/tag/v2025.06.17 should fix it, it's unclear if it'll fix the bad files in apt.sources.list, there might need to be manual intervention there, I didn't have a simple way to test at the moment, but these new ones work.
@ekristen I am testing your latest release and will give you feedback as soon as possible. Thank you!
Likewise, appreciate the quick turn around and will report back :)
I deleted /etc/apt/sources.list and reran to remove the port references and it looks better, but still hitting an error (though I think it's a totally different issue now).
grep "ERROR" /var/cache/cast/installer/logs/saltstack.log
-arg_parser.add_argument('-l', '--log_level', help='Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)')#, choices=['INFO','DEBUG','WARNING','ERROR','CRITICAL'])
- if args.log_level not in ['INFO', 'DEBUG', 'WARNING', 'ERROR', 'CRITICAL']: # TODO: change to just [info, debug, error]
- Exit("Invalid input type for log level. Valid values are INFO, DEBUG, WARNING, ERROR, CRITICAL")
- elif args.log_level == "ERROR": args.log_level = logging.ERROR
-log.info("Review the Log file and report any ERRORs or EXCEPTIONS to the developers")
+arg_parser.add_argument('-l', '--log_level', help='Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default is INFO)')#, choices=['INFO','DEBUG','WARNING','ERROR','CRITICAL'])
+ if args.log_level not in ['INFO', 'DEBUG', 'WARNING', 'ERROR', 'CRITICAL']: # TODO: change to just [info, debug, error]
+ Exit("Invalid input type for log level. Valid values are INFO, DEBUG, WARNING, ERROR, CRITICAL")
+ elif args.log_level == "ERROR": args.log_level = logging.ERROR
+log.info("Review the Log file and report any ERRORs or EXCEPTIONS to the developers")
# [ERROR ] /opt/python-evtx/bin/evtx_eid_record_numbers.py: file not found
# [ERROR ] Command 'systemd-run' failed with return code: 100
# [ERROR ] stdout: Reading package lists...
# [ERROR ] stderr: Running as unit: run-rdfaaae159a0443efa194507559ad1983.scope; invocation ID: 81eab04faf7043539d9a1b458f0ae74f
# [ERROR ] retcode: 100
# [ERROR ] Problem encountered installing package(s). Additional info follows:
\ WARNING, ERROR, CRITICAL (Default is INFO)')#, choices=['INFO','DEBUG','WARNING','ERROR','CRITICAL'])\r\
\ 'WARNING', 'ERROR', 'CRITICAL']: # TODO: change to just [info, debug, error]\r\
\ DEBUG, WARNING, ERROR, CRITICAL\")\r\n- else:\r\n- if args.log_level\
\ == \"ERROR\": args.log_level = logging.ERROR\r\n- elif args.log_level\
\ ERRORs or EXCEPTIONS to the developers\")\r\n+'''\n+ Copyright (c) 2017\
\ '--log_level', help='Log levels: INFO, DEBUG, WARNING, ERROR, CRITICAL (Default\
\ is INFO)')#, choices=['INFO','DEBUG','WARNING','ERROR','CRITICAL'])\n+arg_parser.add_argument('-p',\
\ 'WARNING', 'ERROR', 'CRITICAL']: # TODO: change to just [info, debug, error]\n\
\ WARNING, ERROR, CRITICAL\")\n+ else:\n+ if args.log_level == \"\
\ == \"ERROR\": args.log_level = logging.ERROR\n+ elif args.log_level\
\ ERRORs or EXCEPTIONS to the developers\")\n"
Somewhat the same for me, though I just commented out the port references in sources.list and found a missing prerequisite.
digging through the logs, I don't think it's missing, I think it's downgrading.
comment: "Problem encountered installing package(s). Additional info follows:\n\
\nerrors:\n - Running as unit: run-rdfaaae159a0443efa194507559ad1983.scope;\
\ invocation ID: 81eab04faf7043539d9a1b458f0ae74f\n E: Packages were downgraded\
\ and -y was used without --allow-downgrades."
duration: 2520.13
name: sift-packages-pdftk-java
result: false
start_time: '14:43:05.061124'
interesting, could you have had it already installed?
SIFT is installing a specific version which I'm not sure why. I need @digitalsleuth to comment on it because I think he did that one.
http://mirrors.edge.kernel.org/ubuntu/pool/universe/p/pdftk-java/pdftk-java_3.2.2-1_all.deb
Indeed it is already installed on the system
confirmed, here as well. That said, I definitely didn't explicitly install it. Unsure if it was pulled from a previous attempt or on newer version of ubuntu by default.
Interesting, it got pulled in from universe.
Alright, I just got done testing moving this back to ubuntu universe repository for both amd64 and arm64 and it's working, I'll push and cut a new release shortly.
just tried v2025.06.18. Hit an error initially (evtx_eid_record_numbers was missing .py extension so ran sudo mv /opt/python-evtx/bin/evtx_eid_record_numbers /opt/python-evtx/bin/evtx_eid_record_numbers.py) but second run everything looks good. Thanks again for the quick turn around!
@digitalsleuth mind looking into that, it looks correct in the code, that .py should be there.
I can confirm that this seems to work 🚀
My steps were:
rm -rf /var/cache/cast/installer/saltstack/
mv /opt/python-evtx/bin/evtx_eid_record_numbers /opt/python-evtx/bin/evtx_eid_record_numbers.py as suggested by @funkwhatyouheard
cast install --mode=server [email protected]
Thank you guys! Good work
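
The sources.list problem discussed in this thread (ports.ubuntu.com entries on an amd64 host), as an added example that is not part of the thread and not code from SIFT or Cast: a bash check that flags one-line deb entries whose Ubuntu mirror does not serve the host architecture, and prints a copy of the file with those entries commented out. It generalises beyond the amd64 case and assumes that amd64/i386 indexes are served from archive.ubuntu.com and security.ubuntu.com (including country mirrors) and all other architectures from ports.ubuntu.com; the function names and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit one-line-style apt sources for mirror/architecture mismatch.

scan_sources() {
    # $1 = mode (report|fix), $2 = sources.list-style file, $3 = architecture
    local mode="$1" file="$2" arch="${3:-}"
    [ -n "$arch" ] || arch=$(dpkg --print-architecture)
    awk -v mode="$mode" -v arch="$arch" '
        # Assumption: amd64/i386 live on *archive/security.ubuntu.com, the rest on ports.
        function wrong_mirror(url,    primary) {
            primary = (arch == "amd64" || arch == "i386")
            if (url ~ /\/\/ports\.ubuntu\.com\//) return primary
            if (url ~ /\/\/([a-z0-9-]+\.)?(archive|security)\.ubuntu\.com\//) return !primary
            return 0
        }
        {
            bad = 0
            if ($0 ~ /^[ \t]*deb[ \t]/) {            # binary entries only, comments skipped
                line = $0; applies = 1
                if (match(line, /\[[^]]*\]/)) {       # strip the [option=value ...] block
                    opts = substr(line, RSTART, RLENGTH)
                    line = substr(line, 1, RSTART - 1) substr(line, RSTART + RLENGTH)
                    # an arch= restriction that excludes this host makes the entry harmless
                    if (match(opts, /arch=[^] \t]+/))
                        applies = index("," substr(opts, RSTART + 5, RLENGTH - 5) ",", "," arch ",") > 0
                }
                split(line, f, " ")                   # f[1] = "deb", f[2] = mirror URL
                bad = applies && wrong_mirror(f[2])
            }
            if (bad) found++
            if (mode == "fix") {
                prefix = bad ? "# disabled, wrong mirror for " arch ": " : ""
                print prefix $0
            } else if (bad) {
                print FILENAME ":" FNR ": " $0
            }
        }
        END { exit (found > 0) }                      # non-zero status when anything was flagged
    ' "$file"
}

# List offending entries as file:line: entry.
report_wrong_mirrors()  { scan_sources report "$@"; }
# Print the whole file with offending entries commented out (the original is not modified).
disable_wrong_mirrors() { scan_sources fix "$@"; }

# Constructed sample, modelled on the repository lines quoted in the thread.
make_sample() {
    cat <<'EOF'
deb http://de.archive.ubuntu.com/ubuntu noble main restricted
deb http://ports.ubuntu.com/ubuntu-ports/ noble multiverse
deb http://ports.ubuntu.com/ubuntu-ports/ noble-security multiverse
deb http://ports.ubuntu.com/ubuntu-ports/ noble universe
# deb http://ports.ubuntu.com/ubuntu-ports/ noble main
deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports/ noble main
deb https://download.docker.com/linux/ubuntu noble stable
EOF
}

sample=$(mktemp)
make_sample > "$sample"
echo "== entries that cannot resolve on amd64 =="
report_wrong_mirrors "$sample" amd64 || true
echo "== proposed replacement file =="
disable_wrong_mirrors "$sample" amd64 || true
rm -f "$sample"
```

Called as report_wrong_mirrors /etc/apt/sources.list with no architecture argument, the check uses the architecture reported by dpkg --print-architecture. deb822 files such as /etc/apt/sources.list.d/ubuntu.sources are not parsed by this example.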